NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls
SYSTEM AND COMMUNICATIONS PROTECTION
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-1
|
System and Communications Protection Policy and Procedures
|
P1
|
LOW SC-1
|
MOD SC-1
|
HIGH SC-1
|
| ASSESSMENT PROCEDURE
|
| SC-1 |
SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
|
| SC-1.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization develops and formally documents system and communications protection policy;
- (ii) the organization system and communications protection policy addresses:
- (iii) the organization disseminates formal documented system and communications protection policy to elements within the organization having associated system and communications protection roles and responsibilities;
- (iv) the organization develops and formally documents system and communications protection procedures;
- (v) the organization system and communications protection procedures facilitate implementation of the system and communications protection policy and associated system and communications protection controls; and
- (vi) the organization disseminates formal documented system and communications protection procedures to elements within the organization having associated system and communications protection roles and responsibilities.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with system and communications protection responsibilities].
|
| SC-1.2 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of system and communications protection policy reviews/updates;
- (ii) the organization reviews/updates system and communications protection policy in accordance with organization-defined frequency; and
- (iii) the organization defines the frequency of system and communications protection procedure reviews/updates;
- (iv) the organization reviews/updates system and communications protection procedures in accordance with organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with system and communications protection responsibilities].
|
SC-2 APPLICATION PARTITIONING
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-2
|
Application Partitioning
|
P1
|
LOW Not Selected
|
MOD SC-2
|
HIGH SC-2
|
| ASSESSMENT PROCEDURE
|
| SC-2 |
APPLICATION PARTITIONING
|
| SC-2.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system separates user functionality (including user interface services) from information system management functionality.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Separation of user functionality from information system management functionality].
|
| SC-2(1) |
APPLICATION PARTITIONING
|
| SC-2(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system prevents the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Separation of user functionality from information system management functionality].
|
SC-3 SECURITY FUNCTION ISOLATION
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-3
|
Security Function Isolation
|
P1
|
LOW Not Selected
|
MOD Not Selected
|
HIGH SC-3
|
| ASSESSMENT PROCEDURE
|
| SC-3 |
SECURITY FUNCTION ISOLATION
|
| SC-3.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the security functions of the information system to be isolated from nonsecurity functions; and
- (ii) the information system isolates security functions from nonsecurity functions.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; list of security functions to be isolated from nonsecurity functions; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Separation of security functions from nonsecurity functions within the information system].
|
| SC-3(1) |
SECURITY FUNCTION ISOLATION
|
| SC-3(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system implements underlying hardware separation mechanisms to facilitate security function isolation.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; hardware separation mechanisms; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Hardware separation mechanisms facilitating security function isolation].
|
| SC-3(2) |
SECURITY FUNCTION ISOLATION
|
| SC-3(2).1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; list of critical security functions; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Isolation of security functions enforcing access and information flow control].
|
| SC-3(3) |
SECURITY FUNCTION ISOLATION
|
| SC-3(3).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
|
| SC-3(4) |
SECURITY FUNCTION ISOLATION
|
| SC-3(4).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization implements security functions as largely independent modules that avoid unnecessary interactions between modules.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
|
| SC-3(5) |
SECURITY FUNCTION ISOLATION
|
| SC-3(5).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
|
SC-4 INFORMATION IN SHARED RESOURCES
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-4
|
Information in Shared Resources
|
P1
|
LOW Not Selected
|
MOD SC-4
|
HIGH SC-4
|
| ASSESSMENT PROCEDURE
|
| SC-4 |
INFORMATION IN SHARED RESOURCES
|
| SC-4.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system prevents unauthorized and unintended information transfer via shared system resources.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing information remnance; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Information system for unauthorized and unintended transfer of information via shared system resources].
|
| SC-4(1) |
INFORMATION IN SHARED RESOURCES
|
| SC-4(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system does not share resources that are used to interface with systems operating at different security levels.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing information remnance; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
|
SC-5 DENIAL OF SERVICE PROTECTION
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-5
|
Denial of Service Protection
|
P1
|
LOW SC-5
|
MOD SC-5
|
HIGH SC-5
|
| ASSESSMENT PROCEDURE
|
| SC-5 |
DENIAL OF SERVICE PROTECTION
|
| SC-5.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system; and
- (ii) the information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Information system for protection against or limitation of the effects of denial of service attacks].
