an access control policy is developed and documented;
the access control policy is disseminated to
access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
the access control procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current access control policy is reviewed and updated
the current access control policy is reviewed and updated following
the current access control procedures are reviewed and updated
the current access control procedures are reviewed and updated following
account types allowed for use within the system are defined and documented;
account types specifically prohibited for use within the system are defined and documented;
account managers are assigned;
authorized users of the system are specified;
group and role membership are specified;
access authorizations (i.e., privileges) are specified for each account;
approvals are required by
accounts are created in accordance with
accounts are enabled in accordance with
accounts are modified in accordance with
accounts are disabled in accordance with
accounts are removed in accordance with
the use of accounts is monitored;
account managers and
account managers and
account managers and
access to the system is authorized based on a valid access authorization;
access to the system is authorized based on intended system usage;
access to the system is authorized based on
accounts are reviewed for compliance with account management requirements
a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
account management processes are aligned with personnel termination processes;
account management processes are aligned with personnel transfer processes.
the management of system accounts is supported using
temporary and emergency accounts are automatically
accounts are disabled within
accounts are disabled within
accounts are disabled within
accounts are disabled within
account creation is automatically audited;
account modification is automatically audited;
account enabling is automatically audited;
account disabling is automatically audited;
account removal actions are automatically audited.
users are required to log out when
privileged user accounts are established and administered in accordance with
privileged role or attribute assignments are monitored;
changes to roles or attributes are monitored;
access is revoked when privileged role or attribute assignments are no longer appropriate.
the use of shared and group accounts is only permitted if
system accounts are monitored for
atypical usage of system accounts is reported to
accounts of individuals are disabled within
approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.
dual authorization is enforced for
access to
a role-based access control policy is enforced over defined subjects;
a role-based access control policy is enforced over defined objects;
access is controlled based on
revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on
revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on
information is released outside of the system only if the receiving
information is released outside of the system only if
an audited override of automated access control mechanisms is employed under
access to data repositories containing
as part of the installation process, applications are required to assert the access needed to the following system applications and functions:
an enforcement mechanism to prevent unauthorized access is provided;
access changes after initial installation of the application are approved.
the attribute-based access control policy is enforced over defined subjects;
the attribute-based access control policy is enforced over defined objects;
access is controlled based on
approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on
protected processing domains are used to enforce
encrypted information is prevented from bypassing
information flow control enforcement is based on
one-way information flows are enforced through hardware-based flow control mechanisms.
information flow control is enforced using
information flow control is enforced using
human reviews are used for
capability is provided for privileged administrators to enable and disable
capability is provided for privileged administrators to enable and disable
capability is provided for privileged administrators to configure
capability is provided for privileged administrators to configure
when transferring information between different security domains,
when transferring information between different security domains, information is decomposed into
when transferring information between different security domains, implemented
when transferring information between different security domains, implemented
when transferring information between different security domains, information is examined for the presence of
when transferring information between different security domains, transfer of
when transferring information between different security domains, transfer of
source and destination points are uniquely identified and authenticated by
when transferring information between different security domains,
when transferring information between different security domains,
information flows are separated logically using
information flows are separated physically using
access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains.
when transferring information between security domains, non-releasable information is modified by implementing
when transferring information between different security domains, incoming data is parsed into an internal, normalized format;
when transferring information between different security domains, the data is regenerated to be consistent with its intended specification.
when transferring information between different security domains, data is sanitized to minimize
when transferring information between different security domains, content-filtering actions are recorded and audited;
when transferring information between different security domains, results for the information being filtered are recorded and audited.
when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type.
when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls.
when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;
when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;
when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with
when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented.
when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented.
when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;
when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;
when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;
when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline.
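The cross-domain statements above (parse into a normalized format, regenerate, filter in order under an orchestrator, record the results, and let a transfer process that does no filtering of its own validate the metadata and refuse failed content) describe a pipeline structure. The following is an added example of that structure and is not text or code from the determination statements or from NIST; the message format, the three filters, the dirty-word list and every name in it are assumptions made for illustration.

```python
"""Added example, not from the determination statements or NIST: a minimal
cross-domain content-filter pipeline (normalize, filter in order under an
orchestrator, record results, regenerate, refuse to transfer failed content).
Message format, filter set and names are assumptions for illustration."""
import json
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample: a message as it might arrive at the guard.
SAMPLE_INBOUND = (b'{"subject":"Status report","classification":"UNCLASSIFIED",'
                  b'"body":"Build 42 passed. <script>alert(1)</script> Contact: alice@example.test"}')


class Normalized:
    """Internal, normalized representation; the filtering metadata travels
    with the content so the transfer step can check it."""

    def __init__(self, subject: str, body: str, classification: str):
        self.subject = subject
        self.body = body
        self.classification = classification
        self.filter_log: List[dict] = []
        self.failed = False


def parse_to_normalized(raw: bytes) -> Normalized:
    """Parse inbound bytes into the internal format; unknown keys are dropped
    and every field is coerced to an explicit type."""
    obj = json.loads(raw.decode("utf-8"))
    return Normalized(subject=str(obj.get("subject", "")),
                      body=str(obj.get("body", "")),
                      classification=str(obj.get("classification", "")).upper())


# Each filter returns (passed, note). Pipeline order is part of the policy.
def filter_classification(msg: Normalized) -> Tuple[bool, str]:
    return msg.classification == "UNCLASSIFIED", "classification=" + msg.classification


def filter_active_content(msg: Normalized) -> Tuple[bool, str]:
    # Remove script elements so regenerated output cannot carry active content.
    before = msg.body
    msg.body = re.sub(r"<script.*?</script>", "", before, flags=re.S | re.I)
    return True, "removed_script=%s" % (before != msg.body)


DIRTY_WORDS = re.compile(r"\b(SECRET|PROJECT\s+BLUEBIRD)\b", re.I)  # assumed list


def filter_dirty_words(msg: Normalized) -> Tuple[bool, str]:
    hit = DIRTY_WORDS.search(msg.subject + " " + msg.body)
    return hit is None, "dirty_word=" + ("hit" if hit else "none")


PIPELINE: List[Tuple[str, Callable[[Normalized], Tuple[bool, str]]]] = [
    ("classification", filter_classification),
    ("active_content", filter_active_content),
    ("dirty_words", filter_dirty_words),
]


def orchestrate(msg: Normalized) -> Normalized:
    """Run every filter in the configured order, record each action and its
    result, and treat a raised exception as a failed filter, never as a pass."""
    for name, fn in PIPELINE:
        try:
            passed, note = fn(msg)
        except Exception as exc:
            passed, note = False, "error=" + type(exc).__name__
        msg.filter_log.append({"filter": name, "passed": passed, "note": note})
        if not passed:
            msg.failed = True
    return msg


def regenerate(msg: Normalized) -> bytes:
    """Regenerate output to the intended specification instead of forwarding
    the original bytes."""
    return json.dumps({"subject": msg.subject, "body": msg.body,
                       "classification": msg.classification},
                      separators=(",", ":")).encode("utf-8")


def transfer(msg: Normalized) -> Optional[bytes]:
    """The transfer process does no content filtering; it validates the
    filtering metadata and refuses anything that did not complete every
    filter successfully."""
    expected = [name for name, _ in PIPELINE]
    ran = [entry["filter"] for entry in msg.filter_log]
    if ran != expected or msg.failed or not all(e["passed"] for e in msg.filter_log):
        return None  # failed content never reaches the receiving domain
    return regenerate(msg)


def guard(raw: bytes) -> Tuple[Optional[bytes], List[dict]]:
    try:
        msg = parse_to_normalized(raw)
    except ValueError as exc:  # malformed input is a parse failure, not a pass
        return None, [{"filter": "parse", "passed": False, "note": "error=" + type(exc).__name__}]
    msg = orchestrate(msg)
    return transfer(msg), msg.filter_log


if __name__ == "__main__":
    released, log = guard(SAMPLE_INBOUND)
    print(released, log)
```

The point a practitioner should take from the shape, rather than from the toy filters: the filter log is the only thing the transfer step consults, an exception inside a filter is recorded as a failure rather than silently skipped, and content that was never run through the orchestrator has an empty log and is therefore refused.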
system access authorizations to support separation of duties are defined.
the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
access is authorized for
access is authorized for
access is authorized for
access is authorized for
users of system accounts (or roles) with access to
network access to
the rationale for authorizing network access to privileged commands is documented in the security plan for the system.
separate processing domains are provided to enable finer-grain allocation of user privileges.
privileged accounts on the system are restricted to
privileged access to the system by non-organizational users is prohibited.
privileges assigned to
privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.
the execution of privileged functions is logged.
non-privileged users are prevented from executing privileged functions.
a limit of
automatically
information is purged or wiped from
unsuccessful biometric logon attempts are limited to
a limit of
the system use notification states that users are accessing a U.S. Government system;
the system use notification states that system usage may be monitored, recorded, and subject to audit;
the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties;
the system use notification states that use of the system indicates consent to monitoring and recording;
the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;
for publicly accessible systems, system use information
for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;
for publicly accessible systems, a description of the authorized uses of the system is included.
the user is notified, upon successful logon to the system, of the date and time of the last logon.
the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
the user is notified, upon successful logon, of the number of
the user is notified, upon successful logon, of changes to
the user is notified, upon successful logon, of
the number of concurrent sessions for each
further access to the system is prevented by
device lock is retained until the user re-establishes access using established identification and authentication procedures.
information previously visible on the display is concealed, via device lock, with a publicly viewable image.
a user session is automatically terminated after
a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to
an explicit logout message is displayed to users indicating the termination of authenticated communication sessions.
an explicit message to users is displayed indicating that the session will end in
user actions not requiring identification or authentication are documented in the security plan for the system;
a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.
the means to associate
the means to associate
attribute associations are made;
attribute associations are retained with the information;
the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for
the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for
the following permitted attribute values or ranges for each of the established attributes are determined:
changes to attributes are audited;
security attributes are dynamically associated with
security attributes are dynamically associated with
privacy attributes are dynamically associated with
privacy attributes are dynamically associated with
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes.
the association and integrity of
the association and integrity of
the association and integrity of
the association and integrity of
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate
authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate
security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify
privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify
personnel are required to associate and maintain the association of
personnel are required to associate and maintain the association of
personnel are required to associate and maintain the association of
personnel are required to associate and maintain the association of
a consistent interpretation of security attributes transmitted between distributed system components is provided;
a consistent interpretation of privacy attributes transmitted between distributed system components is provided.
security attributes associated with information are changed only via regrading mechanisms validated using
privacy attributes associated with information are changed only via regrading mechanisms validated using
authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects;
authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects.
usage restrictions are established and documented for each type of remote access allowed;
configuration/connection requirements are established and documented for each type of remote access allowed;
implementation guidance is established and documented for each type of remote access allowed;
each type of remote access to the system is authorized prior to allowing such connections.
automated mechanisms are employed to monitor remote access methods;
automated mechanisms are employed to control remote access methods.
cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.
remote accesses are routed through authorized and managed network access control points.
the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;
access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;
the execution of privileged commands via remote access is authorized only for the following needs:
access to security-relevant information via remote access is authorized only for the following needs:
the rationale for remote access is documented in the security plan for the system.
information about remote access mechanisms is protected from unauthorized use and disclosure.
the capability to disconnect or disable remote access to the system within
configuration requirements are established for each type of wireless access;
connection requirements are established for each type of wireless access;
implementation guidance is established for each type of wireless access;
each type of wireless access to the system is authorized prior to allowing such connections.
wireless access to the system is protected using authentication of
wireless access to the system is protected using encryption.
when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.
users allowed to independently configure wireless networking capabilities are identified;
users allowed to independently configure wireless networking capabilities are explicitly authorized.
radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;
transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
the connection of mobile devices to organizational systems is authorized.
the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official;
prohibition of the connection of unclassified mobile devices to classified systems is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;
approval by the authorizing official for the connection of unclassified mobile devices to unclassified systems is enforced on individuals permitted to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;
+prohibition of the use of internal or external modems or wireless interfaces within unclassified mobile devices is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;
random review and inspection of unclassified mobile devices and the information stored on those devices by
following of the incident handling policy is enforced if classified information is found during a random review and inspection of unclassified mobile devices;
the connection of classified mobile devices to classified systems is restricted in accordance with
the use of
authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);
authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).
the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using
the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using
the use of
the use of organization-controlled portable storage devices by authorized individuals is prohibited on external systems.
authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for
information search and retrieval services that enforce
designated individuals are authorized to make information publicly accessible;
authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;
the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;
the content on the publicly accessible system is reviewed for non-public information
non-public information is removed from the publicly accessible system, if discovered.
access control decisions are enforced based on
access control decisions are enforced based on
a reference monitor is implemented for
an awareness and training policy is developed and documented;
the awareness and training policy is disseminated to
awareness and training procedures to facilitate the implementation of the awareness and training policy and associated awareness and training controls are developed and documented;
the awareness and training procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current awareness and training policy is reviewed and updated
the current awareness and training policy is reviewed and updated following
the current awareness and training procedures are reviewed and updated
the current awareness and training procedures are reviewed and updated following
security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
security literacy training is provided to system users (including managers, senior executives, and contractors)
privacy literacy training is provided to system users (including managers, senior executives, and contractors)
security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following
privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following
literacy training and awareness content is updated
literacy training and awareness content is updated following
lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.
practical exercises in literacy training that simulate events and incidents are provided.
literacy training on recognizing potential indicators of insider threat is provided;
literacy training on reporting potential indicators of insider threat is provided.
literacy training on recognizing potential and actual instances of social engineering is provided;
literacy training on reporting potential and actual instances of social engineering is provided;
literacy training on recognizing potential and actual instances of social mining is provided;
literacy training on reporting potential and actual instances of social mining is provided.
literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using
literacy training on the advanced persistent threat is provided.
literacy training on the cyber threat environment is provided;
system operations reflect current cyber threat information.
role-based security training is provided to
role-based privacy training is provided to
role-based security training is provided to
role-based privacy training is provided to
role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;
role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;
role-based training content is updated
role-based training content is updated following
lessons learned from internal or external security incidents or breaches are incorporated into role-based training.
practical exercises in security training that reinforce training objectives are provided;
practical exercises in privacy training that reinforce training objectives are provided.
information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;
information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;
individual training records are retained for
feedback on organizational training results is provided
an audit and accountability policy is developed and documented;
the audit and accountability policy is disseminated to
audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;
the audit and accountability procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current audit and accountability policy is reviewed and updated
the current audit and accountability policy is reviewed and updated following
the current audit and accountability procedures are reviewed and updated
the current audit and accountability procedures are reviewed and updated following
the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
the specified event types are logged within the system
a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;
the event types selected for logging are reviewed and updated
audit records contain information that establishes what type of event occurred;
audit records contain information that establishes when the event occurred;
audit records contain information that establishes where the event occurred;
audit records contain information that establishes the source of the event;
audit records contain information that establishes the outcome of the event;
audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
generated audit records contain the following
personally identifiable information contained in audit records is limited to
audit log storage capacity is allocated to accommodate
audit logs are transferred
a warning is provided to
an alert is provided within
configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity are enforced;
network traffic is
an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements
system audit records are reviewed and analyzed
findings are reported to
the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
audit record review, analysis, and reporting processes are integrated using
audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.
the capability to centrally review and analyze audit records from multiple components within the system is provided;
the capability to centrally review and analyze audit records from multiple components within the system is implemented.
analysis of audit records is integrated with analysis of
information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
the permitted actions for each
a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed.
information from non-technical sources is correlated with audit record information to enhance organization-wide situational awareness.
an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;
an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.
the capability to process, sort, and search audit records for events of interest based on
the capability to process, sort, and search audit records for events of interest based on
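Two of the statements above are easy to state and easy to get wrong in practice: that every audit record establishes what, when, where, source, outcome and identity (the AU-3 content elements), and that a reduction or search capability selects events of interest without altering the original content or time ordering (AU-7). The following is an added example, not text or code from the determination statements or from NIST, that checks a batch of records for the six elements and then reduces them while leaving the originals untouched; the field names, record format and sample records are constructed assumptions.

```python
"""Added example, not from the determination statements or NIST: check audit
records for the six AU-3 content elements and produce an AU-7 style reduction
that selects events of interest without altering record content or time
ordering. Field names and sample records are assumptions for illustration."""
import json
from datetime import datetime

# Which field (in the assumed record format) establishes each AU-3 element.
AU3_ELEMENTS = {
    "what": "event",       # type of event
    "when": "ts",          # when it occurred (RFC 3339 timestamp, UTC)
    "where": "host",       # where it occurred
    "source": "src_ip",    # source of the event
    "outcome": "outcome",  # success or failure
    "who": "user",         # identity of the associated subject
}

# Constructed sample log (JSON lines) in the order the records were emitted.
# The last record carries an earlier timestamp than the first: the two hosts'
# clocks differ, and a reduction must not "fix" that by re-sorting.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:00:01Z","host":"web01","event":"logon","src_ip":"10.0.0.5","user":"alice","outcome":"success"}
{"ts":"2024-03-01T08:00:07Z","host":"web01","event":"logon","src_ip":"203.0.113.9","user":"bob","outcome":"failure"}
{"ts":"2024-03-01T08:00:09Z","host":"web01","event":"logon","src_ip":"203.0.113.9","user":"bob"}
{"ts":"2024-03-01T07:59:58Z","host":"db01","event":"priv_cmd","src_ip":"10.0.0.5","user":"alice","outcome":"success","cmd":"ALTER USER"}
"""


def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_au3_elements(record):
    """Return the AU-3 elements this record fails to establish."""
    missing = []
    for element, field in AU3_ELEMENTS.items():
        value = record.get(field)
        if value in (None, ""):
            missing.append(element)
        elif element == "when":
            try:  # a timestamp that does not parse establishes nothing
                datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            except ValueError:
                missing.append(element)
    return missing


def validate(records):
    """Map index -> missing elements for every deficient record."""
    result = {}
    for i, record in enumerate(records):
        missing = missing_au3_elements(record)
        if missing:
            result[i] = missing
    return result


def reduce_records(records, **criteria):
    """Select records matching all criteria. Returns copies, in original
    sequence; the input list is neither modified nor re-sorted."""
    return [dict(r) for r in records
            if all(r.get(k) == v for k, v in criteria.items())]


def report(records):
    failures = reduce_records(records, outcome="failure")
    return {
        "total": len(records),
        "deficient": validate(records),
        "failed_logons": [(r["ts"], r["user"], r["src_ip"]) for r in failures],
    }


if __name__ == "__main__":
    print(json.dumps(report(parse_records(SAMPLE_LOG)), indent=2))
```

The third sample record is deficient (no outcome), which is the kind of gap that makes an after-the-fact investigation inconclusive; the reduction for alice returns her records in emission order even though the second one has the earlier timestamp, because reordering during reduction is exactly what the capability is required not to do.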
internal system clocks are used to generate timestamps for audit records;
timestamps are recorded for audit records that meet
audit information and audit logging tools are protected from unauthorized access, modification, and deletion;
audit trails are written to hardware-enforced, write-once media.
audit records are stored
cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.
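The statement above requires a cryptographic mechanism for audit integrity but does not say which. One common construction is a keyed hash chain: each stored record carries an HMAC over the record and the previous record's tag, so modifying, deleting, inserting or reordering records breaks the chain from that point on. The following is an added example of that construction, not text or code from the determination statements or from NIST; the verification key, the record format and the sample records are assumptions for illustration.

```python
"""Added example, not from the determination statements or NIST: a keyed
hash chain over audit records. Each entry's HMAC covers the record and the
previous entry's tag, so modification, deletion, insertion or reordering is
detectable by whoever holds the verification key. Key handling and the
record format are assumptions for illustration."""
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # stands in for "the tag of the record before the first"


def _canonical(record):
    # Canonical encoding so equal records always produce equal tags.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(key, prev_tag, record):
    return hmac.new(key, prev_tag.encode("ascii") + _canonical(record),
                    hashlib.sha256).hexdigest()


def append_record(chain, key, record):
    """Append a record whose tag binds it to the entire chain prefix."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    chain.append({"record": record, "tag": _tag(key, prev_tag, record)})
    return chain


def verify_chain(chain, key):
    """Return (True, None) if every tag checks out, else (False, index) of the
    first entry that fails; everything from that index on is untrusted."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        expected = _tag(key, prev_tag, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def build_sample_chain(key):
    """Constructed sample records; a fresh chain is built on every call."""
    chain = []
    for record in (
        {"ts": "2024-03-01T08:00:01Z", "event": "logon", "user": "alice", "outcome": "success"},
        {"ts": "2024-03-01T08:00:07Z", "event": "logon", "user": "bob", "outcome": "failure"},
        {"ts": "2024-03-01T08:00:30Z", "event": "priv_cmd", "user": "alice", "outcome": "success"},
    ):
        append_record(chain, key, record)
    return chain


if __name__ == "__main__":
    key = b"assumed-verification-key"  # in practice: held off the audited host
    chain = build_sample_chain(key)
    print(verify_chain(chain, key))
    chain[1]["record"]["user"] = "mallory"
    print(verify_chain(chain, key))
```

Two caveats a practitioner will want. The key must not live on the component whose records it protects, otherwise an administrator who can edit the log can also re-sign it; storing it on the separate component the later statements describe is the usual answer. And a chain alone cannot detect truncation at the tail (dropping the most recent records leaves a valid shorter chain), so the latest tag or record count must be anchored somewhere the logging host cannot rewrite, such as the write-once media mentioned above.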
access to management of audit logging functionality is authorized only to
dual authorization is enforced for the
read-only access to audit information is authorized to
audit information is stored on a component running a different operating system than the system or component being audited.
irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed
the identity of the information producer is bound with the information to
the means for authorized individuals to determine the identity of the producer of the information is provided.
the binding of the information producer identity to the information is validated at
reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released.
the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between
audit records are retained for
audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by
audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.
audit records from
a system-wide (logical or physical) audit trail composed of audit records is produced in a standardized format.
the capability for
the capability for
the capability to audit the parameters of user query events for data sets containing personally identifiable information is provided;
+the capability to audit the parameters of user query events for data sets containing personally identifiable information is implemented.
+open-source information and information sites are monitored using
the list of open-source information sites being monitored is reviewed
discovery techniques, processes, and tools are employed to determine if external entities are replicating organizational information in an unauthorized manner.
+the capability for
session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
+session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
+session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
+session audits are initiated automatically at system start-up.
+the capability for authorized users to remotely view and hear content related to an established user session in real time is provided;
+the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented.
+the identity of individuals in cross-organizational audit trails is preserved.
+cross-organizational audit information is provided to
an assessment, authorization, and monitoring policy is developed and documented;
the assessment, authorization, and monitoring policy is disseminated to
assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;
the assessment, authorization, and monitoring procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current assessment, authorization, and monitoring policy is reviewed and updated
the current assessment, authorization, and monitoring policy is reviewed and updated following
the current assessment, authorization, and monitoring procedures are reviewed and updated
the current assessment, authorization, and monitoring procedures are reviewed and updated following
an appropriate assessor or assessment team is selected for the type of assessment to be conducted;
a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;
a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;
a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;
a control assessment plan is developed that describes the scope of the assessment, including the assessment team;
a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;
the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
controls are assessed in the system and its environment of operation
controls are assessed in the system and its environment of operation
a control assessment report is produced that documents the results of the assessment;
the results of the control assessment are provided to
independent assessors or assessment teams are employed to conduct control assessments.
the results of control assessments performed by
the exchange of information between the system and other systems is approved and managed using
the interface characteristics are documented as part of each exchange agreement;
security requirements are documented as part of each exchange agreement;
privacy requirements are documented as part of each exchange agreement;
controls are documented as part of each exchange agreement;
responsibilities for each system are documented as part of each exchange agreement;
the impact level of the information communicated is documented as part of each exchange agreement;
agreements are reviewed and updated
individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
transitive (downstream) information exchanges with other systems through the systems identified in CA-03a are identified;
measures are taken to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.
a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;
existing plan of action and milestones are updated
a senior official is assigned as the authorizing official for the system;
a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;
before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;
before commencing operations, the authorizing official for the system authorizes the system to operate;
the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
the authorizations are updated
a joint authorization process is employed for the system;
the joint authorization process employed for the system includes multiple authorizing officials from the same organization conducting the authorization.
a joint authorization process is employed for the system;
the joint authorization process employed for the system includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.
a system-level continuous monitoring strategy is developed;
system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;
system-level continuous monitoring includes establishment of the following system-level metrics to be monitored:
system-level continuous monitoring includes established
system-level continuous monitoring includes established
system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;
system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;
system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;
system-level continuous monitoring includes reporting the security status of the system to
system-level continuous monitoring includes reporting the privacy status of the system to
independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.
trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data;
trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data;
trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data.
effectiveness monitoring is included in risk monitoring;
compliance monitoring is included in risk monitoring;
change monitoring is included in risk monitoring.
penetration testing is conducted
an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.
the penetration testing process includes
internal connections of
for each internal connection, the interface characteristics are documented;
for each internal connection, the security requirements are documented;
for each internal connection, the privacy requirements are documented;
for each internal connection, the nature of the information communicated is documented;
internal system connections are terminated after
the continued need for each internal connection is reviewed
security compliance checks are performed on constituent system components prior to the establishment of the internal connection;
privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection.
a configuration management policy is developed and documented;
the configuration management policy is disseminated to
configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;
the configuration management procedures are disseminated to
the
the
the
the
the
the
the
the configuration management policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
the
the current configuration management policy is reviewed and updated
the current configuration management policy is reviewed and updated following
the current configuration management procedures are reviewed and updated
the current configuration management procedures are reviewed and updated following
a current baseline configuration of the system is developed and documented;
a current baseline configuration of the system is maintained under configuration control;
the baseline configuration of the system is reviewed and updated
the baseline configuration of the system is reviewed and updated when required due to
the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.
the currency of the baseline configuration of the system is maintained using
the completeness of the baseline configuration of the system is maintained using
the accuracy of the baseline configuration of the system is maintained using
the availability of the baseline configuration of the system is maintained using
a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained;
a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained.
the types of changes to the system that are configuration-controlled are determined and documented;
proposed configuration-controlled changes to the system are reviewed;
proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;
configuration change decisions associated with the system are documented;
approved configuration-controlled changes to the system are implemented;
records of configuration-controlled changes to the system are retained for
activities associated with configuration-controlled changes to the system are monitored;
activities associated with configuration-controlled changes to the system are reviewed;
configuration change control activities are coordinated and overseen by
the configuration control element convenes
changes to the system are tested before finalizing the implementation of the changes;
changes to the system are validated before finalizing the implementation of the changes;
changes to the system are documented before finalizing the implementation of the changes.
changes to the current system baseline are implemented using
the updated baseline is deployed across the installed base using
cryptographic mechanisms used to provide
changes to the system are reviewed
changes to the configuration of the system are prevented or restricted under
changes to the system are analyzed to determine potential security impacts prior to change implementation;
changes to the system are analyzed to determine potential privacy impacts prior to change implementation.
changes to the system are analyzed in a separate test environment before implementation in an operational environment;
changes to the system are analyzed for security impacts due to flaws;
changes to the system are analyzed for privacy impacts due to flaws;
changes to the system are analyzed for security impacts due to weaknesses;
changes to the system are analyzed for privacy impacts due to weaknesses;
changes to the system are analyzed for security impacts due to incompatibility;
changes to the system are analyzed for privacy impacts due to incompatibility;
changes to the system are analyzed for security impacts due to intentional malice;
changes to the system are analyzed for privacy impacts due to intentional malice.
the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;
the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;
the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;
the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;
the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;
the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.
physical access restrictions associated with changes to the system are defined and documented;
physical access restrictions associated with changes to the system are approved;
physical access restrictions associated with changes to the system are enforced;
logical access restrictions associated with changes to the system are defined and documented;
logical access restrictions associated with changes to the system are approved;
logical access restrictions associated with changes to the system are enforced.
access restrictions for change are enforced using
audit records of enforcement actions are automatically generated.
dual authorization for implementing changes to
dual authorization for implementing changes to
privileges to change system components within a production or operational environment are limited;
privileges to change system-related information within a production or operational environment are limited;
privileges are reviewed
privileges are reevaluated
privileges to change software resident within software libraries are limited.
configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using
the configuration settings documented in CM-06a are implemented;
any deviations from established configuration settings for
any deviations from established configuration settings for
changes to the configuration settings are monitored in accordance with organizational policies and procedures;
changes to the configuration settings are controlled in accordance with organizational policies and procedures.
configuration settings for
configuration settings for
configuration settings for
the system is configured to provide only
the use of
the use of
the use of
the use of
the use of
the system is reviewed
program execution is prevented in accordance with
an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system;
the list of unauthorized software programs is reviewed and updated
a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;
the list of authorized software programs is reviewed and updated
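The two objectives above describe opposite postures: allow-all, deny-by-exception (a denylist of unauthorized programs) and deny-all, permit-by-exception (an allowlist of authorized programs). The following is an added example, not part of the assessment objectives and not any product's enforcement logic, that evaluates the same set of programs under both postures so the difference an assessor should look for is visible: a program nobody has seen before, and a modified build of an approved program, run under the denylist and are blocked by the allowlist. Programs are identified by the SHA-256 of their bytes rather than by path, which is why the renamed copy of a denied program is still caught. The paths, file contents and list entries are constructed for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Identify a program by the digest of its bytes, not by its path or name."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables found on a host (hypothetical content).
PROGRAMS = {
    "/usr/bin/ssh": b"ELF:ssh:9.6",
    "/usr/bin/python3": b"ELF:python:3.12",
    "/usr/bin/nc": b"ELF:netcat:1.226",
    "/tmp/.cache/svc": b"ELF:netcat:1.226",           # netcat copied under a new name
    "/tmp/miner": b"ELF:xmrig:6.21",                   # never seen before, on no list
    "/usr/bin/ssh.patched": b"ELF:ssh:9.6:backdoor",   # approved program, altered bytes
}

# The two postures, both keyed on digests (constructed list contents).
DENY_LIST = {sha256_hex(b"ELF:netcat:1.226")}                               # allow-all, deny-by-exception
ALLOW_LIST = {sha256_hex(b"ELF:ssh:9.6"), sha256_hex(b"ELF:python:3.12")}   # deny-all, permit-by-exception


def deny_by_exception(digest: str, deny=DENY_LIST) -> bool:
    """Allow-all, deny-by-exception: the program runs unless explicitly listed."""
    return digest not in deny


def permit_by_exception(digest: str, allow=ALLOW_LIST) -> bool:
    """Deny-all, permit-by-exception: the program runs only if explicitly listed."""
    return digest in allow


def evaluate(programs=PROGRAMS):
    """Decide every program under both postures.

    Returns {path: (runs_under_denylist, runs_under_allowlist)}."""
    decisions = {}
    for path, content in programs.items():
        digest = sha256_hex(content)
        decisions[path] = (deny_by_exception(digest), permit_by_exception(digest))
    return decisions


def unauthorized_but_running(programs=PROGRAMS):
    """Programs the denylist posture lets run but the allowlist posture blocks:
    exactly the unauthorized software the allowlist objective exists to stop."""
    return sorted(path for path, (dbe, pbe) in evaluate(programs).items() if dbe and not pbe)


if __name__ == "__main__":
    for path, (dbe, pbe) in evaluate().items():
        print(f"{path:<22} deny-by-exception={'run' if dbe else 'block':<5} "
              f"permit-by-exception={'run' if pbe else 'block'}")
    print("runs only under the denylist posture:", unauthorized_but_running())
```

When assessing either posture, the check that matters is the one the digests make possible here: the list must be maintained against what the binary is, not what it is called, and the review-and-update objective that follows each posture is what keeps the allowlist from blocking legitimate updates (the patched ssh would be blocked until its new digest is approved).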
the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of
the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of
the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code;
exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements;
exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official.
the use or connection of unauthorized hardware components is prohibited;
the list of authorized hardware components is reviewed and updated
an inventory of system components that accurately reflects the system is developed and documented;
an inventory of system components that includes all components within the system is developed and documented;
an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;
an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;
an inventory of system components that includes
the system component inventory is reviewed and updated
the inventory of system components is updated as part of component installations;
the inventory of system components is updated as part of component removals;
the inventory of system components is updated as part of system updates.
the presence of unauthorized hardware within the system is detected using
the presence of unauthorized software within the system is detected using
the presence of unauthorized firmware within the system is detected using
individuals responsible and accountable for administering system components are identified by
assessed component configurations are included in the system component inventory;
any approved deviations to current deployed configurations are included in the system component inventory.
a centralized repository for the system component inventory is provided.
system components are assigned to a system;
an acknowledgement of the component assignment is received from
a configuration management plan for the system is developed and documented;
a configuration management plan for the system is implemented;
the configuration management plan addresses roles;
the configuration management plan addresses responsibilities;
the configuration management plan addresses configuration management processes and procedures;
the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;
the configuration management plan establishes a process for managing the configuration of the configuration items;
the configuration management plan defines the configuration items for the system;
the configuration management plan places the configuration items under configuration management;
the configuration management plan is reviewed and approved by
the configuration management plan is protected from unauthorized disclosure;
the configuration management plan is protected from unauthorized modification.
the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development.
software and associated documentation are used in accordance with contract agreements and copyright laws;
the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;
the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
software installation policies are enforced through
compliance with
user installation of software is allowed only with explicit privileged status.
compliance with software installation policies is enforced using
compliance with software installation policies is monitored using
the location of
the specific system components on which
the specific system components on which
the users who have access to the system and system components where
the users who have access to the system and system components where
changes to the location (i.e., system or system components) where
changes to the location (i.e., system or system components) where
automated tools are used to identify
a map of system data actions is developed and documented.
the installation of
the installation of
a contingency planning policy is developed and documented;
the contingency planning policy is disseminated to
contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;
the contingency planning procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current contingency planning policy is reviewed and updated
the current contingency planning policy is reviewed and updated following
the current contingency planning procedures are reviewed and updated
the current contingency planning procedures are reviewed and updated following
a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;
a contingency plan for the system is developed that provides recovery objectives;
a contingency plan for the system is developed that provides restoration priorities;
a contingency plan for the system is developed that provides metrics;
a contingency plan for the system is developed that addresses contingency roles;
a contingency plan for the system is developed that addresses contingency responsibilities;
a contingency plan for the system is developed that addresses assigned individuals with contact information;
a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;
a contingency plan for the system is developed that addresses the sharing of contingency information;
a contingency plan for the system is developed that is reviewed by
a contingency plan for the system is developed that is approved by
copies of the contingency plan are distributed to
copies of the contingency plan are distributed to
contingency planning activities are coordinated with incident handling activities;
the contingency plan for the system is reviewed
the contingency plan is updated to address changes to the organization, system, or environment of operation;
the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;
contingency plan changes are communicated to
contingency plan changes are communicated to
lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;
lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;
the contingency plan is protected from unauthorized disclosure;
the contingency plan is protected from unauthorized modification.
contingency plan development is coordinated with organizational elements responsible for related plans.
capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;
capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;
capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.
the resumption of
the continuance of
continuity is sustained until full system restoration at primary processing and/or storage sites.
the transfer of
operational continuity is sustained until full system restoration at primary processing and/or storage sites.
the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
critical system assets supporting
contingency training is provided to system users consistent with assigned roles and responsibilities within
contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
contingency training is provided to system users consistent with assigned roles and responsibilities
the contingency plan training content is reviewed and updated
the contingency plan training content is reviewed and updated following
simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.
mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment.
the contingency plan for the system is tested
the contingency plan test results are reviewed;
corrective actions are initiated, if needed.
contingency plan testing is coordinated with organizational elements responsible for related plans.
the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;
the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.
the contingency plan is tested using
a full recovery of the system to a known state is included as part of contingency plan testing;
a full reconstitution of the system to a known state is included as part of contingency plan testing.
an alternate storage site is established;
establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;
the alternate storage site provides controls equivalent to that of the primary site.
an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.
the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;
the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.
potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;
explicit mitigation actions to address identified accessibility problems are outlined.
an alternate processing site, including necessary agreements to permit the transfer and resumption of
the equipment and supplies required to transfer operations are made available at the alternate processing site, or contracts are in place to support delivery to the site within
the equipment and supplies required to resume operations are made available at the alternate processing site, or contracts are in place to support delivery to the site within
controls provided at the alternate processing site are equivalent to those at the primary site.
an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.
potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;
explicit mitigation actions to address identified accessibility problems are outlined.
alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.
the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.
circumstances that preclude returning to the primary processing site are planned for;
circumstances that preclude returning to the primary processing site are prepared for.
alternate telecommunications services, including necessary agreements to permit the resumption of
primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.
alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.
primary telecommunications service providers are required to have contingency plans;
alternate telecommunications service providers are required to have contingency plans;
provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;
evidence of contingency testing by providers is obtained
evidence of contingency training by providers is obtained
alternate telecommunications services are tested
backups of user-level information contained in
backups of system-level information contained in the system are conducted
backups of system documentation, including security- and privacy-related documentation, are conducted
the confidentiality of backup information is protected;
the integrity of backup information is protected;
the availability of backup information is protected.
backup information is tested
backup information is tested
a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.
backup copies of
system backup information is transferred to the alternate storage site for
system backup information is transferred to the alternate storage site
system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system;
system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations.
dual authorization for the deletion or destruction of
cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of
the recovery of the system to a known state is provided within
a reconstitution of the system to a known state is provided within
transaction recovery is implemented for systems that are transaction-based.
the capability to restore system components within
system components used for recovery and reconstitution are protected.
the capability to employ
a safe mode of operation is entered with
an identification and authentication policy is developed and documented;
+the identification and authentication policy is disseminated to
identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;
+the identification and authentication procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current identification and authentication policy is reviewed and updated
the current identification and authentication policy is reviewed and updated following
the current identification and authentication procedures are reviewed and updated
the current identification and authentication procedures are reviewed and updated following
organizational users are uniquely identified and authenticated;
the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.
multi-factor authentication is implemented for access to privileged accounts.
multi-factor authentication for access to non-privileged accounts is implemented.
users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.
multi-factor authentication is implemented for
multi-factor authentication is implemented for
replay-resistant authentication mechanisms for access to
a single sign-on capability is provided for
Personal Identity Verification-compliant credentials are accepted and electronically verified.
dynamic address allocation lease information assigned to devices where addresses are allocated dynamically is standardized in accordance with
dynamic address allocation lease duration assigned to devices where addresses are allocated dynamically is standardized in accordance with
lease information is audited when assigned to a device.
device identification and authentication are handled based on attestation by
system identifiers are managed by receiving authorization from
system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;
system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;
system identifiers are managed by preventing reuse of identifiers for
the use of system account identifiers that are the same as public identifiers is prohibited for individual accounts.
individual identifiers are managed by uniquely identifying each individual as
individual identifiers are dynamically managed in accordance with
cross-organization management of identifiers is coordinated with
pairwise pseudonymous identifiers are generated.
the attributes for each uniquely identified individual, device, or service are maintained in
system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;
system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;
system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;
system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;
system authenticators are managed through the change of default authenticators prior to first use;
system authenticators are managed through the change or refreshment of authenticators
system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;
system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;
system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;
system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.
for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated
for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);
for password-based authentication, passwords are only transmitted over cryptographically protected channels;
for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;
for password-based authentication, immediate selection of a new password is required upon account recovery;
for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;
for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;
for password-based authentication,
authorized access to the corresponding private key is enforced for public key-based authentication;
the authenticated identity is mapped to the account of the individual or group for public key-based authentication;
when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;
when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.
developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation.
authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.
unencrypted static authenticators are not embedded in applications or other forms of static storage.
identities and authenticators are dynamically bound using
mechanisms that satisfy
the use of cached authenticators is prohibited after
an organization-wide methodology for managing the content of PKI trust stores is employed across all platforms, including networks, operating systems, browsers, and applications for PKI-based authentication.
only General Services Administration-approved products and services are used for identity, credential, and access management.
the issuance of
presentation attack detection mechanisms are employed for biometric-based authentication.
the passwords are protected using
the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.
Personal Identity Verification-compliant credentials from other federal agencies are accepted;
Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.
only external authenticators that are NIST-compliant are accepted;
a list of accepted external authenticators is documented;
a list of accepted external authenticators is maintained.
there is conformance with
federated or PKI credentials that meet
federated or PKI credentials that meet
individuals accessing the system are required to employ
users are required to re-authenticate when
users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;
user identities are resolved to a unique individual;
identity evidence is collected;
identity evidence is validated;
identity evidence is verified.
the registration process to receive an account for logical access includes supervisor or sponsor authorization.
evidence of individual identification is presented to the registration authority.
the presented identity evidence is validated and verified through
the validation and verification of identity evidence is conducted in person before a designated registration authority.
a
externally proofed identities are accepted
an incident response policy is developed and documented;
the incident response policy is disseminated to
incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;
the incident response procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current incident response policy is reviewed and updated
the current incident response policy is reviewed and updated following
the current incident response procedures are reviewed and updated
the current incident response procedures are reviewed and updated following
incident response training is provided to system users consistent with assigned roles and responsibilities within
incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
incident response training is provided to system users consistent with assigned roles and responsibilities
incident response training content is reviewed and updated
incident response training content is reviewed and updated following
simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.
an incident response training environment is provided using
incident response training on how to identify and respond to a breach is provided;
incident response training on the organization's process for reporting a breach is provided.
the effectiveness of the incident response capability for the system is tested
the incident response capability is tested using
incident response testing is coordinated with organizational elements responsible for related plans.
qualitative data from testing are used to determine the effectiveness of incident response processes;
quantitative data from testing are used to determine the effectiveness of incident response processes;
qualitative data from testing are used to continuously improve incident response processes;
quantitative data from testing are used to continuously improve incident response processes;
qualitative data from testing are used to provide incident response measures and metrics that are accurate;
quantitative data from testing are used to provide incident response measures and metrics that are accurate;
qualitative data from testing are used to provide incident response measures and metrics that are consistent;
quantitative data from testing are used to provide incident response measures and metrics that are consistent;
qualitative data from testing are used to provide incident response measures and metrics in a reproducible format;
quantitative data from testing are used to provide incident response measures and metrics in a reproducible format.
an incident handling capability for incidents is implemented that is consistent with the incident response plan;
the incident handling capability for incidents includes preparation;
the incident handling capability for incidents includes detection and analysis;
the incident handling capability for incidents includes containment;
the incident handling capability for incidents includes eradication;
the incident handling capability for incidents includes recovery;
incident handling activities are coordinated with contingency planning activities;
lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;
the changes resulting from the incorporated lessons learned are implemented accordingly;
the rigor of incident handling activities is comparable and predictable across the organization;
the intensity of incident handling activities is comparable and predictable across the organization;
the scope of incident handling activities is comparable and predictable across the organization;
the results of incident handling activities are comparable and predictable across the organization.
the incident handling process is supported using
incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.
a configurable capability is implemented to automatically disable the system if
an incident handling capability is implemented for incidents involving insider threats.
an incident handling capability is coordinated for insider threats;
the coordinated incident handling capability includes
there is coordination with
incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain.
an integrated incident response team is established and maintained;
the integrated incident response team can be deployed to any location identified by the organization in
malicious code remaining in the system is analyzed after the incident;
other residual artifacts remaining in the system (if any) are analyzed after the incident.
anomalous or suspected adversarial behavior in or related to
a security operations center is established;
a security operations center is maintained.
public relations associated with an incident are managed;
measures are employed to repair the reputation of the organization.
incidents are tracked;
incidents are documented.
incidents are tracked using
incident information is collected using
incident information is analyzed using
personnel is/are required to report suspected incidents to the organizational incident response capability within
incident information is reported to
incidents are reported using
system vulnerabilities associated with reported incidents are reported to
incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
an incident response support resource, integral to the organizational incident response capability, is provided;
the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.
the availability of incident response information and support is increased using
a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability;
organizational incident response team members are identified to the external providers.
an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;
an incident response plan is developed that describes the structure and organization of the incident response capability;
an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;
an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;
an incident response plan is developed that defines reportable incidents;
an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;
an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;
an incident response plan is developed that addresses the sharing of incident information;
an incident response plan is developed that is reviewed and approved by
an incident response plan is developed that explicitly designates responsibility for incident response to
copies of the incident response plan are distributed to
copies of the incident response plan are distributed to
the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
incident response plan changes are communicated to
incident response plan changes are communicated to
the incident response plan is protected from unauthorized disclosure;
the incident response plan is protected from unauthorized modification.
the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;
the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.
the specific information involved in the system contamination is identified in response to information spills;
the contaminated system or system component is isolated in response to information spills;
the information is eradicated from the contaminated system or component in response to information spills;
other systems or system components that may have been subsequently contaminated are identified in response to information spills;
information spillage response training is provided
a maintenance policy is developed and documented;
the maintenance policy is disseminated to
maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;
the maintenance procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current maintenance policy is reviewed and updated
the current maintenance policy is reviewed and updated following
the current maintenance procedures are reviewed and updated
the current maintenance procedures are reviewed and updated following
maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;
maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;
records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;
all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;
all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;
equipment is sanitized to remove
all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;
up-to-date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.
up-to-date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.
up-to-date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.
the use of system maintenance tools is approved;
the use of system maintenance tools is controlled;
the use of system maintenance tools is monitored;
previously approved system maintenance tools are reviewed
maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.
media containing diagnostic and test programs are checked for malicious code before the media are used in the system.
the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or
the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or
the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or
the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from
the use of maintenance tools is restricted to authorized personnel only.
the use of maintenance tools that execute with increased privilege is monitored.
maintenance tools are inspected to ensure that the latest software updates and patches are installed.
nonlocal maintenance and diagnostic activities are approved;
nonlocal maintenance and diagnostic activities are monitored;
the use of nonlocal maintenance and diagnostic tools is allowed only as consistent with organizational policy;
the use of nonlocal maintenance and diagnostic tools is documented in the security plan for the system;
strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;
records for nonlocal maintenance and diagnostic activities are maintained;
session connections are terminated when nonlocal maintenance is completed;
network connections are terminated when nonlocal maintenance is completed.
the audit records of the maintenance sessions are reviewed to detect anomalous behavior;
the audit records of the diagnostic sessions are reviewed to detect anomalous behavior.
nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;
nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;
the component to be serviced is sanitized (for organizational information);
the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.
nonlocal maintenance sessions are protected by employing
nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system by physically separated communication paths; or
nonlocal maintenance sessions are protected by logically separated communication paths.
the approval of each nonlocal maintenance session is required by
session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions;
network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions.
a process for maintenance personnel authorization is established;
a list of authorized maintenance organizations or personnel is maintained;
non-escorted personnel performing maintenance on the system possess the required access authorizations;
organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.
procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;
procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;
personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances for at least the highest classification level and for compartments of information on the system;
personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess formal access approvals for at least the highest classification level and for compartments of information on the system.
personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.
foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments or owned and operated solely by foreign allied governments;
approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;
consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;
detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.
non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations.
maintenance support and/or spare parts are obtained for
preventive maintenance is performed on
predictive maintenance is performed on
predictive maintenance data is transferred to a maintenance management system using
field maintenance on
a media protection policy is developed and documented;
the media protection policy is disseminated to
media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;
the media protection procedures are disseminated to
the
the
the
the
the
the
the
the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the
the current media protection policy is reviewed and updated
the current media protection policy is reviewed and updated following
the current media protection procedures are reviewed and updated
the current media protection procedures are reviewed and updated following
access to
access to
system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;
system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
access to media storage areas is restricted using
access attempts to media storage areas are logged using
access granted to media storage areas is logged using
accountability for system media is maintained during transport outside of controlled areas;
activities associated with the transport of system media are documented;
personnel authorized to conduct media transport activities is/are identified;
activities associated with the transport of system media are restricted to identified authorized personnel.
a custodian to transport system media outside of controlled areas is identified;
the identified custodian is employed during the transport of system media outside of controlled areas.
sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.
media sanitization and disposal actions are reviewed;
media sanitization and disposal actions are approved;
media sanitization and disposal actions are tracked;
media sanitization and disposal actions are documented;
media sanitization and disposal actions are verified.
sanitization equipment is tested
sanitization procedures are tested
non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under
dual authorization for sanitization of
the capability to purge or wipe information from
the use of
the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.
sanitization-resistant media is identified;
the use of sanitization-resistant media in organizational systems is prohibited.
a
the
there is verification that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed;
there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information;
the identified system media is downgraded using the
system media downgrading actions are documented.
downgrading equipment is tested
downgrading procedures are tested
system media containing controlled unclassified information is identified;
system media containing controlled unclassified information is downgraded prior to public release.
system media containing classified information is identified;
system media containing classified information is downgraded prior to release to individuals without required access authorizations.
a physical and environmental protection policy is developed and documented;
the physical and environmental protection policy is disseminated to
physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;
the physical and environmental protection procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current physical and environmental protection policy is reviewed and updated
the current physical and environmental protection policy is reviewed and updated following
the current physical and environmental protection procedures are reviewed and updated
the current physical and environmental protection procedures are reviewed and updated following
a list of individuals with authorized access to the facility where the system resides has been developed;
the list of individuals with authorized access to the facility where the system resides has been approved;
the list of individuals with authorized access to the facility where the system resides has been maintained;
authorization credentials are issued for facility access;
the access list detailing authorized facility access by individuals is reviewed
individuals are removed from the facility access list when access is no longer required.
physical access to the facility where the system resides is authorized based on position or role.
two forms of identification are required from
unescorted access to the facility where the system resides is restricted to personnel with
physical access authorizations are enforced at
physical access authorizations are enforced at
physical access audit logs are maintained for
access to areas within the facility designated as publicly accessible is maintained by implementing
visitors are escorted;
+visitor activity is controlled
keys are secured;
+combinations are secured;
+other physical access devices are secured;
+combinations are changed
keys are changed
physical access authorizations to the system are enforced;
+physical access controls are enforced for the facility at
security checks are performed
guards are employed to control
lockable physical casings are used to protect
physical barriers are used to limit access.
+access control vestibules are employed at
physical access to
physical access to output from
individual identity is linked to the receipt of output from output devices.
+physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;
+physical access logs are reviewed
physical access logs are reviewed upon occurrence of
results of reviews are coordinated with organizational incident response capabilities;
+results of investigations are coordinated with organizational incident response capabilities.
+physical access to the facility where the system resides is monitored using physical intrusion alarms;
+physical access to the facility where the system resides is monitored using physical surveillance equipment.
+video surveillance of
video recordings are reviewed
video recordings are retained for
physical access to the system is monitored in addition to the physical access monitoring of the facility at
visitor access records for the facility where the system resides are maintained for
visitor access records are reviewed
visitor access records anomalies are reported to
visitor access records are maintained using
visitor access records are reviewed using
personally identifiable information contained in visitor access records is limited to
power equipment for the system is protected from damage and destruction;
+power cabling for the system is protected from damage and destruction.
+redundant power cabling paths that are physically separated by
automatic voltage controls for
the capability to shut off power to
emergency shutoff switches or devices are placed in
the emergency power shutoff capability is protected from unauthorized activation.
+an uninterruptible power supply is provided to facilitate
an alternate power supply provided for the system is activated
the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.
+the alternate power supply provided for the system is self-contained;
+the alternate power supply provided for the system is not reliant on external power generation;
+the alternate power supply provided for the system is capable of maintaining
automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;
+automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;
+automatic emergency lighting for the system covers emergency exits within the facility;
+automatic emergency lighting for the system covers evacuation routes within the facility.
+emergency lighting is provided for all areas within the facility supporting essential mission and business functions.
+fire detection systems are employed;
+employed fire detection systems are supported by an independent energy source;
+employed fire detection systems are maintained;
+fire suppression systems are employed;
+employed fire suppression systems are supported by an independent energy source;
+employed fire suppression systems are maintained.
+fire detection systems that activate automatically are employed in the event of a fire;
+fire detection systems that notify
fire detection systems that notify
fire suppression systems that activate automatically are employed;
+fire suppression systems that notify
fire suppression systems that notify
an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.
+the facility undergoes fire protection inspections
the identified deficiencies from fire protection inspections are resolved within
environmental control levels are monitored
environmental control monitoring is employed;
+the environmental control monitoring capability provides an alarm or notification to
the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;
+the master shutoff or isolation valves are accessible;
+the master shutoff or isolation valves are working properly;
+the master shutoff or isolation valves are known to key personnel.
+the presence of water near the system can be detected automatically;
+records of the system components are maintained.
+the effectiveness of controls at alternate work sites is assessed;
+a means for employees to communicate with information security and privacy personnel in case of incidents is provided.
+system components are positioned within the facility to minimize potential damage from
the system is protected from information leakage due to electromagnetic signal emanations.
+system components are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;
+associated data communications are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;
+networks are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information.
+the location or site of the facility where the system resides is planned considering physical and environmental hazards;
+for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.
+a planning policy is developed and documented.
+the planning policy is disseminated to
planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;
+the planning procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current planning policy is reviewed and updated
the current planning policy is reviewed and updated following
the current planning procedures are reviewed and updated
the current planning procedures are reviewed and updated following
a security plan for the system is developed that is consistent with the organization’s enterprise architecture;
+a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;
+a security plan for the system is developed that explicitly defines the constituent system components;
+a privacy plan for the system is developed that explicitly defines the constituent system components;
+a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+a security plan for the system is developed that provides an overview of the security requirements for the system;
+a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;
+a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;
+a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;
+a security plan for the system is developed that includes risk determinations for security architecture and design decisions;
+a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;
+a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with
a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with
a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
+a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
+copies of the plans are distributed to
subsequent changes to the plans are communicated to
plans are reviewed
plans are updated to address changes to the system and environment of operations;
+plans are updated to address problems identified during the plan implementation;
+plans are updated to address problems identified during control assessments;
+plans are protected from unauthorized disclosure;
+plans are protected from unauthorized modification.
+rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;
+rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;
+before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;
+rules of behavior are reviewed and updated
individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge
the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;
+the rules of behavior include restrictions on posting organizational information on public websites;
+the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
+a CONOPS for the system describing how the organization intends to operate the system from the perspective of information security and privacy is developed;
+the CONOPS is reviewed and updated
a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
+a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
+a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;
+a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;
+a security architecture for the system describes any assumptions about and dependencies on external systems and services;
+a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;
+changes in the enterprise architecture are reviewed and updated
planned architecture changes are reflected in the security plan;
+planned architecture changes are reflected in the privacy plan;
+planned architecture changes are reflected in the Concept of Operations (CONOPS);
+planned architecture changes are reflected in criticality analysis;
+planned architecture changes are reflected in organizational procedures;
+planned architecture changes are reflected in procurements and acquisitions.
+the security architecture for the system is designed using a defense-in-depth approach that allocates
the privacy architecture for the system is designed using a defense-in-depth approach that allocates
the security architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner;
+the privacy architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner.
+a control baseline for the system is selected.
+the selected control baseline is tailored by applying specified tailoring actions.
+an organization-wide information security program plan is developed;
+the information security program plan is disseminated;
+the information security program plan provides an overview of the requirements for the security program;
+the information security program plan provides a description of the security program management controls in place or planned for meeting those requirements;
+the information security program plan provides a description of the common controls in place or planned for meeting those requirements;
+the information security program plan includes the identification and assignment of roles;
+the information security program plan includes the identification and assignment of responsibilities;
+the information security program plan addresses management commitment;
+the information security program plan addresses coordination among organizational entities;
+the information security program plan addresses compliance;
+the information security program plan reflects the coordination among the organizational entities responsible for information security;
+the information security program plan is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
+the information security program plan is reviewed and updated
the information security program plan is reviewed and updated following
the information security program plan is protected from unauthorized disclosure;
+the information security program plan is protected from unauthorized modification.
+a senior agency information security officer is appointed;
+the senior agency information security officer is provided with the mission and resources to coordinate an organization-wide information security program;
+the senior agency information security officer is provided with the mission and resources to develop an organization-wide information security program;
+the senior agency information security officer is provided with the mission and resources to implement an organization-wide information security program;
+the senior agency information security officer is provided with the mission and resources to maintain an organization-wide information security program.
+the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;
+the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;
+the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;
+the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;
+information security resources are made available for expenditure as planned;
+privacy resources are made available for expenditure as planned.
+a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;
+a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;
+a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;
+a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;
+a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;
+a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;
+a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;
+a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;
+a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;
+a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;
+a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;
+a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;
+plans of action and milestones are reviewed for consistency with the organizational risk management strategy;
+plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions.
+an inventory of organizational systems is developed;
+the inventory of organizational systems is updated
an inventory of all systems, applications, and projects that process personally identifiable information is established;
+an inventory of all systems, applications, and projects that process personally identifiable information is maintained;
+an inventory of all systems, applications, and projects that process personally identifiable information is updated
information security measures of performance are developed;
+information security measures of performance are monitored;
+the results of information security measures of performance are reported;
+privacy measures of performance are developed;
+privacy measures of performance are monitored;
+the results of privacy measures of performance are reported.
+an enterprise architecture is developed with consideration for information security;
+an enterprise architecture is maintained with consideration for information security;
+an enterprise architecture is developed with consideration for privacy;
+an enterprise architecture is maintained with consideration for privacy;
+an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;
+an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
+information security issues are addressed in the development of a critical infrastructure and key resources protection plan;
+information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;
+information security issues are addressed in the update of a critical infrastructure and key resources protection plan;
+privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;
+privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;
+privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.
+a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;
+a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;
+the risk management strategy is implemented consistently across the organization;
+the risk management strategy is reviewed and updated
the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;
+the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;
+individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;
+the authorization processes are integrated into an organization-wide risk management program.
+organizational mission and business processes are defined with consideration for information security;
+organizational mission and business processes are defined with consideration for privacy;
+organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;
+information protection needs arising from the defined mission and business processes are determined;
+personally identifiable information processing needs arising from the defined mission and business processes are determined;
+the mission and business processes are reviewed and revised
an insider threat program that includes a cross-discipline insider threat incident handling team is implemented.
+a security workforce development and improvement program is established;
+a privacy workforce development and improvement program is established.
+a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;
+a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;
+a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;
+a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;
+a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;
+a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;
+testing plans are reviewed for consistency with the organizational risk management strategy;
+training plans are reviewed for consistency with the organizational risk management strategy;
+monitoring plans are reviewed for consistency with the organizational risk management strategy;
+testing plans are reviewed for consistency with organization-wide priorities for risk response actions;
+training plans are reviewed for consistency with organization-wide priorities for risk response actions;
+monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.
+contact is established and institutionalized with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel;
+contact is established and institutionalized with selected groups and associations within the privacy community to facilitate ongoing privacy education and training for organizational personnel;
+contact is established and institutionalized with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies;
+contact is established and institutionalized with selected groups and associations within the privacy community to maintain currency with recommended privacy practices, techniques, and technologies;
+contact is established and institutionalized with selected groups and associations within the security community to share current security information, including threats, vulnerabilities, and incidents;
+contact is established and institutionalized with selected groups and associations within the privacy community to share current privacy information, including threats, vulnerabilities, and incidents.
+a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented.
+automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information.
+policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;
+procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;
+policy is reviewed and updated
procedures are reviewed and updated
an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;
+the privacy program plan includes a description of the structure of the privacy program;
+the privacy program plan includes a description of the resources dedicated to the privacy program;
+the privacy program plan provides an overview of the requirements for the privacy program;
+the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;
+the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;
+the privacy program plan includes the role of the senior agency official for privacy;
+the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;
+the privacy program plan describes management commitment;
+the privacy program plan describes compliance;
+the privacy program plan describes the strategic goals and objectives of the privacy program;
+the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;
+the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
+the privacy program plan is disseminated;
+the privacy program plan is updated
the privacy program plan is updated to address changes in federal privacy laws and policies;
+the privacy program plan is updated to address organizational changes;
+the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.
+a senior agency official for privacy with authority, mission, accountability, and resources is appointed;
+the senior agency official for privacy coordinates applicable privacy requirements;
+the senior agency official for privacy develops applicable privacy requirements;
+the senior agency official for privacy implements applicable privacy requirements;
+the senior agency official for privacy manages privacy risks through the organization-wide privacy program.
+a central resource webpage is maintained on the organization’s principal public website;
+the webpage serves as a central source of information about the organization’s privacy program;
+the webpage ensures that the public has access to information about organizational privacy activities;
+the webpage ensures that the public can communicate with its senior agency official for privacy;
+the webpage ensures that organizational privacy practices are publicly available;
+the webpage ensures that organizational privacy reports are publicly available;
+the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.
+privacy policies are developed and posted on all external-facing websites;
+privacy policies are developed and posted on all mobile applications;
+privacy policies are developed and posted on all other digital services;
+the privacy policies are written in plain language;
+the privacy policies are organized in a way that is easy to understand and navigate;
+the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;
+the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;
+the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;
+the privacy policies include a time/date stamp to inform the public of the date of the most recent changes.
+the accounting includes the date of each disclosure;
+the accounting includes the nature of each disclosure;
+the accounting includes the purpose of each disclosure;
+the accounting includes the name of the individual or organization to whom the disclosure was made;
+the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;
+the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;
+the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request.
+organization-wide policies for personally identifiable information quality management are developed and documented;
+organization-wide procedures for personally identifiable information quality management are developed and documented;
+the policies address reviewing the accuracy of personally identifiable information across the information life cycle;
+the policies address reviewing the relevance of personally identifiable information across the information life cycle;
+the policies address reviewing the timeliness of personally identifiable information across the information life cycle;
+the policies address reviewing the completeness of personally identifiable information across the information life cycle;
+the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;
+the procedures address reviewing the relevance of personally identifiable information across the information life cycle;
+the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;
+the procedures address reviewing the completeness of personally identifiable information across the information life cycle;
+the policies address correcting or deleting inaccurate or outdated personally identifiable information;
+the procedures address correcting or deleting inaccurate or outdated personally identifiable information;
+the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;
+the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;
+the policies address appeals of adverse decisions on correction or deletion requests;
+the procedures address appeals of adverse decisions on correction or deletion requests.
+a Data Governance Body consisting of
the Data Integrity Board reviews proposals to conduct or participate in a matching program;
+the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated.
+policies that address the use of personally identifiable information for internal testing are developed and documented;
+policies that address the use of personally identifiable information for internal training are developed and documented;
+policies that address the use of personally identifiable information for internal research are developed and documented;
+procedures that address the use of personally identifiable information for internal testing are developed and documented;
+procedures that address the use of personally identifiable information for internal training are developed and documented;
+procedures that address the use of personally identifiable information for internal research are developed and documented;
+policies that address the use of personally identifiable information for internal testing are implemented;
+policies that address the use of personally identifiable information for training are implemented;
+policies that address the use of personally identifiable information for research are implemented;
+procedures that address the use of personally identifiable information for internal testing are implemented;
+procedures that address the use of personally identifiable information for training are implemented;
+procedures that address the use of personally identifiable information for research are implemented;
+the amount of personally identifiable information used for internal testing purposes is limited or minimized;
+the amount of personally identifiable information used for internal training purposes is limited or minimized;
+the amount of personally identifiable information used for internal research purposes is limited or minimized;
+the required use of personally identifiable information for internal testing is authorized;
+the required use of personally identifiable information for internal training is authorized;
+the required use of personally identifiable information for internal research is authorized;
+policies are reviewed
policies are updated
procedures are reviewed
procedures are updated
a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;
+a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;
+the complaint management process includes mechanisms that are easy to use by the public;
+the complaint management process includes mechanisms that are readily accessible by the public;
+the complaint management process includes all information necessary for successfully filing complaints;
+the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within
the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within
the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within
the complaint management process includes responding to complaints, concerns, or questions from individuals within
the privacy reports are disseminated to
the privacy reports are disseminated to
the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;
+the privacy reports are reviewed and updated
assumptions affecting risk assessments are identified and documented;
+assumptions affecting risk responses are identified and documented;
+assumptions affecting risk monitoring are identified and documented;
+constraints affecting risk assessments are identified and documented;
+constraints affecting risk responses are identified and documented;
+constraints affecting risk monitoring are identified and documented;
+priorities considered by the organization for managing risk are identified and documented;
+trade-offs considered by the organization for managing risk are identified and documented;
+organizational risk tolerance is identified and documented;
+the results of risk framing activities are distributed to
risk framing considerations are reviewed and updated
a Senior Accountable Official for Risk Management is appointed;
+a Senior Accountable Official for Risk Management aligns information security and privacy management processes with strategic, operational, and budgetary planning processes;
+a Risk Executive (function) is established;
+a Risk Executive (function) views and analyzes risk from an organization-wide perspective;
+a Risk Executive (function) ensures that the management of risk is consistent across the organization.
+an organization-wide strategy for managing supply chain risks is developed;
+the supply chain risk management strategy addresses risks associated with the development of systems;
+the supply chain risk management strategy addresses risks associated with the development of system components;
+the supply chain risk management strategy addresses risks associated with the development of system services;
+the supply chain risk management strategy addresses risks associated with the acquisition of systems;
+the supply chain risk management strategy addresses risks associated with the acquisition of system components;
+the supply chain risk management strategy addresses risks associated with the acquisition of system services;
+the supply chain risk management strategy addresses risks associated with the maintenance of systems;
+the supply chain risk management strategy addresses risks associated with the maintenance of system components;
+the supply chain risk management strategy addresses risks associated with the maintenance of system services;
+the supply chain risk management strategy addresses risks associated with the disposal of systems;
+the supply chain risk management strategy addresses risks associated with the disposal of system components;
+the supply chain risk management strategy addresses risks associated with the disposal of system services;
+the supply chain risk management strategy is implemented consistently across the organization;
+the supply chain risk management strategy is reviewed and updated
suppliers of critical or mission-essential technologies, products, and services are identified;
+suppliers of critical or mission-essential technologies, products, and services are prioritized;
+suppliers of critical or mission-essential technologies, products, and services are assessed.
+continuous monitoring programs are implemented that include establishing
continuous monitoring programs are implemented that establish
continuous monitoring programs are implemented that establish
continuous monitoring programs are implemented that include monitoring
continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;
+continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;
+continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;
+continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;
+continuous monitoring programs are implemented that include reporting the security status of organizational systems to
continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to
a personnel security policy is developed and documented;
+the personnel security policy is disseminated to
personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;
+the personnel security procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current personnel security policy is reviewed and updated
the current personnel security policy is reviewed and updated following
the current personnel security procedures are reviewed and updated
the current personnel security procedures are reviewed and updated following
a risk designation is assigned to all organizational positions;
+screening criteria are established for individuals filling organizational positions;
+position risk designations are reviewed and updated
individuals are screened prior to authorizing access to the system;
+individuals are rescreened in accordance with
where rescreening is so indicated, individuals are rescreened
individuals accessing a system processing, storing, or transmitting classified information are cleared;
+individuals accessing a system processing, storing, or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system.
+individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system.
+individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;
+individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy
individuals accessing a system processing, storing, or transmitting
upon termination of individual employment, system access is disabled within
upon termination of individual employment, any authenticators and credentials are terminated or revoked;
+upon termination of individual employment, exit interviews that include a discussion of
upon termination of individual employment, all security-related organizational system-related property is retrieved;
+upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual is retained.
+terminated individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;
+terminated individuals are required to sign an acknowledgement of post-employment requirements as part of the organizational termination process.
+the ongoing operational need for current logical and physical access authorizations to systems and facilities is reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;
+access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;
+access agreements are developed and documented for organizational systems;
+the access agreements are reviewed and updated
individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;
+individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or
access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties;
+access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria;
+access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a non-disclosure agreement.
+individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;
+individuals are required to sign an acknowledgement of applicable, legally binding post-employment requirements as part of being granted initial access to covered information.
+personnel security requirements are established, including security roles and responsibilities for external providers;
+external providers are required to comply with personnel security policies and procedures established by the organization;
+personnel security requirements are documented;
+external providers are required to notify
provider compliance with personnel security requirements is monitored.
+a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;
+security roles and responsibilities are incorporated into organizational position descriptions;
+privacy roles and responsibilities are incorporated into organizational position descriptions.
+a personally identifiable information processing and transparency policy is developed and documented;
+the personally identifiable information processing and transparency policy is disseminated to
personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;
+the personally identifiable information processing and transparency procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current personally identifiable information processing and transparency policy is reviewed and updated
the current personally identifiable information processing and transparency policy is reviewed and updated following
the current personally identifiable information processing and transparency procedures are reviewed and updated
the current personally identifiable information processing and transparency procedures are reviewed and updated following
the
the
data tags containing
enforcement of the authorized processing of personally identifiable information is managed using
the
the purpose(s) is/are described in the public privacy notices of the organization;
+the purpose(s) is/are described in the policies of the organization;
+the
changes in the processing of personally identifiable information are monitored;
+data tags containing
the processing purposes of personally identifiable information are tracked using
the
the
a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;
+a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals
a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;
+a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;
+a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;
+a notice to individuals about the processing of personally identifiable information which includes
a notice of personally identifiable information processing is presented to individuals at a time and location where the individual provides personally identifiable information, in conjunction with a data action, or
Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals.
+system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;
+new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;
+system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;
+system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.
+all routine uses published in the system of records notice are reviewed
all Privacy Act exemptions claimed for the system of records are reviewed
all Privacy Act exemptions claimed for the system of records are reviewed
all Privacy Act exemptions claimed for the system of records are reviewed
when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;
+when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;
+when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;
+when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary;
+when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;
+when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.
+the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.
+approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;
+a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;
+a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;
+a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;
+the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;
+individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;
+individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.
+a risk assessment policy is developed and documented;
+the risk assessment policy is disseminated to
risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;
+the risk assessment procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current risk assessment policy is reviewed and updated
the current risk assessment policy is reviewed and updated following
the current risk assessment procedures are reviewed and updated
the current risk assessment procedures are reviewed and updated following
the system and the information it processes, stores, and transmits are categorized;
+the security categorization results, including supporting rationale, are documented in the security plan for the system;
+the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
+an impact-level prioritization of organizational systems is conducted to obtain additional granularity on system impact levels.
+a risk assessment is conducted to identify threats to and vulnerabilities in the system;
+a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;
+a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
+risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;
+risk assessment results are documented in
risk assessment results are reviewed
risk assessment results are disseminated to
the risk assessment is updated
supply chain risks associated with
the supply chain risk assessment is updated
all-source intelligence is used to assist in the analysis of risk.
+the current cyber threat environment is determined on an ongoing basis using
systems and hosted applications are monitored for vulnerabilities
systems and hosted applications are scanned for vulnerabilities
vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;
+vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;
+vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;
+vulnerability scan reports and results from vulnerability monitoring are analyzed;
+legitimate vulnerabilities are remediated
information obtained from the vulnerability monitoring process and control assessments is shared with
vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.
+the system vulnerabilities to be scanned are updated
the breadth and depth of vulnerability scanning coverage are defined.
+information about the system is discoverable;
+privileged access authorization is implemented to
the results of multiple vulnerability scans are compared using
historic audit logs are reviewed to determine if a vulnerability identified in a
the output from vulnerability scanning tools is correlated to determine the presence of multi-vulnerability and multi-hop attack vectors.
+a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.
+a technical surveillance countermeasures survey is employed at
findings from security assessments are responded to in accordance with organizational risk tolerance;
+findings from privacy assessments are responded to in accordance with organizational risk tolerance;
+findings from monitoring are responded to in accordance with organizational risk tolerance;
+findings from audits are responded to in accordance with organizational risk tolerance.
+privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;
+privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;
+privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.
+critical system components and functions are identified by performing a criticality analysis for
a cyber threat capability is established and maintained to search for indicators of compromise in organizational systems;
+a cyber threat capability is established and maintained to detect, track, and disrupt threats that evade existing controls;
+the threat hunting capability is employed
a system and services acquisition policy is developed and documented;
+the system and services acquisition policy is disseminated to
system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;
+the system and services acquisition procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current system and services acquisition policy is reviewed and updated
the current system and services acquisition policy is reviewed and updated following
the current system and services acquisition procedures are reviewed and updated
the current system and services acquisition procedures are reviewed and updated following
the high-level information security requirements for the system or system service are determined in mission and business process planning;
+the high-level privacy requirements for the system or system service are determined in mission and business process planning;
+the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;
+the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;
+a discrete line item for information security is established in organizational programming and budgeting documentation;
+a discrete line item for privacy is established in organizational programming and budgeting documentation.
+the system is acquired, developed, and managed using
the system is acquired, developed, and managed using
information security roles and responsibilities are defined and documented throughout the system development life cycle;
+privacy roles and responsibilities are defined and documented throughout the system development life cycle;
+individuals with information security roles and responsibilities are identified;
+individuals with privacy roles and responsibilities are identified;
+organizational information security risk management processes are integrated into system development life cycle activities;
+organizational privacy risk management processes are integrated into system development life cycle activities.
+system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component, or system service.
+the use of live data in pre-production environments is approved for the system, system component, or system service;
+the use of live data in pre-production environments is documented for the system, system component, or system service;
+the use of live data in pre-production environments is controlled for the system, system component, or system service;
+pre-production environments for the system, system component, or system service are protected at the same impact or classification level as any live data in use within the pre-production environments.
+a technology refresh schedule is planned for the system throughout the system development life cycle;
+a technology refresh schedule is implemented for the system throughout the system development life cycle.
+security functional requirements, descriptions, and criteria are included explicitly or by reference using
privacy functional requirements, descriptions, and criteria are included explicitly or by reference using
strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using
security assurance requirements, descriptions, and criteria are included explicitly or by reference using
privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using
controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using
controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using
security documentation requirements, descriptions, and criteria are included explicitly or by reference using
privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using
requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using
requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using
the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using
the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using
the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using
the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using
acceptance criteria requirements and descriptions are included explicitly or by reference using
the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.
+the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using
the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes
the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes
the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes
the developer of the system, system component, or system service is required to deliver the system, component, or service with
the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.
+only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted are employed;
+these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
+the use of commercially provided information assurance and information assurance-enabled information technology products is limited to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists;
+if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that cryptographic module is required to be FIPS-validated or NSA-approved.
+the developer of the system, system component, or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.
+the developer of the system, system component, or system service is required to identify the functions intended for organizational use;
+the developer of the system, system component, or system service is required to identify the ports intended for organizational use;
+the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;
+the developer of the system, system component, or system service is required to identify the services intended for organizational use.
+only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.
+organizational data ownership requirements are included in the acquisition contract;
+all data to be removed from the contractor’s system and returned to the organization is required within
administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;
+administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;
+administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;
+administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;
+administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;
+administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;
+administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;
+administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;
+administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;
+user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;
+user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;
+user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;
+user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;
+user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;
+user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;
+user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;
+user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;
+attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent are documented;
+after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent,
documentation is distributed to
the security design principle of clear abstractions is implemented.
+the privacy principle of minimization is implemented using
providers of external system services comply with organizational security requirements;
+providers of external system services comply with organizational privacy requirements;
+providers of external system services employ
organizational oversight with regard to external system services is defined and documented;
+user roles and responsibilities with regard to external system services are defined and documented;
+an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;
+providers of
trust relationships with external service providers based on
trust relationships with external service providers based on
trust relationships with external service providers based on
trust relationships with external service providers based on
based on
exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system.
+the capability is provided to check the integrity of information while it resides in the external system.
+the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States.
+the developer of the system, system component, or system service is required to perform configuration management during system, component, or service
the developer of the system, system component, or system service is required to document the integrity of changes to
the developer of the system, system component, or system service is required to manage the integrity of changes to
the developer of the system, system component, or system service is required to control the integrity of changes to
the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;
+the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;
+the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;
+the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;
+the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;
+the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;
+the developer of the system, system component, or system service is required to report findings to
the developer of the system, system component, or system service is required to enable integrity verification of software and firmware components.
+an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team.
+the developer of the system, system component, or system service is required to enable integrity verification of hardware components.
+the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions;
+the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of source code with previous versions;
+the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of object code with previous versions.
+the developer of the system, system component, or system service is required to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
+the developer of the system, system component, or system service is required to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
+the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;
+the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;
+the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;
+the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;
+the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform
the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;
+the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;
+the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;
+the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.
+the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;
+the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.
+the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses
the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses
the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses
the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses
the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs
the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs
the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs
the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs
the developer of the system, system component, or system service is required to perform threat modeling at
the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at
the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets
the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets
the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets
the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets
an independent agent is required to satisfy
an independent agent is required to satisfy
the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
+the developer of the system, system component, or system service is required to perform a manual code review of
the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor:
the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor:
the developer of the system, system component, or system service is required to perform penetration testing under
the developer of the system, system component, or system service is required to perform attack surface reviews.
+the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at
the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at
the developer of the system, system component, or system service is required to employ dynamic code analysis tools to identify common flaws;
+the developer of the system, system component, or system service is required to document the results of the analysis.
+the developer of the system, system component, or system service is required to employ interactive application security testing tools to identify flaws;
+the developer of the system, system component, or system service is required to document the results of flaw identification.
+the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;
+the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;
+the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;
+the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;
+the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;
+the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;
+the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;
+the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed
the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed
the developer of the system, system component, or system service is required to define quality metrics at the beginning of the development process;
+the developer of the system, system component, or system service is required to provide evidence of meeting the quality metrics
the developer of the system, system component, or system service is required to select and employ security tracking tools for use during the development process;
+the developer of the system, system component, or system service is required to select and employ privacy tracking tools for use during the development process.
+the developer of the system, system component, or system service is required to perform a criticality analysis at
the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level:
the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level:
the developer of the system, system component, or system service is required to reduce attack surfaces to
the developer of the system, system component, or system service is required to implement an explicit process to continuously improve the development process.
+the developer of the system, system component, or system service is required to perform automated vulnerability analysis
the developer of the system, system component, or system service is required to determine the exploitation potential for discovered vulnerabilities
the developer of the system, system component, or system service is required to determine potential risk mitigations
the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis
the developer of the system, system component, or system service is required to use threat modeling from similar systems, components, or services to inform the current development process;
+the developer of the system, system component, or system service is required to use vulnerability analyses from similar systems, components, or services to inform the current development process.
+the developer of the system, system component, or system service is required to provide an incident response plan;
+the developer of the system, system component, or system service is required to implement an incident response plan;
+the developer of the system, system component, or system service is required to test an incident response plan.
+the developer of the system or system component is required to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.
+the developer of the system or system component is required to minimize the use of personally identifiable information in development and test environments.
+the developer of the system, system component, or system service is required to provide
the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part of the organization’s enterprise architecture;
+the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part of the organization’s enterprise architecture;
+the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;
+the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;
+the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;
+the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.
+as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the
as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the
the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented;
+the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented.
+the developer of the system, system component, or system service is required to define security-relevant hardware;
+the developer of the system, system component, or system service is required to define security-relevant software;
+the developer of the system, system component, or system service is required to define security-relevant firmware;
+the developer of the system, system component, or system service is required to provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
+as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;
+as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;
+as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;
+the developer of the system, system component, or system service is required to show proof that the formal top-level specification is consistent with the formal policy model to the extent feasible with additional informal demonstration as necessary;
+the developer of the system, system component, or system service is required to show via informal demonstration that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
+the developer of the system, system component, or system service is required to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware;
+the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the formal top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.
+as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;
+as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;
+as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;
+the developer of the system, system component, or system service is required to show via
the developer of the system, system component, or system service is required to show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
+the developer of the system, system component, or system service is required to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware;
+the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the descriptive top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.
+the developer of the system, system component, or system service is required to design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics;
+the developer of the system, system component, or system service is required to internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
+the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate testing.
+the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
+different designs are used for
the developer of
the developer of
system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;
a system and communications protection policy is developed and documented;
the system and communications protection policy is disseminated to
system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;
the system and communications protection procedures are disseminated to
the
the
the
the
the
the
the
the
the
the current system and communications protection policy is reviewed and updated
the current system and communications protection policy is reviewed and updated following
the current system and communications protection procedures are reviewed and updated
the current system and communications protection procedures are reviewed and updated following
user functionality, including user interface services, is separated from system management functionality.
the presentation of system management functionality is prevented at interfaces to non-privileged users.
state information is stored separately from applications and software.
security functions are isolated from non-security functions.
hardware separation mechanisms are employed to implement security function isolation.
security functions enforcing access control are isolated from non-security functions;
security functions enforcing access control are isolated from other security functions;
security functions enforcing information flow control are isolated from non-security functions;
security functions enforcing information flow control are isolated from other security functions.
the number of non-security functions included within the isolation boundary containing security functions is minimized.
security functions are implemented as largely independent modules that maximize internal cohesiveness within modules;
security functions are implemented as largely independent modules that minimize coupling between modules.
security functions are implemented as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
unauthorized information transfer via shared system resources is prevented;
unintended information transfer via shared system resources is prevented.
unauthorized information transfer via shared resources is prevented in accordance with
the effects of
the ability of individuals to launch
capacity, bandwidth, or other redundancies to limit the effects of information flooding denial-of-service attacks are managed.
the availability of resources is protected by allocating
communications at external managed interfaces to the system are monitored;
communications at external managed interfaces to the system are controlled;
communications at key internal managed interfaces within the system are monitored;
communications at key internal managed interfaces within the system are controlled;
subnetworks for publicly accessible system components are
external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
the number of external network connections to the system is limited.
a managed interface is implemented for each external telecommunication service;
a traffic flow policy is established for each managed interface;
the confidentiality of the information being transmitted across each interface is protected;
the integrity of the information being transmitted across each interface is protected;
each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;
exceptions to the traffic flow policy are reviewed
exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;
unauthorized exchanges of control plane traffic with external networks are prevented;
information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;
unauthorized control plane traffic is filtered from external networks.
network communications traffic is denied by default
network communications traffic is allowed by exception
split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using
outgoing communications traffic posing a threat to external systems is detected;
outgoing communications traffic posing a threat to external systems is denied;
the identity of internal users associated with denied communications is audited.
the exfiltration of information is prevented;
exfiltration tests are conducted
only incoming communications from
networked, privileged accesses are routed through a dedicated, managed interface for purposes of access control;
networked, privileged accesses are routed through a dedicated, managed interface for purposes of auditing.
the discovery of specific system components that represent a managed interface is prevented.
adherence to protocol formats is enforced.
systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.
inbound communications traffic is blocked between
outbound communications traffic is blocked between
the capability to dynamically isolate
boundary protection mechanisms are employed to isolate
separate network addresses are implemented to connect to systems in different security domains.
feedback to senders is disabled on protocol format validation failure.
permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;
permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;
each processing exception is documented for systems that process personally identifiable information;
exceptions for systems that process personally identifiable information are reviewed;
exceptions for systems that process personally identifiable information that are no longer supported are removed.
the direct connection of
the direct connection of a classified national security system to an external network without the use of a
the direct connection of
the direct connection of the
subnetworks are separated
the