|
| SC-5(1) |
DENIAL OF SERVICE PROTECTION
|
| SC-5(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system restricts the ability of users to launch denial of service attacks against other information systems or networks.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Information system for protection against or limitation of the effects of denial of service attacks].
|
| SC-5(2) |
DENIAL OF SERVICE PROTECTION
|
| SC-5(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing information system bandwidth, capacity, and redundancy management].
|
SC-6 RESOURCE PRIORITY
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-6
|
Resource Priority
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-6 |
RESOURCE PRIORITY
|
| SC-6.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system limits the use of resources by priority.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing prioritization of information system resources; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing resource allocation capability].
|
SC-7 BOUNDARY PROTECTION
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-7
|
Boundary Protection
|
P1
|
LOW SC-7
|
MOD SC-7 (1) (2) (3) (4) (5) (7)
|
HIGH SC-7 (1) (2) (3) (4) (5) (6) (7) (8)
|
| ASSESSMENT PROCEDURE
|
| SC-7 |
BOUNDARY PROTECTION
|
| SC-7.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the external boundary of the information system;
- (ii) the organization defines key internal boundaries of the information system;
- (iii) the information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system; and
- (iv) the information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; list of key internal boundaries of the information system; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; enterprise security architecture documentation; other relevant documents or records].
- Interview: [SELECT FROM: Selected organizational personnel with boundary protection responsibilities].
- Test: [SELECT FROM: Automated mechanisms implementing boundary protection capability within the information system].
|
| SC-7(1) |
BOUNDARY PROTECTION
|
| SC-7(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization physically allocates publicly accessible information system components to separate subnetworks with separate, physical network interfaces.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; other relevant documents or records].
|
| SC-7(2) |
BOUNDARY PROTECTION
|
| SC-7(2).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the mediation necessary for public access to the organization's internal networks; and
- (ii) the information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; list of mediation vehicles for allowing public access to the organization's internal networks; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing access controls for public access to the organization's internal networks].
|
| SC-7(3) |
BOUNDARY PROTECTION
|
| SC-7(3).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; boundary protection hardware and software; information system architecture and configuration documentation; information system configuration settings and associated documentation; communications and network traffic monitoring logs; other relevant documents or records].
|
| SC-7(4) |
BOUNDARY PROTECTION
|
| SC-7(4).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency for reviewing exceptions to traffic flow policy;
- (ii) the organization implements a managed interface for each external telecommunication service;
- (iii) the organization establishes a traffic flow policy for each managed interface;
- (iv) the organization employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
- (v) the organization documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
- (vi) the organization reviews exceptions to the traffic flow policy in accordance with the organization-defined frequency; and
- (vii) the organization removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; traffic flow policy; information system security architecture; information system design documentation; boundary protection hardware and software; information system architecture and configuration documentation; information system configuration settings and associated documentation; records of traffic flow policy exceptions; other relevant documents or records].
- Interview: [SELECT FROM: Selected organizational personnel with boundary protection responsibilities].
- Test: [SELECT FROM: Managed interfaces implementing organizational traffic flow policy].
|
| SC-7(5) |
BOUNDARY PROTECTION
|
| SC-7(5).1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Interview: [SELECT FROM: Selected organizational personnel with boundary protection responsibilities].
|
| SC-7(6) |
BOUNDARY PROTECTION
|
| SC-7(6).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization prevents the unauthorized release of information outside of the information system boundary; or
- (ii) the organization prevents any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms supporting the fail-safe boundary protection capability within the information system].
|
| SC-7(7) |
BOUNDARY PROTECTION
|
| SC-7(7).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms supporting non-remote connections with the information system].
|
| SC-7(8) |
BOUNDARY PROTECTION
|
| SC-7(8).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the internal communications traffic to be routed to external networks;
- (ii) the organization defines the external networks to which the organization-defined internal communications traffic should be routed; and
- (iii) the information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Mechanisms implementing managed interfaces within information system boundary protection devices].
|
| SC-7(9) |
BOUNDARY PROTECTION
|
| SC-7(9).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the information system, at managed interfaces, denies network traffic; and
- (ii) the information system audits internal users (or malicious code) posing a threat to external information systems.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
- Test: [SELECT FROM: Mechanisms implementing managed interfaces within information system boundary protection devices].
|
| SC-7(10) |
BOUNDARY PROTECTION
|
| SC-7(10).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization prevents the unauthorized exfiltration of information across managed interfaces.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms preventing unauthorized exfiltration of information across managed interfaces].
|
| SC-7(11) |
BOUNDARY PROTECTION
|
| SC-7(11).1 |
ASSESSMENT OBJECTIVE:
Determine if the information system checks incoming communications to ensure:
- the communications are coming from an authorized source; and
- the communications are routed to an authorized destination.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
|
| SC-7(12) |
BOUNDARY PROTECTION
|
| SC-7(12).1 |
ASSESSMENT OBJECTIVE:
Determine if the information system implements host-based boundary protection mechanisms for:
- servers;
- workstations; and
- mobile devices.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing host-based boundary protection capability].
|
| SC-7(13) |
BOUNDARY PROTECTION
|
| SC-7(13).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the key information security tools, mechanisms, and support components to be isolated from other internal information system components; and
- (ii) the organization isolates organization-defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets with managed interfaces to other portions of the system.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; list of security tools and support components to be isolated from other internal information system components; other relevant documents or records].
|
| SC-7(14) |
BOUNDARY PROTECTION
|
| SC-7(14).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the managed interfaces where boundary protections are to be implemented;
- (ii) the organization defines the measures to protect against unauthorized physical connections across boundary protections implemented at organization-defined managed interfaces; and
- (iii) the organization protects against unauthorized physical connections across the boundary protections implemented at organization-defined managed interfaces.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; facility communications and wiring diagram; other relevant documents or records].
- Test: [SELECT FROM: Physical access capability implementing protections against unauthorized physical connections to the information system].
|
| SC-7(15) |
BOUNDARY PROTECTION
|
| SC-7(15).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the information system routes all networked, privileged accesses through a dedicated, managed interface for purpose of access control; and
- (ii) the information system routes all networked, privileged accesses through a dedicated, managed interface for purpose of auditing.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; audit logs; other relevant documents or records].
- Test: [SELECT FROM: Mechanisms routing networked, privileged access through dedicated managed interfaces].
|
| SC-7(16) |
BOUNDARY PROTECTION
|
| SC-7(16).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system prevents discovery of specific system components (or devices) composing a managed interface.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Mechanisms preventing discovery of system components at a managed interface].
|
| SC-7(17) |
BOUNDARY PROTECTION
|
| SC-7(17).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs automated mechanisms to enforce strict adherence to protocol format.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system architecture; information system configuration settings and associated documentation; other relevant documents or records].
|
| SC-7(18) |
BOUNDARY PROTECTION
|
| SC-7(18).1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system architecture; information system configuration settings and associated documentation; other relevant documents or records].
|
SC-8 TRANSMISSION INTEGRITY
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-8
|
Transmission Integrity
|
P1
|
LOW Not Selected
|
MOD SC-8 (1)
|
HIGH SC-8 (1)
|
| ASSESSMENT PROCEDURE
|
| SC-8 |
TRANSMISSION INTEGRITY
|
| SC-8.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system protects the integrity of transmitted information.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Transmission integrity capability within the information system].
|
| SC-8(1) |
TRANSMISSION INTEGRITY
|
| SC-8(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Cryptographic mechanisms implementing transmission integrity capability within the information system].
|
| SC-8(2) |
TRANSMISSION INTEGRITY
|
| SC-8(2).1 |
ASSESSMENT OBJECTIVE:
Determine if the information system in preparation for transmission maintains the integrity of information during:
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Transmission integrity capability within the information system].
|
SC-9 TRANSMISSION CONFIDENTIALITY
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-9
|
Transmission Confidentiality
|
P1
|
LOW Not Selected
|
MOD SC-9 (1)
|
HIGH SC-9 (1)
|
| ASSESSMENT PROCEDURE
|
| SC-9 |
TRANSMISSION CONFIDENTIALITY
|
| SC-9.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system protects the confidentiality of transmitted information.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality; information system design documentation; contracts for telecommunications services; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Transmission confidentiality capability within the information system].
|
| SC-9(1) |
TRANSMISSION CONFIDENTIALITY
|
| SC-9(1).1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality; information system design documentation; information system communications hardware and software or Protected Distribution System protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Cryptographic mechanisms implementing transmission confidentiality capability within the information system].
|
| SC-9(2) |
TRANSMISSION CONFIDENTIALITY
|
| SC-9(2).1 |
ASSESSMENT OBJECTIVE:
Determine if the information system in preparation for transmission maintains the confidentiality of information during:
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality; information system design documentation; information system communications hardware and software or Protected Distribution System protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Transmission confidentiality capability within the information system].
|
SC-10 NETWORK DISCONNECT
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-10
|
Network Disconnect
|
P2
|
LOW Not Selected
|
MOD SC-10
|
HIGH SC-10
|
| ASSESSMENT PROCEDURE
|
| SC-10 |
NETWORK DISCONNECT
|
| SC-10.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the time period of inactivity before the information system terminates a network connection associated with a communications session; and
- (ii) the information system terminates a network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing network disconnect; information system design documentation; organization-defined time period of inactivity before network disconnect; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Network disconnect capability within the information system].
|
SC-11 TRUSTED PATH
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-11
|
Trusted Path
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-11 |
TRUSTED PATH
|
| SC-11.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the security functions within the information system to be included in a trusted communications path;
- (ii) the organization-defined security functions include information system authentication and reauthentication; and
- (iii) the information system establishes a trusted communications path between the user and the organization-defined security functions within the information system.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing trusted communications paths; security plan; information system design documentation; information system configuration settings and associated documentation; assessment results from independent, testing organizations; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing trusted communications paths within the information system].
|
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-12
|
Cryptographic Key Establishment and Management
|
P1
|
LOW SC-12
|
MOD SC-12
|
HIGH SC-12 (1)
|
| ASSESSMENT PROCEDURE
|
| SC-12 |
CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
|
| SC-12.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization establishes and manages cryptographic keys for required cryptography employed within the information system.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management and establishment; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for cryptographic key establishment or management].
- Test: [SELECT FROM: Automated mechanisms implementing cryptographic key management and establishment within the information system].
|
| SC-12(1) |
CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
|
| SC-12(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization maintains availability of information in the event of the loss of cryptographic keys by users.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management, establishment, and recovery; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
|
| SC-12(2) |
CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
|
| SC-12(2).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines whether it will use NIST-approved or NSA-approved key management technology and processes; and
- (ii) the organization produces, controls, and distributes symmetric cryptographic keys using the organization-defined key management technology and processes.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management, establishment, and recovery; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for cryptographic key establishment or management].
|
| SC-12(3) |
CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
|
| SC-12(3).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization produces, controls, and distributes symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management, establishment, and recovery; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for cryptographic key establishment or management].
|
| SC-12(4) |
CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
|
| SC-12(4).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management, establishment, and recovery; information system design documentation; information system configuration settings and associated documentation; information system cryptographic keys; other relevant documents or records].
|
| SC-12(5) |
CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
|
| SC-12(5).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management, establishment, and recovery; information system design documentation; information system configuration settings and associated documentation; information system cryptographic keys; other relevant documents or records].
|
SC-13 USE OF CRYPTOGRAPHY
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-13
|
Use of Cryptography
|
P1
|
LOW SC-13
|
MOD SC-13
|
HIGH SC-13
|
| ASSESSMENT PROCEDURE
|
| SC-13 |
USE OF CRYPTOGRAPHY
|
| SC-13.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system implements cryptographic protections using cryptographic modules that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; other relevant documents or records].
|
| SC-13(1) |
USE OF CRYPTOGRAPHY
|
| SC-13(1).1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; FIPS cryptography standards; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; other relevant documents or records].
|
| SC-13(2) |
USE OF CRYPTOGRAPHY
|
| SC-13(2).1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; NSA cryptography standards; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; other relevant documents or records].
|
| SC-13(3) |
USE OF CRYPTOGRAPHY
|
| SC-13(3).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs, at a minimum, FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; FIPS cryptography standards; information system design documentation; information system configuration settings and associated documentation; FIPS cryptographic module validation certificates; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing cryptography within the information system].
|
| SC-13(4) |
USE OF CRYPTOGRAPHY
|
| SC-13(4).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines whether it will use NIST-approved or NSA-approved cryptography to implement digital signatures; and
- (ii) the organization employs the organization-defined cryptography to implement digital signatures
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; other relevant documents or records].
|
SC-14 PUBLIC ACCESS PROTECTIONS
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-14
|
Public Access Protections
|
P1
|
LOW SC-14
|
MOD SC-14
|
HIGH SC-14
|
| ASSESSMENT PROCEDURE
|
| SC-14 |
PUBLIC ACCESS PROTECTIONS
|
| SC-14.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system protects the integrity and availability of publicly available information and applications.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing public access protections; access control policy and procedures; boundary protection procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms protecting the integrity and availability of publicly available information and applications within the information system].
|
SC-15 COLLABORATIVE COMPUTING DEVICES
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-15
|
Collaborative Computing Devices
|
P1
|
LOW SC-15
|
MOD SC-15
|
HIGH SC-15
|
| ASSESSMENT PROCEDURE
|
| SC-15 |
COLLABORATIVE COMPUTING DEVICES
|
| SC-15.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines exceptions to the prohibiting of collaborative computing devices where remote activation is to be allowed;
- (ii) the organization prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed; and
- (iii) the organization provides an explicit indication of use to users physically present at the devices.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing access controls for collaborative computing environments; alert notification for local users].
|
| SC-15(1) |
COLLABORATIVE COMPUTING DEVICES
|
| SC-15(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Physical disconnect of collaborative computing devices].
|
| SC-15(2) |
COLLABORATIVE COMPUTING DEVICES
|
| SC-15(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system or supporting environment blocks both inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Mechanisms blocking inbound and outbound traffic between instant message clients that are independently configured].
|
| SC-15(3) |
COLLABORATIVE COMPUTING DEVICES
|
| SC-15(3).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the secure work areas where collaborative computing devices are prohibited; and
- (ii) the organization disables or removes collaborative computing devices from information systems in organization-defined secure work areas.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with device management responsibilities for collaborative computing].
|
SC-16 TRANSMISSION OF SECURITY ATTRIBUTES
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-16
|
Transmission of Security Attributes
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-16 |
TRANSMISSION OF SECURITY ATTRIBUTES
|
| SC-16.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system associates security attributes with information exchanged between information systems.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission of security parameters; access control policy and procedures; boundary protection procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms supporting reliable transmission of security parameters between information systems].
|
| SC-16(1) |
TRANSMISSION OF SECURITY ATTRIBUTES
|
| SC-16(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system validates the integrity of security attributes exchanged between systems.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission of security parameters; access control policy and procedures; boundary protection procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms supporting reliable transmission of security parameters between information systems].
|
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-17
|
Public Key Infrastructure Certificates
|
P1
|
LOW Not Selected
|
MOD SC-17
|
HIGH SC-17
|
| ASSESSMENT PROCEDURE
|
| SC-17 |
PUBLIC KEY INFRASTRUCTURE CERTIFICATES
|
| SC-17.1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing public key infrastructure certificates; public key certificate policy or policies; public key issuing process; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with public key infrastructure certificate issuing responsibilities].
|
SC-18 MOBILE CODE
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-18
|
Mobile Code
|
P1
|
LOW Not Selected
|
MOD SC-18
|
HIGH SC-18
|
| ASSESSMENT PROCEDURE
|
| SC-18 |
MOBILE CODE
|
| SC-18.1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions, mobile code implementation policy and procedures; list of acceptable mobile code and mobile code technologies; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with mobile code authorization, monitoring, and control responsibilities].
- Test: [SELECT FROM: Mobile code authorization and monitoring capability for the organization].
|
| SC-18(1) |
MOBILE CODE
|
| SC-18(1).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the information system implements detection and inspection mechanisms to identify unauthorized mobile code; and
- (ii) the information system takes corrective action when unauthorized mobile code is identified.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions, mobile code implementation policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing mobile code detection and inspection capability].
|
| SC-18(2) |
MOBILE CODE
|
| SC-18(2).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines requirements for the acquisition, development and/or use of mobile code; and
- (ii) the organization ensures the acquisition, development, and/or use of mobile code to be deployed in information systems meets the organization-defined mobile code requirements.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions, mobile code implementation policy and procedures; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with mobile code management responsibilities; organizational personnel with information system security, acquisition, and contracting responsibilities].
|
| SC-18(3) |
MOBILE CODE
|
| SC-18(3).1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions, mobile code implementation policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms preventing download and execution of prohibited mobile code].
|
| SC-18(4) |
MOBILE CODE
|
| SC-18(4).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines software applications for which automatic mobile code execution is to be prohibited;
- (ii) the organization defines actions required by the information system before executing mobile code;
- (iii) the information system prevents the automatic execution of mobile code in the organization-defined software applications; and
- (iv) the information system requires organization-defined actions before executing mobile code.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions; information system design documentation; information system configuration settings and associated documentation; list of applications for which automatic execution of mobile code must be prohibited; list of actions required before execution of mobile code; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms preventing mobile code execution within the information system].
|
SC-19 VOICE OVER INTERNET PROTOCOL
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-19
|
Voice Over Internet Protocol
|
P1
|
LOW Not Selected
|
MOD SC-19
|
HIGH SC-19
|
| ASSESSMENT PROCEDURE
|
| SC-19 |
VOICE OVER INTERNET PROTOCOL
|
| SC-19.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
- (ii) the organization authorizes, monitors, and controls the use of VoIP within the information system.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing VoIP; VoIP usage restrictions; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with VoIP authorization and monitoring responsibilities].
- Test: [SELECT FROM: VoIP authorization and monitoring capability for the organization].
|
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-20
|
Secure Name /Address Resolution Service (Authoritative Source)
|
P1
|
LOW SC-20 (1)
|
MOD SC-20 (1)
|
HIGH SC-20 (1)
|
| ASSESSMENT PROCEDURE
|
| SC-20 |
SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
|
| SC-20.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing secure name/address resolution service (authoritative source)].
|
| SC-20(1) |
SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
|
| SC-20(1).1 |
ASSESSMENT OBJECTIVE:
Determine if
- (i) the information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces; and
- (ii) the information system, when operating as part of a distributed, hierarchical namespace, enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing child subspace security status indicators and chain of trust verification for resolution services].
|
SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-21
|
Secure Name /Address Resolution Service (Recursive or Caching Resolver)
|
P1
|
LOW Not Selected
|
MOD Not Selected
|
HIGH SC-21
|
| ASSESSMENT PROCEDURE
|
| SC-21 |
SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
|
| SC-21.1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (recursive or caching resolver); information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing data origin authentication and integrity verification for resolution services].
|
| SC-21(1) |
SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
|
| SC-21(1).1 |
ASSESSMENT OBJECTIVE:
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (recursive or caching resolver); information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing data origin authentication and integrity verification for resolution services].
|
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-22
|
Architecture and Provisioning for Name/Address Resolution Service
|
P1
|
LOW Not Selected
|
MOD SC-22
|
HIGH SC-22
|
| ASSESSMENT PROCEDURE
|
| SC-22 |
ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
|
| SC-22.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the information systems that collectively provide name/address resolution service for an organization are fault tolerant; and
- (ii) the information systems that collectively provide name/address resolution service for an organization implement internal/external role separation.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing architecture and provisioning for name/address resolution service; access control policy and procedures; information system design documentation; assessment results from independent, testing organizations; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms supporting name/address resolution service for fault tolerance and role separation].
|
SC-23 SESSION AUTHENTICITY
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-23
|
Session Authenticity
|
P1
|
LOW Not Selected
|
MOD SC-23
|
HIGH SC-23
|
| ASSESSMENT PROCEDURE
|
| SC-23 |
SESSION AUTHENTICITY
|
| SC-23.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system provides mechanisms to protect the authenticity of communications sessions.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing session authenticity].
|
| SC-23(1) |
SESSION AUTHENTICITY
|
| SC-23(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system invalidates session identifiers upon user logout or other session termination.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing session identifier invalidation upon session termination].
|
| SC-23(2) |
SESSION AUTHENTICITY
|
| SC-23(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system provides a readily observable logout capability whenever authentication is used to gain access to Web pages.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; information system design documentation; information system configuration settings and associated documentation; information system site designs; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing logout capability for Web pages requiring user authentication].
|
| SC-23(3) |
SESSION AUTHENTICITY
|
| SC-23(3).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the information system generates a unique session identifier for each session; and
- (ii) the information system recognizes only session identifiers that are system-generated.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms generating and monitoring unique session identifiers].
|
| SC-23(4) |
SESSION AUTHENTICITY
|
| SC-23(4).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines requirements for randomly generating unique session identifiers; and
- (ii) the information system generates unique session identifiers in accordance with organization-defined randomness requirements.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms generating unique session identifiers].
|
SC-24 FAIL IN KNOWN STATE
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-24
|
Fail in Known State
|
P1
|
LOW Not Selected
|
MOD Not Selected
|
HIGH SC-24
|
| ASSESSMENT PROCEDURE
|
| SC-24 |
FAIL IN KNOWN STATE
|
| SC-24.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the known-states the information system should fail to in the event of a system failure;
- (ii) the organization defines types of failures for which the information system should fail to an organization-defined known-state;
- (iii) the organization defines the system state information that should be preserved in the event of a system failure;
- (iv) the information system fails to an organization-defined known-state for an organization-defined type of failure; and
- (v) the information system preserves organization-defined system state information in the event of a system failure.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing information system failure; information system design documentation; information system configuration settings and associated documentation; list of failures requiring information system to fail in a known state; state information to be preserved in system failure; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing fail-in-known-state capability].
|
SC-25 THIN NODES
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-25
|
Thin Nodes
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-25 |
THIN NODES
|
| SC-25.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system employs processing components that have minimal functionality and information storage.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of thin nodes; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
|
SC-26 HONEYPOTS
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-26
|
Honeypots
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-26 |
HONEYPOTS
|
| SC-26.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of honeypots; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
|
| SC-26(1) |
HONEYPOTS
|
| SC-26(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system includes components that proactively seek to identify Web-based malicious code.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of honeypots; access control policy and procedures; boundary protection procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms proactively seeking Web-based malicious code].
|
SC-27 OPERATING SYSTEM-INDEPENDENT APPLICATIONS
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-27
|
Operating System-Independent Applications
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-27 |
OPERATING SYSTEM-INDEPENDENT APPLICATIONS
|
| SC-27.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines applications that are operating system-independent; and
- (ii) the information system includes organization-defined operating system-independent applications.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing operating system-independent applications; information system design documentation; information system configuration settings and associated documentation; list of operating system-independent applications; other relevant documents or records].
|
SC-28 PROTECTION OF INFORMATION AT REST
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-28
|
Protection of Information at Rest
|
P1
|
LOW Not Selected
|
MOD SC-28
|
HIGH SC-28
|
| ASSESSMENT PROCEDURE
|
| SC-28 |
PROTECTION OF INFORMATION AT REST
|
| SC-28.1 |
ASSESSMENT OBJECTIVE:
| Determine if the information system protects the confidentiality and integrity of information at rest.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing protection of information at rest; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; list of information at rest requiring confidentiality and integrity protections; other relevant documents or records].
- Test: [SELECT FROM: Automated mechanisms implementing confidentiality and integrity protections for information at-rest].
|
| SC-28(1) |
PROTECTION OF INFORMATION AT REST
|
| SC-28(1).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures; and
- (ii) the organization employs cryptographic mechanisms to prevent unauthorized modification of information at rest unless otherwise protected by alternative physical measures.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing protection of information at rest; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; other relevant documents or records].
- Test: [SELECT FROM: Cryptographic mechanisms implementing confidentiality and integrity protections for information at-rest].
|
SC-29 HETEROGENEITY
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-29
|
Heterogeneity
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-29 |
HETEROGENEITY
|
| SC-29.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs diverse information technologies in the implementation of the information system.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; list of technologies deployed in the information system; acquisition documentation; acquisition contracts for information system components or services; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with information system acquisition, development, and implementation responsibilities].
|
SC-30 VIRTUALIZATION TECHNIQUES
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-30
|
Virtualization Techniques
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-30 |
VIRTUALIZATION TECHNIQUES
|
| SC-30.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of virtualization techniques to be employed for organizational information systems; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing approved virtualization techniques for information systems].
|
| SC-30(1) |
VIRTUALIZATION TECHNIQUES
|
| SC-30(1).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of changes to operating systems and applications through the use of virtualization techniques; and
- (ii) the organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed in accordance with organization-defined frequency.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; configuration management policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system architecture; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing approved virtualization techniques for information systems].
|
| SC-30(2) |
VIRTUALIZATION TECHNIQUES
|
| SC-30(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization employs randomness in the implementation of the virtualization techniques.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing approved virtualization techniques for information systems].
|
SC-31 COVERT CHANNEL ANALYSIS
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-31
|
Covert Channel Analysis
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-31 |
COVERT CHANNEL ANALYSIS
|
| SC-31.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing covert channel analysis; information system design documentation; information system configuration settings and associated documentation; covert channel analysis documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with covert channel analysis responsibilities; information system developers/integrators].
|
| SC-31(1) |
COVERT CHANNEL ANALYSIS
|
| SC-31(1).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization tests a subset of the vendor-identified covert channel avenues to determine if such channels are exploitable.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing covert channel analysis; information system design documentation; information system configuration settings and associated documentation; list of vendor-identified covert channel avenues or exploits; covert channel analysis documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with covert channel analysis responsibilities; information system developers/integrators].
- Test: [SELECT FROM: Covert channel avenues to determine if such channels are exploitable].
|
SC-32 INFORMATION SYSTEM PARTITIONING
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-32
|
Information System Partitioning
|
P0
|
LOW Not Selected
|
MOD SC-32
|
HIGH SC-32
|
| ASSESSMENT PROCEDURE
|
| SC-32 |
INFORMATION SYSTEM PARTITIONING
|
| SC-32.1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of information system physical domains (or environments); information system facility diagrams; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel installing, configuring, and/or maintaining the information system].
|
SC-33 TRANSMISSION PREPARATION INTEGRITY
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-33
|
Transmission Preparation Integrity
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-33 |
TRANSMISSION PREPARATION INTEGRITY
|
| SC-33.1 |
ASSESSMENT OBJECTIVE:
Determine if the information system in preparation for transmission protects the integrity of information during the processes of:
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
- Test: [SELECT FROM: Transmission integrity capability within the information system].
|
SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS
| FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
|
CLASS: TECHNICAL
|
- Security Control Baseline:
| SC-34
|
Non-Modifiable Executable Programs
|
P0
|
LOW Not Selected
|
MOD Not Selected
|
HIGH Not Selected
|
| ASSESSMENT PROCEDURE
|
| SC-34 |
NON-MODIFIABLE EXECUTABLE PROGRAMS
|
| SC-34.1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the applications that are to be loaded and executed from hardware-enforced, read-only media;
- (ii) the organization defines the information system components for which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media; and
- (iii) the information system, at organization-defined information system components, loads and executes:
- the operating environment from hardware-enforced, read-only media; and
- organization-defined applications from hardware-enforced, read-only media.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of operating system components to be loaded from hardware-enforced, read-only media; list of applications to be loaded from hardware-enforced, read-only media; media used to load and execute information system operating environment; media used to load and execute information system applications; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel installing, configuring, and/or maintaining the information system].
|
| SC-34(1) |
NON-MODIFIABLE EXECUTABLE PROGRAMS
|
| SC-34(1).1 |
ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the information system components to be employed with no writeable storage; and
- (ii) the organization employs organization-defined information system components with no writeable storage that are persistent across component restart or power on/off.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of information system components to be employed without writeable storage capability; other relevant documents or records].
|
| SC-34(2) |
NON-MODIFIABLE EXECUTABLE PROGRAMS
|
| SC-34(2).1 |
ASSESSMENT OBJECTIVE:
| Determine if the organization protects the integrity of the information on read-only media.
|
- POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and communications protection policy; procedures addressing protection of information on read-only media; information system design documentation; information system configuration settings and associated documentation; information system architecture; other relevant documents or records].
- Test: [SELECT FROM: Organizational capability for protecting information integrity on read-only media].
|
Source
