Doc:NIST SP 800-53Ar1 FPD Appendix F

From FISMApedia

APPENDIX F

ASSESSMENT PROCEDURE CATALOG

OBJECTIVES, METHODS, AND OBJECTS FOR ASSESSING SECURITY CONTROLS

This appendix provides a catalog of procedures to assess the security controls and control enhancements in Special Publication 800-53.[1] Assessors select assessment procedures from the catalog in accordance with the guidance provided in Section 3.2. Since the contents of the security plan affect the development of the security assessment plan and the assessment, there will likely be assessment procedures in the catalog that assessors will not use because: (i) the associated security controls or control enhancements are not contained in the security plan for the information system;[2] or (ii) the security controls or control enhancements are not being assessed at this particular time (e.g., during an assessment of a subset of the controls as part of continuous monitoring activities).

The same assessment object may appear in multiple object lists in a variety of assessment procedures. The same object may be used in multiple contexts to obtain needed information or evidence for a particular aspect of an assessment. Assessors use the general references as appropriate to obtain the necessary information to make the specified determinations required by the assessment objective. For example, a reference to access control policy appears in the assessment procedures for AC-2 and AC-7. For assessment procedure AC-2, assessors use the access control policy to find information about that portion of the policy that addresses account management for the information system. For assessment procedure AC-7, assessors use the access control policy to find information about that portion of the policy that addresses unsuccessful login attempts for the information system.

Assessors are responsible for combining and consolidating the assessment procedures whenever possible or practical. Optimizing assessment procedures can save time, reduce assessment costs, and maximize the usefulness of assessment results. Assessors optimize assessment procedures by determining the best sequencing of the procedures. The assessment of some security controls before others may provide information that facilitates understanding and assessment of other controls.


Implementation Tips

TIP #1: Select only those assessment procedures from Appendix F that correspond to the security controls and control enhancements in the approved security plan and that are to be included in the assessment.

TIP #2: The assessment procedures selected from Appendix F are simply exemplary procedures. These procedures are reviewed and appropriately tailored and supplemented as necessary, in accordance with the guidance in Section 3.2 to adapt the procedures to specific organizational requirements and operating environments.

TIP #3: With respect to the assessment procedures in Appendix F, assessors need apply only those procedures, methods, and objects necessary for making a final determination that a particular security control objective is satisfied or not satisfied (see Section 3.3).

TIP #4: For each method, assessors apply the suggested values for depth and coverage that are commensurate with the characteristics of the information system and the specifics of the determination to be made. The depth and coverage values selected indicate how much effort is applied to the assessment (i.e., the rigor and scope of the assessment activities).

TIP #5: Assessors may find useful assessment-related information in the Supplemental Guidance section of each security control described in Special Publication 800-53. This information can be used to carry out more effective assessments with regard to the application of assessment procedures.

Note: When assessing agency compliance with NIST guidance, auditors, Inspectors General, evaluators, and/or assessors consider the intent of the security concepts and principles articulated within the particular guidance document and how the agency applied the guidance in the context of its specific mission responsibilities, operational environments, and unique organizational conditions.


REMINDER

Whereas a set of potential assessment methods has been included in the following catalog of assessment procedures, these are not intended to be mandatory or exclusive and, depending on the particular circumstances of the information system to be assessed, not all methods may be required and other assessment methods may also be used. In addition, the potential assessment objects listed are not intended to be a mandatory set, but rather a set from which the necessary and sufficient set of objects for a given assessment can be selected to make the appropriate determinations. For specific recommendations regarding current best practices for security control assessments, organizations can consult the assessment case development project described in Appendix H and the assessment cases listed on the NIST web site.


ACCESS CONTROL


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
AC-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents access control policy;
(ii) the organization access control policy addresses:
(iii) the organization disseminates formal documented access control policy to elements within the organization having associated access control roles and responsibilities;
(iv) the organization develops and formally documents access control procedures;
(v) the organization access control procedures facilitate implementation of the access control policy and associated access controls; and
(vi) the organization disseminates formal documented access control procedures to elements within the organization having associated access control roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with access control responsibilities].
AC-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of access control policy reviews/updates;
(ii) the organization reviews/updates access control policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of access control procedure reviews/updates; and
(iv) the organization reviews/updates access control procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with access control responsibilities].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-2 ACCOUNT MANAGEMENT
AC-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages information system accounts, including:
  • identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
  • establishing conditions for group membership;
  • identifying authorized users of the information system and specifying access privileges;
  • requiring appropriate approvals for requests to establish accounts;
  • establishing, activating, modifying, disabling, and removing accounts;
  • specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
  • notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
  • deactivating: i) temporary accounts that are no longer required; and ii) accounts of terminated or transferred users; and
  • granting access to the system based on:
    • a valid access authorization;
    • intended system usage; and
    • other attributes as required by the organization or associated missions/business functions; and
(ii) the organization defines the frequency of information system account reviews; and
(iii) the organization reviews information system accounts in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing account management; security plan; list of active system accounts along with the name of the individual associated with each account; list of guest/anonymous and temporary accounts along with the name of the individual associated with each account and the date the account expires; lists of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; system-generated records with user IDs and last login date; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with account management responsibilities].



AC-2(1) ACCOUNT MANAGEMENT
AC-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to support information system account management functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing account management functions].


AC-2(2) ACCOUNT MANAGEMENT
AC-2(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines a time period for each type of account after which the information system terminates temporary and emergency accounts; and
(ii) the information system automatically terminates temporary and emergency accounts after organization-defined time period for each type of account.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of active accounts; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing account management functions].


AC-2(3) ACCOUNT MANAGEMENT
AC-2(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines a time period after which the information system disables inactive accounts; and
(ii) the information system automatically disables inactive accounts after organization-defined time period.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of last login dates; information system-generated list of active accounts; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing account management functions].
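
Worked example for the Test method of AC-2(2) and AC-2(3), added here for illustration; it is not part of SP 800-53A and not any agency's tool. It takes the two pieces of evidence the Examine lists call for (the system-generated list of active accounts and the list of last login dates), applies organization-defined periods, and reports accounts the system should already have terminated or disabled. The account data, the dates and the 30-day, 1-day and 90-day periods are constructed for the example; an assessor substitutes the real exports and the values from the security plan.

```python
"""Evidence check for AC-2(2) and AC-2(3): given the system-generated list of
active accounts and last-login dates that an assessor collects, report the
accounts the system should already have terminated (temporary/emergency
accounts past their period) or disabled (inactive past the threshold)."""
from datetime import date, timedelta

# Organization-defined values, assumed for this example; an assessor takes the
# real ones from the security plan.
TERMINATION_PERIOD = {"temporary": timedelta(days=30), "emergency": timedelta(days=1)}
INACTIVITY_PERIOD = timedelta(days=90)

# Constructed sample evidence (not real exports).
ACTIVE_ACCOUNTS = [
    {"user": "jdoe",     "type": "individual", "created": date(2011, 1, 10)},
    {"user": "tmp-ctr1", "type": "temporary",  "created": date(2011, 2, 1)},
    {"user": "tmp-ctr2", "type": "temporary",  "created": date(2011, 5, 20)},
    {"user": "emerg-01", "type": "emergency",  "created": date(2011, 5, 29)},
    {"user": "svc-bkup", "type": "system",     "created": date(2010, 6, 1)},
]
LAST_LOGIN = {
    "jdoe": date(2011, 5, 30),
    "tmp-ctr1": date(2011, 2, 3),
    "tmp-ctr2": date(2011, 5, 25),
    "emerg-01": date(2011, 5, 29),
    # svc-bkup has never logged in, so it is absent from the export
}

def overdue_terminations(accounts, today, periods=TERMINATION_PERIOD):
    """AC-2(2): temporary/emergency accounts still active past their period."""
    return [a["user"] for a in accounts
            if a["type"] in periods and today - a["created"] > periods[a["type"]]]

def overdue_disables(accounts, last_login, today, inactivity=INACTIVITY_PERIOD):
    """AC-2(3): active accounts with no login inside the inactivity period.
    An account that has never logged in is measured from its creation date,
    otherwise a never-used account would escape the check."""
    return [a["user"] for a in accounts
            if today - last_login.get(a["user"], a["created"]) > inactivity]

def run_checks(today=date(2011, 6, 1)):
    """Both findings as an assessor would record them; 'today' is fixed so the
    constructed sample is reproducible."""
    return {
        "AC-2(2) not terminated": overdue_terminations(ACTIVE_ACCOUNTS, today),
        "AC-2(3) not disabled": overdue_disables(ACTIVE_ACCOUNTS, LAST_LOGIN, today),
    }

if __name__ == "__main__":
    for objective, users in run_checks().items():
        print(objective, users)
```

A non-empty list is evidence that the automated mechanism did not act, not yet a finding: the assessor reconciles each flagged account against the audit records (was it manually re-enabled, is the export stale) before recording the determination. An empty list over a small sample does not by itself show the mechanism works; pairing it with a deliberately created temporary account that is watched past its period is the stronger test.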


AC-2(4) ACCOUNT MANAGEMENT
AC-2(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system automatically audits:
  • account creation;
  • modification;
  • disabling; and
  • termination actions; and
(ii) the information system notifies, as required, appropriate individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing account management functions].


AC-2(5) ACCOUNT MANAGEMENT
AC-2(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period of expected inactivity and/or description of when users log out;
(ii) the organization requires that users log out in accordance with the organization-defined time-period of inactivity and/or description of when to log out;
(iii) the organization determines normal time-of-day and duration usage for information system accounts;
(iv) the organization monitors for atypical usage of information system accounts; and
(v) the organization reports atypical usage to designated organizational officials.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; security violation reports; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with account management responsibilities].
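
Worked example for determinations (iii) through (v) of AC-2(5), added here for illustration and not part of SP 800-53A or any agency's monitoring system. It derives each account's normal login hours and session length from audit records in a baseline window, then flags sessions in a review window that fall outside that profile, which is what an assessor expects the organization's monitoring to produce before anything is reported to the designated official. The session records, account names, the one-hour slack and the 1.5x duration factor are all constructed assumptions for the example.

```python
"""AC-2(5) check: determine normal time-of-day and duration usage per account
from a baseline window of audit records, then flag atypical sessions in a
review window for reporting."""
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed audit records: (account, login, logout) in local time. The
# baseline window is the period the organization used to determine normal
# usage; the review window is the period being monitored.
BASELINE = [
    ("jdoe", "2011-04-04 08:05", "2011-04-04 17:10"),
    ("jdoe", "2011-04-05 08:15", "2011-04-05 16:55"),
    ("jdoe", "2011-04-06 07:58", "2011-04-06 17:20"),
    ("jdoe", "2011-04-07 09:02", "2011-04-07 17:00"),
    ("svc-bkup", "2011-04-04 23:00", "2011-04-05 00:30"),
    ("svc-bkup", "2011-04-05 23:00", "2011-04-06 00:35"),
]
REVIEW = [
    ("jdoe", "2011-05-02 08:20", "2011-05-02 17:05"),      # normal
    ("jdoe", "2011-05-07 02:14", "2011-05-07 02:40"),      # 2 a.m. login
    ("svc-bkup", "2011-05-02 23:00", "2011-05-03 00:31"),  # normal
    ("svc-bkup", "2011-05-03 23:00", "2011-05-04 09:00"),  # ten-hour run
    ("ghost", "2011-05-04 12:00", "2011-05-04 12:30"),     # no baseline at all
]

def _parse(records):
    for user, start, end in records:
        s, e = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
        yield user, s, (e - s).total_seconds() / 3600.0

def build_profile(records):
    """Normal usage per account: login hours seen and longest session (hours)."""
    hours, longest = defaultdict(set), defaultdict(float)
    for user, start, dur in _parse(records):
        hours[user].add(start.hour)
        longest[user] = max(longest[user], dur)
    return {u: (hours[u], longest[u]) for u in hours}

def atypical_sessions(profile, records, hour_slack=1, duration_factor=1.5):
    """Sessions whose login hour or length fall outside the account's profile.
    Hours are compared modulo 24 so a 23:00 profile also covers 00:00.
    An account with no baseline at all is reported rather than silently passed."""
    findings = []
    for user, start, dur in _parse(records):
        if user not in profile:
            findings.append((user, start.strftime(FMT), "no usage baseline"))
            continue
        hours, longest = profile[user]
        allowed = {(h + d) % 24 for h in hours
                   for d in range(-hour_slack, hour_slack + 1)}
        if start.hour not in allowed:
            findings.append((user, start.strftime(FMT), "login outside normal hours"))
        elif dur > duration_factor * longest:
            findings.append((user, start.strftime(FMT), "session longer than normal"))
    return findings

def review_findings():
    return atypical_sessions(build_profile(BASELINE), REVIEW)

if __name__ == "__main__":
    for user, when, why in review_findings():
        print(f"{user} {when}: {why}")
```

The baseline must come from a window the organization has already vetted; profiling from the same records being reviewed lets an established pattern of misuse define "normal". The assessor's Examine of security violation reports then checks that findings like these actually reached the designated officials.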


AC-2(6) ACCOUNT MANAGEMENT
AC-2(6).1 ASSESSMENT OBJECTIVE:
Determine if the information system dynamically manages user privileges and associated access authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with account management responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing account management functions].


AC-2(7) ACCOUNT MANAGEMENT
AC-2(7).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and
(ii) the organization tracks and monitors privileged role assignments.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system-generated list of privileged user accounts and associated role; information system audit records; audit tracking and monitoring reports; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with account management responsibilities].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-3 ACCESS ENFORCEMENT
AC-3.1 ASSESSMENT OBJECTIVE:
Determine if the information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information system configuration settings and associated documentation; list of approved authorizations (user privileges); information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy].


AC-3(1) ACCESS ENFORCEMENT
[Withdrawn: Incorporated into AC-6].


AC-3(2) ACCESS ENFORCEMENT
AC-3(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines, in organizational policies and procedures, the privileged commands for which dual authorization is to be enforced; and
(ii) the information system enforces dual authorization based on organizational policies and procedures for organization-defined privileged commands.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement and dual authorization; security plan; information system design documentation; information system configuration settings and associated documentation; list of privileged commands requiring dual authorization; list of approved authorizations (user privileges); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].
Test: [SELECT FROM: Dual authorization mechanisms implementing access control policy].


AC-3(3) ACCESS ENFORCEMENT
AC-3(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the users and resources over which the information system is to enforce nondiscretionary access control policies;
(ii) the organization defines nondiscretionary access control policies to be enforced over the organization-defined set of users and resources, where the rule set for each policy specifies:
(iii) the information system enforces organization-defined nondiscretionary access control policies over the organization-defined set of users and resources.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; nondiscretionary access control policies; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; list of users and resources requiring enforcement of nondiscretionary access control policies; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing nondiscretionary access control policy].


AC-3(4) ACCESS ENFORCEMENT
AC-3(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system enforces a Discretionary Access Control (DAC) policy that:
  • allows users to specify and control sharing by named individuals or groups of individuals, or by both;
  • limits propagation of access rights; and
  • includes or excludes access to the granularity of a single user.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; discretionary access control policy; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing discretionary access control policy].
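
Worked example of the three properties listed for AC-3(4), added here for illustration; it is not part of SP 800-53A and not any operating system's ACL implementation. The owner shares by named user or group, a recipient can pass rights on only when explicitly given a share right and never beyond what they hold (the share right itself does not propagate), and the owner can exclude a single user even when that user's group is granted. Group membership, object names and the right names are assumptions for the example.

```python
"""Discretionary access control (AC-3(4)) worked example: named-user and
group sharing, limited propagation of rights, and single-user exclusion."""

GROUPS = {"analysts": {"bob", "carol", "dave"}}   # assumed group membership

class Acl:
    def __init__(self, owner):
        self.owner = owner
        self.allow = {}      # principal (user or group) -> set of rights
        self.deny = set()    # users excluded regardless of group grants

    def _rights(self, subject):
        """Rights held directly plus rights inherited from group grants."""
        rights = set(self.allow.get(subject, set()))
        for group, members in GROUPS.items():
            if subject in members:
                rights |= self.allow.get(group, set())
        return rights

    def can(self, subject, right):
        if subject == self.owner:
            return True
        if subject in self.deny:          # single-user exclusion wins
            return False
        return right in self._rights(subject)

    def grant(self, granter, principal, rights):
        """The owner may grant anything. Anyone else must hold 'share' and may
        pass on only rights they hold, excluding 'share' itself, so a grant
        chain stops one hop from the owner (limits propagation)."""
        if granter != self.owner:
            if not self.can(granter, "share"):
                return False
            if not set(rights) <= self._rights(granter) - {"share"}:
                return False
        self.allow.setdefault(principal, set()).update(rights)
        return True

    def exclude(self, actor, user):
        """Only the owner can exclude a single user."""
        if actor != self.owner:
            return False
        self.deny.add(user)
        return True

def scenario():
    """The sequence an assessor would walk through on a test object."""
    acl = Acl("alice")
    acl.grant("alice", "analysts", {"read"})              # group sharing
    acl.grant("alice", "bob", {"read", "write", "share"}) # named user + share
    acl.grant("bob", "eve", {"read"})                     # one hop allowed
    acl.exclude("alice", "dave")                          # single-user exclusion
    return acl

if __name__ == "__main__":
    acl = scenario()
    print("carol read:", acl.can("carol", "read"), "dave read:", acl.can("dave", "read"))
    print("bob -> eve share:", acl.grant("bob", "eve", {"share"}))
    print("eve -> frank read:", acl.grant("eve", "frank", {"read"}))
```

On a real system the equivalent test is to create a test object, perform exactly these grants and exclusions through the normal interface, then attempt each access as the affected users and compare observed outcomes with the policy.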


AC-3(5) ACCESS ENFORCEMENT
AC-3(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security-relevant information to which the information system prevents access except during secure, nonoperable system states; and
(ii) the information system prevents access to organization-defined security-relevant information except during secure, nonoperable system states.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].
Test: [SELECT FROM: Automated mechanisms preventing access to security-relevant information within the information system].


AC-3(6) ACCESS ENFORCEMENT
AC-3(6).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the user and/or system information to be encrypted or stored off-line in a secure location; and
(ii) the organization encrypts, or stores off-line in a secure location, organization-defined user and/or system information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing access enforcement functions].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-4 INFORMATION FLOW ENFORCEMENT
AC-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines applicable policy for controlling the flow of information within the system and between interconnected systems;
(ii) the organization defines approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy; and
(iii) the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system baseline configuration; list of information flow authorizations; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(1) INFORMATION FLOW ENFORCEMENT
AC-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].
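
Worked example for AC-4.1 (enforcing approved flow authorizations) and AC-4(1) (deciding flows from explicit security attributes), added here for illustration; it is not part of SP 800-53A and not any guard or firewall product's logic. A label is a sensitivity level plus a set of compartments; a flow is permitted only when the source/destination pair appears in the list of information flow authorizations, the source's label dominates the information's label (an attribute-binding sanity check), and the destination's label dominates the information's label. The levels, compartments, object labels and authorized channels are constructed for the example.

```python
"""AC-4 / AC-4(1): information flow decisions from explicit security
attributes on the information, the source and the destination, plus the
organization's list of approved flow authorizations."""

LEVELS = {"unclassified": 0, "sensitive": 1, "restricted": 2}   # assumed lattice

def dominates(holder, info):
    """True if label 'holder' can hold information labeled 'info':
    at least the same level and a superset of the compartments."""
    return (LEVELS[holder[0]] >= LEVELS[info[0]]
            and set(info[1]) <= set(holder[1]))

# Constructed security attributes for source and destination objects.
OBJECTS = {
    "hr-db":      ("restricted", {"HR"}),
    "finance-db": ("restricted", {"FIN"}),
    "intranet":   ("sensitive", set()),
    "public-web": ("unclassified", set()),
}
# Constructed list of information flow authorizations (source, destination).
AUTHORIZED_CHANNELS = {
    ("hr-db", "intranet"),
    ("finance-db", "intranet"),
    ("intranet", "public-web"),
}

def decide(info_label, source, destination):
    """Return (allowed, reason) for moving information with info_label from
    source to destination. Checks are ordered so the first failure names the
    control that would be cited in a finding."""
    if (source, destination) not in AUTHORIZED_CHANNELS:
        return False, "no approved flow authorization for this source/destination"
    if not dominates(OBJECTS[source], info_label):
        return False, "source label does not dominate the information label"
    if not dominates(OBJECTS[destination], info_label):
        return False, "destination label does not dominate the information label"
    return True, "flow permitted"

if __name__ == "__main__":
    cases = [
        (("sensitive", set()), "hr-db", "intranet"),
        (("restricted", {"HR"}), "hr-db", "intranet"),
        (("unclassified", set()), "hr-db", "public-web"),
        (("restricted", {"FIN"}), "hr-db", "intranet"),
    ]
    for label, src, dst in cases:
        print(label, src, "->", dst, decide(label, src, dst))
```

The second check is what distinguishes attribute-based enforcement from a plain channel list: information claiming a label its source could never hold indicates a broken or forged attribute binding, and the flow is refused rather than trusted. A test of a real mechanism submits one case per rule, including the denial cases, and compares each result with this matrix.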


AC-4(2) INFORMATION FLOW ENFORCEMENT
AC-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system enforces information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(3) INFORMATION FLOW ENFORCEMENT
AC-4(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines policy that allows or disallows information flows based on changing conditions or operational considerations; and
(ii) the information system enforces dynamic information flow control based on policy that allows or disallows information flows based on changing conditions or operational considerations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(4) INFORMATION FLOW ENFORCEMENT
AC-4(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system prevents encrypted data from bypassing content-checking mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(5) INFORMATION FLOW ENFORCEMENT
AC-4(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the limitations on the embedding of data types with other data types; and
(ii) the information system enforces organization-defined limitations on the embedding of data types within other data types.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(6) INFORMATION FLOW ENFORCEMENT
AC-4(6).1 ASSESSMENT OBJECTIVE:
Determine if the information system enforces information flow control on metadata.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(7) INFORMATION FLOW ENFORCEMENT
AC-4(7).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the one-way information flows to be enforced by the information system; and
(ii) the information system enforces organization-defined one-way information flows using hardware mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Hardware mechanisms implementing information flow enforcement policy].


AC-4(8) INFORMATION FLOW ENFORCEMENT
AC-4(8).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security policy filters to be enforced by the information system; and
(ii) the information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filters; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(9) INFORMATION FLOW ENFORCEMENT
AC-4(9).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security policy filters that the information system enforces for the use of human review; and
(ii) the information system enforces the use of human review for the organization-defined security policy filters, when the system is not capable of making an information flow control decision.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for making information flow control decisions when the information system is not capable of doing so].


AC-4(10) INFORMATION FLOW ENFORCEMENT
AC-4(10).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security policy filters that privileged administrators have the capability to enable/disable; and
(ii) the information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for enabling/disabling security policy filters].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(11) INFORMATION FLOW ENFORCEMENT
AC-4(11).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security policy filters that privileged administrators have the capability to configure; and
(ii) the information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for configuring security policy filters].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(12) INFORMATION FLOW ENFORCEMENT
AC-4(12).1 ASSESSMENT OBJECTIVE:
Determine if the information system, when transferring information between different security domains, identifies information flows by data type specification and usage.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(13) INFORMATION FLOW ENFORCEMENT
AC-4(13).1 ASSESSMENT OBJECTIVE:
Determine if the information system, when transferring information between different security domains, decomposes information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(14) INFORMATION FLOW ENFORCEMENT
AC-4(14).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security policy requirements for constraining data structure and content; and
(ii) the information system, when transferring information between different security domains, implements policy filters that constrain data structure and content in accordance with organization-defined information security policy requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of policy filters; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(15) INFORMATION FLOW ENFORCEMENT
AC-4(15).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system, when transferring information between different security domains, detects unsanctioned information; and
(ii) the information system prohibits the transfer of unsanctioned information in accordance with the security policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(16) INFORMATION FLOW ENFORCEMENT
AC-4(16).1 ASSESSMENT OBJECTIVE:
Determine if the information system enforces security policies regarding information on interconnected systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


AC-4(17) INFORMATION FLOW ENFORCEMENT
AC-4(17).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system uniquely identifies source domains for information transfer;
(ii) the information system uniquely authenticates source domains for information transfer;
(iii) the information system uniquely identifies destination domains for information transfer;
(iv) the information system uniquely authenticates destination domains for information transfer;
(v) the information system binds security attributes to information to facilitate information flow policy enforcement;
(vi) the information system tracks problems associated with the security attribute binding; and
(vii) the information system tracks problems associated with the information transfer.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; procedures addressing source and destination domain identification and authentication, and information transfer error handling; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-5 SEPARATION OF DUTIES
AC-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization separates duties of individuals as necessary to prevent malevolent activity without collusion;
(ii) the organization documents separation of duties; and
(iii) the organization implements separation of duties through assigned information system access authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing divisions of responsibility and separation of duties; information system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties].
Test: [SELECT FROM: Automated mechanisms implementing separation of duties policy].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-6 LEAST PRIVILEGE
AC-6.1 ASSESSMENT OBJECTIVE:
Determine if the organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of assigned access authorizations (user privileges); information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].



AC-6(1) LEAST PRIVILEGE
AC-6(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized; and
(ii) the organization explicitly authorizes access to the organization-defined security functions and security-relevant information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of security functions and security-relevant information for which access must be explicitly authorized; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].


AC-6(2) LEAST PRIVILEGE
AC-6(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security functions or security-relevant information to which users of information system accounts, or roles, have access; and
(ii) the organization requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other system functions; and
(iii) the organization, if deemed feasible, audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated security functions or security-relevant information assigned to information system accounts or roles; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].


AC-6(3) LEAST PRIVILEGE
AC-6(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the privileged commands to which network access is to be authorized only for compelling operational needs;
(ii) the organization authorizes network access to organization-defined privileged commands only for compelling operational needs; and
(iii) the organization documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].


AC-6(4) LEAST PRIVILEGE
AC-6(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides separate processing domains to enable finer-grained allocation of user privileges.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].


AC-6(5) LEAST PRIVILEGE
AC-6(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization limits authorization to super user accounts on the information system to designated system administration personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated super user accounts; list of system administration personnel; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].


AC-6(6) LEAST PRIVILEGE
AC-6(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization prohibits privileged access to the information system by non-organizational users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated privileged accounts; list of non-organizational users; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-7 UNSUCCESSFUL LOGIN ATTEMPTS
AC-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the maximum number of consecutive invalid login attempts to the information system by a user and the time period in which the consecutive invalid attempts occur;
(ii) the information system enforces the organization-defined limit of consecutive invalid login attempts by a user during the organization-defined time period;
(iii) the organization defines action to be taken by the system when the maximum number of unsuccessful login attempts is exceeded as:
  • lock out the account/node for a specified time period;
  • lock out the account/node until released by an administrator; or
  • delay the next login prompt according to an organization-defined delay algorithm;
(iv) the information system either automatically locks the account/node for the organization-defined time period, locks the account/node until released by an administrator, or delays next login prompt for the organization-defined delay period when the maximum number of unsuccessful login attempts is exceeded; and
(v) the information system performs the organization-defined actions when the maximum number of unsuccessful login attempts is exceeded regardless of whether the login occurs via a local or network connection.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful login attempts; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for unsuccessful login attempts].
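The AC-7.1 determinations above describe a testable policy: a limit of consecutive invalid attempts within an organization-defined window, one of three actions once that limit is reached, and identical handling for local and network logins. As an added example that is not part of NIST SP 800-53A or of any product, the following reference model implements that policy so an assessor can replay observed login events through it and compare a system's behaviour with what the control requires; the class and parameter names and the doubling delay algorithm are assumptions chosen for illustration.

```python
"""Reference model of an AC-7 unsuccessful-login-attempt policy (added example;
names and the delay algorithm are assumptions, not NIST-specified)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The three organization-selectable actions from AC-7.1(iii).
LOCK_FOR_PERIOD = "lock_for_period"
LOCK_UNTIL_RELEASED = "lock_until_released"
DELAY_NEXT_PROMPT = "delay_next_prompt"


@dataclass
class LockoutPolicy:
    max_attempts: int                 # organization-defined consecutive invalid attempts
    window_seconds: float             # organization-defined period in which they must occur
    action: str                       # one of the three actions above
    lock_seconds: float = 0.0         # lockout duration for LOCK_FOR_PERIOD
    base_delay_seconds: float = 0.0   # first delay for DELAY_NEXT_PROMPT; doubles per extra failure (assumed)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of consecutive failures
    locked_until: Optional[float] = None   # None = unlocked; inf = locked until admin release
    delay_until: float = 0.0               # next prompt not offered before this time
    excess_failures: int = 0               # failures at/after the limit, drives delay growth


class LoginGuard:
    """Tracks per-account failures and applies the policy's action."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def can_attempt(self, account: str, now: float) -> bool:
        """True if a login prompt may be offered to this account at time `now`."""
        st = self._state(account)
        if st.locked_until is not None and now < st.locked_until:
            return False
        return now >= st.delay_until

    def record_failure(self, account: str, now: float, channel: str = "network") -> str:
        """Record an invalid attempt. `channel` (local/network) is accepted only so the
        caller can log it; it is never consulted, so AC-7.1(v) holds by construction."""
        st = self._state(account)
        if not self.can_attempt(account, now):
            return "rejected"          # refused while locked or delayed
        p = self.policy
        # Drop failures that fall outside the organization-defined window.
        st.failures = [t for t in st.failures if now - t <= p.window_seconds]
        st.failures.append(now)
        if len(st.failures) < p.max_attempts:
            return "counted"
        # Limit reached: this model acts on the Nth consecutive failure; adjust if the
        # organization reads "exceeded" as the (N+1)th.
        if p.action == LOCK_FOR_PERIOD:
            st.locked_until = now + p.lock_seconds
        elif p.action == LOCK_UNTIL_RELEASED:
            st.locked_until = float("inf")
        elif p.action == DELAY_NEXT_PROMPT:
            st.delay_until = now + p.base_delay_seconds * (2 ** st.excess_failures)
            st.excess_failures += 1
        else:
            raise ValueError(f"unknown action {p.action!r}")
        return p.action

    def record_success(self, account: str, now: float) -> bool:
        """A successful authentication clears the consecutive-failure counter.
        Returns False if the account is locked or delayed (no login is possible)."""
        if not self.can_attempt(account, now):
            return False
        st = self._state(account)
        st.failures.clear()
        st.excess_failures = 0
        return True

    def admin_release(self, account: str) -> None:
        """Administrator releases the lock (the only exit from LOCK_UNTIL_RELEASED)."""
        st = self._state(account)
        st.locked_until = None
        st.delay_until = 0.0
        st.failures.clear()
        st.excess_failures = 0
```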


AC-7(1) UNSUCCESSFUL LOGIN ATTEMPTS
AC-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful login attempts is exceeded.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful login attempts; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for unsuccessful login attempts].


AC-7(2) UNSUCCESSFUL LOGIN ATTEMPTS
AC-7(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the number of consecutive, unsuccessful login attempts allowed for accessing a mobile device before the information system purges information from the device; and
(ii) the information system provides protection for mobile devices accessed via login by purging information from such devices after the organization-defined number of consecutive, unsuccessful login attempts to the device is exceeded.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful login attempts on mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for unsuccessful login attempts].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-8 SYSTEM USE NOTIFICATION
AC-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization approves the information system use notification message or banner to be displayed by the information system before granting access to the system;
(ii) the information system displays the approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
  • users are accessing a U.S. Government information system;
  • system usage may be monitored, recorded, and subject to audit;
  • unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
  • use of the system indicates consent to monitoring and recording; and
(iii) the information system retains the notification message or banner on the screen until the user takes explicit actions to log on to or further access the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system notification messages; information system configuration settings and associated documentation; information system audit records for user acceptance of notification message or banner; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for system use notification].
AC-8.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system (for publicly accessible systems) displays the system use information when appropriate, before granting further access;
(ii) the information system (for publicly accessible systems) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
(iii) the information system (for publicly accessible systems) includes in the notice given to public users of the information system, a description of the authorized uses of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system notification messages; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for system use notification].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION
AC-9.1 ASSESSMENT OBJECTIVE:
Determine if the information system, upon successful user logon (access), displays to the user the date and time of the last logon (access).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing previous logon notification; information system configuration settings and associated documentation; information system notification messages; information system design documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for previous logon notification].


AC-9(1) PREVIOUS LOGON (ACCESS) NOTIFICATION
AC-9(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system, upon successful user logon/access, displays to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for previous logon notification].


AC-9(2) PREVIOUS LOGON (ACCESS) NOTIFICATION
AC-9(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period over which successful logins/accesses and/or unsuccessful login/access attempts are counted; and
(ii) the information system notifies the user of the number of successful logins/accesses and/or unsuccessful login/access attempts that occur during the organization-defined time period.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for previous logon notification].


AC-9(3) PREVIOUS LOGON (ACCESS) NOTIFICATION
AC-9(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period over which security-related changes to the user's account are to be reported to the user; and
(ii) the information system notifies the user of the organization-defined security-related changes to the user's account that occur during the organization-defined time period.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for previous logon notification].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-10 CONCURRENT SESSION CONTROL
AC-10.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the maximum number of concurrent sessions to be allowed for each system account; and
(ii) the information system limits the number of concurrent sessions for each system account to the organization-defined number of sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing concurrent session control; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for concurrent session control].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-11 SESSION LOCK
AC-11.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period of user inactivity after which the information system initiates a session lock;
(ii) the information system initiates a session lock after the organization-defined time period of inactivity or upon receiving a request from a user; and
(iii) the information system retains the session lock until the user reestablishes access using established identification and authentication procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing session lock; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for session lock].


AC-11(1) SESSION LOCK
AC-11(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system session lock mechanism, when activated on a device with a display screen, places a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing session lock; display screen with session lock activated; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system session lock mechanisms].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-12 SESSION TERMINATION

[Withdrawn: Incorporated into SC-10].

AC-12.1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into SC-10].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into SC-10].




FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-13 SUPERVISION AND REVIEW — ACCESS CONTROL

[Withdrawn: Incorporated into AC-2 and AU-6].

AC-13.1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into AC-2 and AU-6].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into AC-2 and AU-6].




FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies specific user actions that can be performed on the information system without identification or authentication; and
(ii) the organization documents, in the security plan for the information system, the user actions not requiring identification and authentication, together with supporting rationale.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; security plan; list of information system actions that can be performed without identification and authentication; information system audit records; other relevant documents or records].



AC-14(1) PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-14(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; security plan; list of information system actions that can be performed without identification and authentication; information system audit records; other relevant documents or records].




FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-15 AUTOMATED MARKING

[Withdrawn: Incorporated into MP-3].

AC-15.1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into MP-3].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into MP-3].




FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-16 SECURITY ATTRIBUTES
AC-16.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security attributes the information system binds to information; and
(ii) the information system supports and maintains the binding of the organization-defined security attributes to information in storage, in process, and in transmission.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the binding of security attributes to information in storage, in process, and in transmission; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms supporting and maintaining the binding of security attributes to information in storage, in process, and in transmission].


AC-16(1) SECURITY ATTRIBUTES
AC-16(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system dynamically reconfigures security attributes in accordance with an identified security policy as information is created and combined.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the dynamic reconfiguration of security attributes; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the dynamic reconfiguration of security attributes to information].


AC-16(2) SECURITY ATTRIBUTES
AC-16(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies the entities authorized to change security attributes; and
(ii) the information system allows authorized entities to change security attributes.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the change of security attributes; information system design documentation; information system configuration settings and associated documentation; list of entities authorized to change security attributes; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for changing security attributes].
Test: [SELECT FROM: Automated mechanisms allowing the change of security attributes].


AC-16(3) SECURITY ATTRIBUTES
AC-16(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system maintains the binding of security attributes to information with sufficient assurance that the information-attribute association can be used as the basis for automated policy actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the binding of security attributes to information; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms maintaining the binding of security attributes to information].


AC-16(4) SECURITY ATTRIBUTES
AC-16(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies users authorized to associate security attributes with information; and
(ii) the information system allows authorized users to associate security attributes with information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the association of security attributes to information; information system design documentation; information system configuration settings and associated documentation; list of users authorized to associate security attributes with information; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for associating security attributes with information].
Test: [SELECT FROM: Automated mechanisms allowing users to associate security attributes with information].


AC-16(5) SECURITY ATTRIBUTES
AC-16(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the set of special dissemination, handling, or distribution instructions to be used for each object output from the information system;
(ii) the organization defines standard naming conventions for the security attributes to be displayed in human-readable form on each object output from the system to system output devices; and
(iii) the information system displays security attributes in human-readable form on each object output from the system to system output devices to identify the organization-defined set of special dissemination, handling, or distribution instructions, using the organization-defined human-readable standard naming conventions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing display of security attributes in human-readable form; special instructions for the dissemination, handling, or distribution of object output from the information system; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: System output devices displaying security attributes in human-readable form on each object].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-17 REMOTE ACCESS
AC-17.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization documents allowed methods of remote access to the information system;
(ii) the organization establishes usage restrictions and implementation guidance for each allowed remote access method;
(iii) the organization monitors for unauthorized remote access to the information system;
(iv) the organization authorizes remote access to the information system prior to connection; and
(v) the organization enforces requirements for remote connections to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with remote access authorization, monitoring, and control responsibilities].
Test: [SELECT FROM: Remote access methods for the information system].


AC-17(1) REMOTE ACCESS
AC-17(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for remote access].


AC-17(2) REMOTE ACCESS
AC-17(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing cryptographic protections for remote access].


AC-17(3) REMOTE ACCESS
AC-17(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines a limited number of managed access control points for remote access to the information system; and
(ii) the information system routes all remote accesses through managed access control points.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; list of managed access control points; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for remote access].


AC-17(4) REMOTE ACCESS
AC-17(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs; and
(ii) the organization documents the rationale for such access in the security plan for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; security plan; information system audit records; other relevant documents or records].



AC-17(5) REMOTE ACCESS
AC-17(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of monitoring for unauthorized remote connections to the information system;
(ii) the organization monitors for unauthorized remote connections to the information system in accordance with the organization-defined frequency;
(iii) the organization defines the appropriate action(s) to be taken if an unauthorized connection is discovered; and
(iv) the organization takes organization-defined appropriate action(s) if an unauthorized connection is discovered.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for monitoring remote connections to the information system].


AC-17(6) REMOTE ACCESS
AC-17(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing or monitoring remote access to the information system; information system users with knowledge of information about remote access mechanisms].


AC-17(7) REMOTE ACCESS
AC-17(7).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security functions and security-relevant information that can be accessed using remote sessions;
(ii) the organization defines the additional security measures to be employed for remote sessions used to access organization-defined security functions and security-relevant information;
(iii) the organization employs organization-defined additional security measures for remote sessions used to access organization-defined security functions and security-relevant information; and
(iv) the organization audits remote sessions for accessing organization-defined security functions and security-relevant information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for remote access].


AC-17(8) REMOTE ACCESS
AC-17(8).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the networking protocols within the information system deemed to be nonsecure; and
(ii) the organization disables the organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; security plan; list of networking protocols deemed to be nonsecure; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms disabling networking protocols deemed to be nonsecure].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-18 WIRELESS ACCESS
AC-18.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes usage restrictions and implementation guidance for wireless access;
(ii) the organization monitors for unauthorized wireless access to the information system;
(iii) the organization authorizes wireless access to the information system prior to connection; and
(iv) the organization enforces requirements for wireless connections to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); activities related to wireless monitoring, authorization, and enforcement; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for authorizing, monitoring or controlling the use of wireless technologies in the information system].
Test: [SELECT FROM: Wireless access usage and restrictions].


AC-18(1) WIRELESS ACCESS
AC-18(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system protects wireless access to the system using authentication and encryption.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for wireless access to the information system].


AC-18(2) WIRELESS ACCESS
AC-18(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of monitoring for unauthorized wireless connections to the information system, including scans for unauthorized wireless access points;
(ii) the organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points, in accordance with organization-defined frequency;
(iii) the organization defines the appropriate action(s) to be taken if an unauthorized connection is discovered; and
(iv) the organization takes appropriate action(s) if an unauthorized connection is discovered.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless scanning reports; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for monitoring wireless connections to the information system].
Test: [SELECT FROM: Scanning procedures for detecting unauthorized wireless connections and access points].


AC-18(3) WIRELESS ACCESS
AC-18(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization disables, when not intended for use, wireless networking capabilities internally embedded within the information system components prior to issuance and deployment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms controlling the disabling of wireless networking capabilities internally embedded within the information system components].


AC-18(4) WIRELESS ACCESS
AC-18(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization does not allow users to independently configure wireless networking capabilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms preventing independent configuration of wireless networking capabilities].


AC-18(5) WIRELESS ACCESS
AC-18(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization confines wireless communications to organization-controlled boundaries.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for wireless access to the information system; wireless connections and access points outside of organizational boundaries using scanning devices].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-19 ACCESS CONTROL FOR MOBILE DEVICES
AC-19.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices;
(ii) the organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
(iii) the organization monitors for unauthorized connections of mobile devices to organizational information systems;
(iv) the organization enforces requirements for the connection of mobile devices to organizational information systems;
(v) the organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
(vi) the organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures;
(vii) the organization defines the inspection and preventative measures to be applied to mobile devices returning from locations that the organization deems to be of significant risk; and
(viii) the organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel who use portable and mobile devices to access the information system].
Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices].


AC-19(1) ACCESS CONTROL FOR MOBILE DEVICES
AC-19(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization restricts the use of writable, removable media in organizational information systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel who use portable and mobile devices to access the information system].
Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices].


AC-19(2) ACCESS CONTROL FOR MOBILE DEVICES
AC-19(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization prohibits the use of personally owned, removable media in organizational information systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices].


AC-19(3) ACCESS CONTROL FOR MOBILE DEVICES
AC-19(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices].


AC-19(4) ACCESS CONTROL FOR MOBILE DEVICES
AC-19(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the appropriate authorizing official(s);
(ii) the organization defines the security officials authorized to randomly review/inspect mobile devices and the information stored on those devices for classified information; and
(iii) the organization enforces the following restrictions on individuals permitted to use mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
  • connection of unclassified mobile devices to classified information systems is prohibited;
  • connection of unclassified mobile devices to unclassified information systems requires approval from the appropriate authorizing official(s);
  • use of internal or external modems or wireless interfaces within the mobile devices is prohibited; and
  • mobile devices and the information stored on those devices are subject to random reviews/inspections by organization-defined security officials, and if classified information is found, the incident handling policy is enforced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; evidentiary documentation for random inspections of mobile devices; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for randomly reviewing/inspecting mobile devices; organizational personnel using mobile devices in facilities containing information systems processing, storing, or transmitting classified information].
Test: [SELECT FROM: Automated mechanisms prohibiting the use of internal or external modems or wireless interfaces within mobile devices].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
AC-20.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies individuals authorized to:
  • access the information system from the external information systems; and
  • process, store, and/or transmit organization-controlled information using the external information systems; and
(ii) the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
  • access the information system from the external information systems; and
  • process, store, and/or transmit organization-controlled information using the external information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external information systems; external information systems terms and conditions; list of types of applications accessible from external information systems; maximum security categorization for information processed, stored, or transmitted on external information systems; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems].



AC-20(1) USE OF EXTERNAL INFORMATION SYSTEMS
AC-20(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external information systems; security plan; information system connection or processing agreements; account management documents; other relevant documents or records].



AC-20(2) USE OF EXTERNAL INFORMATION SYSTEMS
AC-20(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external information systems; security plan; information system configuration settings and associated documentation; information system connection or processing agreements; account management documents; other relevant documents or records].




FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-21 USER-BASED COLLABORATION AND INFORMATION SHARING
AC-21.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the circumstances where user discretion is required to facilitate information sharing;
(ii) the organization facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for the organization-defined circumstances;
(iii) the organization defines the information sharing circumstances and automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions; and
(iv) the organization employs organization-defined circumstances and automated mechanisms or manual processes to assist users in making information sharing/collaboration decisions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); information system design documentation; information system configuration settings and associated documentation; list of users authorized to make information sharing/collaboration decisions; list of information sharing circumstances requiring user discretion; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for making information sharing/collaboration decisions].
Test: [SELECT FROM: Automated mechanisms or manual process implementing access authorizations supporting information sharing/user collaboration decisions].


AC-21(1) USER-BASED COLLABORATION AND INFORMATION SHARING
AC-21(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system employs automated mechanisms to enable authorized users to make information-sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); information system design documentation; information system configuration settings and associated documentation; system-generated list of users authorized to make information sharing/collaboration decisions; system-generated list of sharing partners and access authorizations; system-generated list of access restrictions regarding information to be shared; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access authorizations supporting information sharing/user collaboration decisions].



FAMILY: ACCESS CONTROL CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AC-22 PUBLICLY ACCESSIBLE CONTENT
AC-22.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization designates individuals authorized to post information onto an organizational information system that is publicly accessible;
(ii) the organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
(iii) the organization reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
(iv) the organization defines the frequency of reviews of the content on the publicly accessible organizational information system for nonpublic information;
(v) the organization reviews the content on the publicly accessible organizational information system for nonpublic information in accordance with the organization-defined frequency; and
(vi) the organization removes nonpublic information from the publicly accessible organizational information system, if discovered.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing publicly accessible content; list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public websites; system audit logs; security awareness training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for managing publicly accessible information posted on organizational information systems].



AWARENESS AND TRAINING


FAMILY: AWARENESS AND TRAINING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents security awareness and training policy;
(ii) the organization security awareness and training policy addresses:
(iii) the organization disseminates formal documented security awareness and training policy to elements within the organization having associated security awareness and training roles and responsibilities;
(iv) the organization develops and formally documents security awareness and training procedures;
(v) the organization security awareness and training procedures facilitate implementation of the security awareness and training policy and associated security awareness and training controls; and
(vi) the organization disseminates formal documented security awareness and training procedures to elements within the organization having associated security awareness and training roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security awareness and training responsibilities].
AT-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of security awareness and training policy reviews/updates;
(ii) the organization reviews/updates security awareness and training policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of security awareness and training procedure reviews/updates; and
(iv) the organization reviews/updates security awareness and training procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security awareness and training responsibilities].



FAMILY: AWARENESS AND TRAINING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
AT-2 SECURITY AWARENESS
AT-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users and when required by system changes;
(ii) the organization defines the frequency of refresher security awareness training; and
(iii) the organization provides refresher security awareness training in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; appropriate codes of federal regulations; security awareness training curriculum; security awareness training materials; security plan; training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel comprising the general information system user community].



AT-2(1) SECURITY AWARENESS
AT-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes practical exercises in security awareness training that simulate actual cyber attacks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel that participate in security awareness training].



FAMILY: AWARENESS AND TRAINING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
AT-3 SECURITY TRAINING
AT-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides role-based security-related training before authorizing access to the system or performing assigned duties, and when required by system changes;
(ii) the organization defines the frequency of refresher role-based security-related training; and
(iii) the organization provides refresher role-based security-related training in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; security plan; training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for role-based, security-related training; organizational personnel with significant information system security responsibilities].



AT-3(1) SECURITY TRAINING
AT-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides employees with initial training in the employment and operation of environmental controls;
(ii) the organization defines the frequency of refresher training in the employment and operation of environmental controls; and
(iii) the organization provides refresher training in the employment and operation of environmental controls in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training implementation; security training curriculum; security training materials; security plan; training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security training responsibilities; organizational personnel with significant information system security responsibilities].


AT-3(2) SECURITY TRAINING
AT-3(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides employees with initial training in the employment and operation of physical security controls;
(ii) the organization defines the frequency of refresher training in the employment and operation of physical security controls; and
(iii) the organization provides refresher training in the employment and operation of physical security controls in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; security plan; training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security training responsibilities; organizational personnel with significant information system security responsibilities].



FAMILY: AWARENESS AND TRAINING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
AT-4 SECURITY TRAINING RECORDS
AT-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training;
(ii) the organization defines the time period for retaining individual training records; and
(iii) the organization retains individual training records in accordance with the organization-defined time period.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training records; security awareness and training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security training record retention responsibilities].




FAMILY: AWARENESS AND TRAINING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
AT-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization establishes and institutionalizes contact with selected groups and associations within the security community:
  • to facilitate ongoing security education and training for organizational personnel;
  • to stay up to date with the latest recommended security practices, techniques, and technologies; and
  • to share current security-related information including threats, vulnerabilities, and incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing contacts with security groups and associations; list of organization-defined key contacts to obtain ongoing information system security knowledge, expertise, and general information; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security responsibilities (e.g., individuals that have contacts with selected groups and associations within the security community)].



AUDIT AND ACCOUNTABILITY


FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
AU-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents audit and accountability policy;
(ii) the organization's audit and accountability policy addresses:
(iii) the organization disseminates formal documented audit and accountability policy to elements within the organization having associated audit and accountability roles and responsibilities;
(iv) the organization develops and formally documents audit and accountability procedures;
(v) the organization's audit and accountability procedures facilitate implementation of the audit and accountability policy and associated audit and accountability controls; and
(vi) the organization disseminates formal documented audit and accountability procedures to elements within the organization having associated audit and accountability roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with audit and accountability responsibilities].
AU-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of audit and accountability policy reviews/updates;
(ii) the organization reviews/updates audit and accountability policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of audit and accountability procedure reviews/updates; and
(iv) the organization reviews/updates audit and accountability procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with audit and accountability responsibilities].



FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-2 AUDITABLE EVENTS
AU-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the list of events the information system must be capable of auditing;
(ii) the organization determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the organization-defined list of auditable events;
(iii) the organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and help guide the selection of auditable events;
(iv) the organization provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents;
(v) the organization defines the subset of auditable events defined in (i) that are to be audited within the information system and the frequency of (or situation requiring) auditing for each identified event; and
(vi) the organization determines, based on current threat information and ongoing assessment of risk, the subset of auditable events defined in (i) to be audited within the information system, and the frequency of (or situation requiring) auditing for each identified event.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; security plan; information system configuration settings and associated documentation; information system audit records; list of information system auditable events; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing information system auditing of organization-defined auditable events].


AU-2(1) AUDITABLE EVENTS

[Withdrawn: Incorporated into AU-12].

AU-2(1).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into AU-12].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into AU-12].


AU-2(2) AUDITABLE EVENTS

[Withdrawn: Incorporated into AU-12].

AU-2(2).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into AU-12].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into AU-12].


AU-2(3) AUDITABLE EVENTS
AU-2(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of reviews and updates to the list of organization-defined auditable events; and
(ii) the organization reviews and updates the list of organization-defined auditable events in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; security plan; list of organization-defined auditable events; auditable events review and update records; information system audit records; information system incident reports; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].


AU-2(4) AUDITABLE EVENTS
AU-2(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes execution of privileged functions in the list of events to be audited by the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; information system configuration settings and associated documentation; list of organization-defined auditable events; list of privileged security functions; other relevant documents or records].




FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-3 CONTENT OF AUDIT RECORDS
AU-3.1 ASSESSMENT OBJECTIVE:
Determine if the information system produces audit records that contain sufficient information to, at a minimum, establish:
  • what type of event occurred;
  • when (date and time) the event occurred;
  • where the event occurred;
  • the source of the event;
  • the outcome (success or failure) of the event; and
  • the identity of any user/subject associated with the event.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; list of organization-defined auditable events; information system audit records; information system incident reports; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information system auditing of auditable events].
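As an added example (not part of the NIST catalog), an assessor-side check of the AU-3 minimum content run over constructed JSON-lines audit records; the field names, the ISO 8601 timestamp format and the "success"/"failure" outcome vocabulary are assumptions about the system under test:

```python
"""Added example, not from NIST SP 800-53A: test whether audit records carry
the six AU-3 minimum elements. Field names below are assumptions."""
import json
from datetime import datetime

# Map an assumed record field to the AU-3 element it is expected to satisfy.
REQUIRED = {
    "event_type": "what type of event occurred",
    "timestamp": "when (date and time) the event occurred",
    "host": "where the event occurred",
    "source": "the source of the event",
    "outcome": "the outcome (success or failure) of the event",
    "subject": "the identity of any user/subject associated with the event",
}


def _valid_timestamp(value):
    """Accept ISO 8601 date/times (a trailing 'Z' is normalized to +00:00)."""
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def check_record(record):
    """Return the list of AU-3 deficiencies for one parsed audit record."""
    problems = []
    for field, element in REQUIRED.items():
        if record.get(field) in (None, ""):
            problems.append(f"missing {element} ({field})")
    ts = record.get("timestamp")
    if ts and not _valid_timestamp(ts):
        problems.append("timestamp is not a parseable date/time")
    if record.get("outcome") not in (None, "", "success", "failure"):
        problems.append("outcome is not 'success' or 'failure'")
    return problems


def assess(lines):
    """Check JSON-lines audit records; return {line_no: problems} for failing records."""
    findings = {}
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings[n] = ["record is not well-formed JSON"]
            continue
        problems = check_record(rec)
        if problems:
            findings[n] = problems
    return findings


# Constructed sample records (not real logs): one complete, one lacking the
# subject, one with an unparseable time and a non-standard outcome.
SAMPLE = [
    '{"event_type":"logon","timestamp":"2024-03-01T12:00:00Z","host":"app01",'
    '"source":"10.0.0.5","outcome":"success","subject":"alice"}',
    '{"event_type":"logon","timestamp":"2024-03-01T12:00:05Z","host":"app01",'
    '"source":"10.0.0.9","outcome":"failure"}',
    '{"event_type":"config_change","timestamp":"yesterday","host":"app01",'
    '"source":"console","outcome":"ok","subject":"root"}',
]

if __name__ == "__main__":
    for n, problems in assess(SAMPLE).items():
        print(f"record {n}: " + "; ".join(problems))
```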


AU-3(1) CONTENT OF AUDIT RECORDS
AU-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the additional, more detailed information to be included in audit records for audit events identified by type, location, or subject; and
(ii) the information system includes the organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; list of organization-defined auditable events; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system audit capability to include more detailed information in audit records for audit events identified by type, location, or subject].


AU-3(2) CONTENT OF AUDIT RECORDS
AU-3(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the information system components for which the content of audit records generated is centrally managed; and
(ii) the organization centrally manages the content of audit records generated by organization-defined information system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; information system design documentation; list of organization-defined auditable events; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing centralized management of audit record content].



FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-4 AUDIT STORAGE CAPACITY
AU-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization allocates audit record storage capacity; and
(ii) the organization configures auditing to reduce the likelihood of audit record storage capacity being exceeded.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit storage capacity; information system design documentation; organization-defined audit record storage capacity for information system components that store audit records; list of organization-defined auditable events; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Audit record storage capacity and related configuration settings].



FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
AU-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines designated organizational officials to be alerted in the event of an audit processing failure;
(ii) the information system alerts designated organizational officials in the event of an audit processing failure;
(iii) the organization defines additional actions to be taken in the event of an audit processing failure; and
(iv) the information system takes the additional organization-defined actions in the event of an audit processing failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; list of personnel to be notified in case of an audit processing failure; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information system response to audit processing failures].


AU-5(1) RESPONSE TO AUDIT PROCESSING FAILURES
AU-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the percentage of maximum audit record storage capacity that, if reached, requires a warning to be provided; and
(ii) the information system provides a warning when the allocated audit record storage volume reaches the organization-defined percentage of maximum audit record storage capacity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit storage limit warnings].


AU-5(2) RESPONSE TO AUDIT PROCESSING FAILURES
AU-5(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines audit failure events requiring real-time alerts; and
(ii) the information system provides a real-time alert when organization-defined audit failure events occur.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing real-time audit alerts when organization-defined audit failure events occur].


AU-5(3) RESPONSE TO AUDIT PROCESSING FAILURES
AU-5(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system enforces configurable traffic volume thresholds representing auditing capacity for network traffic;
(ii) the organization defines whether network traffic above the configurable traffic volume thresholds is rejected or delayed; and
(iii) the information system rejects or delays, as defined by the organization, network traffic generated above the configurable traffic volume thresholds.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Information system capability implementing configurable traffic volume thresholds].


AU-5(4) RESPONSE TO AUDIT PROCESSING FAILURES
AU-5(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Information system capability invoking system shutdown in the event of an audit failure].



FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of information system audit record reviews and analyses;
(ii) the organization reviews and analyzes information system audit records for indications of inappropriate or unusual activity in accordance with the organization-defined frequency; and
(iii) the organization reports findings of inappropriate/unusual activities to designated organizational officials.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].
Test: [SELECT FROM: Information system audit review, analysis, and reporting capability].
AU-6.2 ASSESSMENT OBJECTIVE:
Determine if the organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; threat information documentation from law enforcement, intelligence community, or other sources; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].


AU-6(1) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; procedures for investigating and responding to suspicious activities; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].
Test: [SELECT FROM: Information system capability integrating audit review, analysis, and reporting into an organizational process for investigation and response to suspicious activities].


AU-6(2) AUDIT REVIEW, ANALYSIS, AND REPORTING

[Withdrawn: Incorporated into SI-4].

AU-6(2).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into SI-4].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into SI-4].


AU-6(3) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; information system audit records across different repositories; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].


AU-6(4) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system centralizes the review and analysis of audit records from multiple components within the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; security plan; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].
Test: [SELECT FROM: Information system capability for centralizing review and analysis of audit records from multiple information system components].


AU-6(5) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and network monitoring information to enhance the ability to identify inappropriate or unusual activity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; integrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system capability for centralizing review and analysis of audit records from multiple information system components].


AU-6(6) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization correlates information from audit records with information obtained from monitoring physical access to enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; documentation providing evidence of correlated information obtained from audit records and physical access monitoring records; security plan; other relevant documents or records].
Test: [SELECT FROM: Information system capability for centralizing review and analysis of audit records from multiple information system components].


AU-6(7) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(7).1 ASSESSMENT OBJECTIVE:
Determine if the organization specifies the permitted actions for each authorized information system process, role, and/or user in the audit and accountability policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; security plan; other relevant documents or records].



AU-6(8) AUDIT REVIEW, ANALYSIS, AND REPORTING

[Withdrawn: Incorporated into SI-4].

AU-6(8).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into SI-4].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into SI-4].


AU-6(9) AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6(9).1 ASSESSMENT OBJECTIVE:
Determine if the organization performs full-text analysis of privileged functions executed in a physically dedicated information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].



FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-7 AUDIT REDUCTION AND REPORT GENERATION
AU-7.1 ASSESSMENT OBJECTIVE:
Determine if the information system provides an audit reduction and report generation capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit reduction and report generation; information system design documentation; audit reduction, review, and reporting tools; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit review, analysis, and reporting responsibilities].
Test: [SELECT FROM: Audit reduction and report generation capability].


AU-7(1) AUDIT REDUCTION AND REPORT GENERATION
AU-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit reduction and report generation; information system design documentation; information system configuration settings and associated documentation; documented criteria for selectable events to audit; audit reduction, review, and reporting tools; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Audit reduction and report generation capability].



FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-8 TIME STAMPS
AU-8.1 ASSESSMENT OBJECTIVE:
Determine if the information system uses internal system clocks to generate time stamps for audit records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing time stamp generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing time stamp generation].


AU-8(1) TIME STAMPS
AU-8(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of internal clock synchronization for the information system;
(ii) the organization defines the authoritative time source for internal clock synchronization; and
(iii) the organization synchronizes internal information system clocks with the organization-defined authoritative time source in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing time stamp generation; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing internal information system clock synchronization].



FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-9 PROTECTION OF AUDIT INFORMATION
AU-9.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects audit information and audit tools from unauthorized:
  • access;
  • modification; and
  • deletion.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; audit tools; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit information protection].


AU-9(1) PROTECTION OF AUDIT INFORMATION
AU-9(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system produces audit records on hardware-enforced, write-once media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system hardware settings; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Media storage devices to hold audit records].


AU-9(2) PROTECTION OF AUDIT INFORMATION
AU-9(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the system or media for storing backup audit records that is a different system or media than the system being audited;
(ii) the organization defines the frequency of information system backups of audit records; and
(iii) the information system backs up audit records, in accordance with the organization-defined frequency, onto organization-defined system or media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; security plan; information system design documentation; information system configuration settings and associated documentation; system or media storing backups of information system audit records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].


AU-9(3) PROTECTION OF AUDIT INFORMATION
AU-9(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses cryptographic mechanisms to protect the integrity of audit information and audit tools.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system hardware settings; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].
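As an added example (not from NIST SP 800-53A and not a prescribed implementation), one cryptographic mechanism of the kind AU-9.1 and AU-9(3) ask about: a keyed hash chain over stored audit records that makes modification or deletion of a record detectable during review. The record format, the embedded key and the chain construction are assumptions for this illustration.

```python
"""Added example, not from NIST SP 800-53A: HMAC chain protecting the
integrity of stored audit records. Format and key handling are assumptions."""
import hashlib
import hmac
import json

# A constructed key so the example runs offline. In a real deployment the key
# is held by an HSM or a separate log-integrity service, not by the audited
# system itself, so that a privileged user of that system cannot re-seal logs.
KEY = b"constructed-example-key-do-not-use"
GENESIS = b"\x00" * 32   # chain value before the first record


def _canonical(record):
    """Serialize a record deterministically so the same content yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(records, key=KEY):
    """Return [(record, tag_hex)]; each tag covers the record and the previous tag."""
    prev = GENESIS
    sealed = []
    for rec in records:
        tag = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        sealed.append((rec, tag.hex()))
        prev = tag
    return sealed


def verify(sealed, key=KEY):
    """Return (True, -1) if every tag chains correctly, else (False, index of first bad record)."""
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return False, i
        prev = expected
    return True, -1


# Constructed sample records (not real logs).
SAMPLE_RECORDS = [
    {"event_type": "logon", "timestamp": "2024-03-01T12:00:00Z",
     "host": "app01", "source": "10.0.0.5", "outcome": "success", "subject": "alice"},
    {"event_type": "logon", "timestamp": "2024-03-01T12:00:05Z",
     "host": "app01", "source": "10.0.0.9", "outcome": "failure", "subject": "bob"},
    {"event_type": "priv_exec", "timestamp": "2024-03-01T12:01:00Z",
     "host": "app01", "source": "console", "outcome": "success", "subject": "root"},
]


def demonstrate():
    """Seal the samples, then show that an edit and a deletion are both caught."""
    sealed = seal(SAMPLE_RECORDS)
    intact = verify(sealed)
    # Modification: the failed logon is rewritten as a success after the fact.
    modified = [(dict(r), t) for r, t in sealed]
    modified[1][0]["outcome"] = "success"
    # Deletion: the second record is removed; the third record's tag no longer
    # chains to its predecessor, so the gap is detected at index 1.
    deleted = sealed[:1] + sealed[2:]
    return intact, verify(modified), verify(deleted)


if __name__ == "__main__":
    print(demonstrate())   # ((True, -1), (False, 1), (False, 1))
```

The chain alone cannot detect truncation at the tail (dropping the newest records), so the latest tag must also be anchored outside the audited system, for instance with the backup copies AU-9(2) calls for.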


AU-9(4) PROTECTION OF AUDIT INFORMATION
AU-9(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization authorizes access to management of audit functionality to only a limited subset of privileged users; and
(ii) the organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities].



FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-10 NON-REPUDIATION
AU-10.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects against an individual falsely denying having performed a particular action.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].


AU-10(1) NON-REPUDIATION
AU-10(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system associates the identity of the information producer with the information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].


AU-10(2) NON-REPUDIATION
AU-10(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system validates the binding of the information producer's identity to the information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].


AU-10(3) NON-REPUDIATION
AU-10(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].


AU-10(4) NON-REPUDIATION
AU-10(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system validates the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].


AU-10(5) NON-REPUDIATION
AU-10(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines whether FIPS-validated or NSA-approved cryptography is employed to implement digital signatures; and
(ii) the organization employs the organization-defined cryptography to implement digital signatures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms implementing digital signature capability within the information system].



FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-11 AUDIT RECORD RETENTION
AU-11.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the retention period for audit records;
(ii) the retention period for audit records is consistent with the records retention policy; and
(iii) the organization retains audit records for the organization-defined time period consistent with the records retention policy to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record retention; security plan; organization-defined retention period for audit records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit record retention responsibilities].




FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-12 AUDIT GENERATION
AU-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the information system components that provide audit record generation capability for the list of auditable events defined in AU-2;
(ii) the information system provides audit record generation capability, at organization-defined information system components, for the list of auditable events defined in AU-2;
(iii) the information system allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
(iv) the information system generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system audit record generation responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing audit record generation capability].


AU-12(1) AUDIT GENERATION
AU-12(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system produces a system-wide (logical or physical) audit trail of information system audit records;
(ii) the organization defines the information system components from which audit records are to be compiled into the system-wide audit trail;
(iii) the information system compiles audit records from organization-defined information system components into the system-wide audit trail;
(iv) the organization defines the acceptable level of tolerance for relationship between time stamps of individual records in the system-wide audit trail; and
(v) the system-wide audit trail is time-correlated to within the organization-defined level of tolerance to achieve a time ordering of audit records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit record generation capability].


AU-12(2) AUDIT GENERATION
AU-12(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing audit record generation capability].
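The following is an added example, not part of SP 800-53A or of the FISMApedia page, of the kind of check an assessor can run over exported records when testing the automated mechanisms named for AU-12(1) and AU-12(2). Records from three assumed components (web01, db01 and fw01; the sample lines, their two native formats and the collector receipt timestamps are all constructed here) are mapped into one standardized record layout carrying the AU-3 content, compiled into a single time-ordered trail, and each component's clock skew against the collector is compared with an assumed organization-defined tolerance of 60 seconds.

```python
import json
import re
from datetime import datetime, timezone

# Assumed organization-defined tolerance for AU-12(1) (iv); not a value from the standard.
TOLERANCE_SECONDS = 60

# Constructed sample input: (component, collector receipt time, raw record as the
# component emitted it). web01 logs JSON; db01 and fw01 log syslog-style key=value lines.
SAMPLE_RECORDS = [
    ("web01", "2024-03-01T10:00:00Z",
     '{"ts":"2024-03-01T10:00:00Z","event":"login","user":"alice","src":"10.0.0.5","outcome":"success"}'),
    ("db01", "2024-03-01T10:00:02Z",
     "2024-03-01T10:00:01Z db01 audit[221]: user=svc_app event=query src=10.0.0.7 outcome=success"),
    ("fw01", "2024-03-01T10:00:03Z",
     "2024-03-01T09:45:03Z fw01 audit[9]: user=- event=deny src=203.0.113.9 outcome=blocked"),
    ("web01", "2024-03-01T10:00:05Z",
     '{"ts":"2024-03-01T10:00:04Z","event":"logout","user":"alice","src":"10.0.0.5","outcome":"success"}'),
]

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<kv>.*)$")

# The standardized record layout (AU-12(2)); the last five fields carry the AU-3 content.
STANDARD_FIELDS = ("component", "time", "recv_time", "event", "identity", "source", "outcome")


def parse_iso(s):
    """Parse an ISO-8601 UTC timestamp ending in Z into a timezone-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(component, recv, raw):
    """Map one native record into the standardized layout; reject formats we cannot
    parse rather than silently dropping AU-3 content."""
    if raw.lstrip().startswith("{"):
        d = json.loads(raw)
        fields = {"time": d["ts"], "event": d["event"], "identity": d.get("user"),
                  "source": d.get("src"), "outcome": d["outcome"]}
    else:
        m = SYSLOG_RE.match(raw)
        if m is None:
            raise ValueError("unrecognized audit record format: %r" % raw)
        kv = dict(pair.split("=", 1) for pair in m.group("kv").split())
        fields = {"time": m.group("ts"), "event": kv.get("event"), "identity": kv.get("user"),
                  "source": kv.get("src"), "outcome": kv.get("outcome")}
    rec = {"component": component, "time": parse_iso(fields["time"]), "recv_time": parse_iso(recv)}
    rec.update((k, fields[k]) for k in ("event", "identity", "source", "outcome"))
    return rec


def compile_trail(records):
    """Compile the system-wide audit trail: normalize every component's records and
    order them by source timestamp (receipt time breaks ties)."""
    trail = [normalize(component, recv, raw) for component, recv, raw in records]
    trail.sort(key=lambda rec: (rec["time"], rec["recv_time"]))
    return trail


def check_time_correlation(trail, tolerance_seconds=TOLERANCE_SECONDS):
    """Per component, the largest gap between a record's source time and the collector's
    receipt time. A component beyond tolerance cannot be time-ordered against the others."""
    worst = {}
    for rec in trail:
        skew = abs((rec["time"] - rec["recv_time"]).total_seconds())
        worst[rec["component"]] = max(skew, worst.get(rec["component"], 0.0))
    out_of_tolerance = sorted(c for c, s in worst.items() if s > tolerance_seconds)
    return worst, out_of_tolerance


if __name__ == "__main__":
    trail = compile_trail(SAMPLE_RECORDS)
    for rec in trail:
        print(rec["time"].isoformat(), rec["component"], rec["event"], rec["identity"], rec["outcome"])
    worst, bad = check_time_correlation(trail)
    print("max skew per component:", worst)
    print("outside tolerance:", bad or "none")
```

The skew measure uses the collector's receipt time as its reference, so the tolerance has to absorb normal delivery latency. A component flagged here (fw01, whose source timestamps run 15 minutes behind the collector) produces records that cannot be ordered reliably against the rest of the trail; the assessor should cross-check such a finding against the component's time synchronization under AU-8 rather than accept the ordering the trail shows.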



FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-13 MONITORING FOR INFORMATION DISCLOSURE
AU-13.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of monitoring open source information for evidence of unauthorized exfiltration or disclosure of organizational information; and
(ii) the organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing information disclosure monitoring; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for monitoring open source information for evidence of unauthorized exfiltration or disclosure].




FAMILY: AUDIT AND ACCOUNTABILITY CLASS: TECHNICAL


ASSESSMENT PROCEDURE
AU-14 SESSION AUDIT
AU-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system provides the capability to capture/record and log all content related to a user session; and
(ii) the information system provides the capability to remotely view/hear all content related to an established user session in real time.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing user session auditing; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing user session auditing capability].


AU-14(1) SESSION AUDIT
AU-14(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system initiates session audits at system start-up.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing user session auditing; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing user session auditing capability].


SECURITY ASSESSMENT AND AUTHORIZATION


FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICIES AND PROCEDURES
CA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents security assessment and authorization policy;
(ii) the organization security assessment and authorization policy addresses:
(iii) the organization disseminates formal documented security assessment and authorization policy to elements within the organization having associated security assessment and authorization roles and responsibilities;
(iv) the organization develops and formally documents security assessment and authorization procedures;
(v) the organization security assessment and authorization procedures facilitate implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
(vi) the organization disseminates formal documented security assessment and authorization procedures to elements within the organization having associated security assessment and authorization roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policies and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security assessment and authorization responsibilities].
CA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of security assessment and authorization policy reviews/updates;
(ii) the organization reviews/updates security assessment and authorization policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of security assessment and authorization procedure reviews/updates; and
(iv) the organization reviews/updates security assessment and authorization procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policies and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security assessment and authorization responsibilities].



FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
CA-2 SECURITY ASSESSMENTS
CA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a security assessment plan for the information system; and
(ii) the security assessment plan describes the scope of the assessment including:
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessments; security assessment plan; other relevant documents or records].


CA-2.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of assessing the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
(ii) the organization assesses the security controls in the information system at the organization-defined frequency;
(iii) the organization produces a security assessment report that documents the results of the security control assessment; and
(iv) the results of the security control assessment are provided, in writing, to the authorizing official or authorizing official designated representative.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessments; security plan; security assessment plan; security assessment report; security assessment evidence; plan of action and milestones; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security assessment responsibilities].


CA-2(1) SECURITY ASSESSMENTS
CA-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessments; security authorization package (including security plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security assessment responsibilities].


CA-2(2) SECURITY ASSESSMENTS
CA-2(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines:
(ii) the organization conducts security control assessments using organization-defined forms of testing in accordance with organization-defined frequency and assessment techniques established for each form of testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessments; security plan; security assessment plan; security assessment report; assessment evidence; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security assessment responsibilities].



FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
CA-3 INFORMATION SYSTEM CONNECTIONS
CA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary);
(ii) the organization authorizes connections from the information system to external information systems through the use of Interconnection Security Agreements;
(iii) the organization documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
(iv) the organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information system connections; system and communications protection policy; information system interconnection security agreements; security plan; information system design documentation; security assessment report; plan of action and milestones; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements].



CA-3(1) INFORMATION SYSTEM CONNECTIONS
CA-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization prohibits the direct connection of an unclassified, national security system to an external network.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information system connections; system and communications protection policy; information system interconnection security agreements; security plan; information system design documentation; security assessment report; plan of action and milestones; other relevant documents or records].



CA-3(2) INFORMATION SYSTEM CONNECTIONS
CA-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization prohibits the direct connection of a classified, national security system to an external network.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information system connections; system and communications protection policy; information system interconnection security agreements; security plan; information system design documentation; security assessment report; plan of action and milestones; other relevant documents or records].




FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
CA-4 SECURITY CERTIFICATION

[Withdrawn: Incorporated into CA-2].

CA-4.1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into CA-2].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into CA-2].



CA-4(1) SECURITY CERTIFICATION

[Withdrawn: Incorporated into CA-2].

CA-4(1).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into CA-2].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into CA-2].



FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
CA-5 PLAN OF ACTION AND MILESTONES
CA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a plan of action and milestones for the information system;
(ii) the plan of action and milestones documents the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system;
(iii) the organization defines the frequency of plan of action and milestone updates; and
(iv) the organization updates the plan of action and milestones at an organization-defined frequency with findings from:
  • security controls assessments;
  • security impact analyses; and
  • continuous monitoring activities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing plan of action and milestones; security plan; security assessment plan; security assessment report; assessment evidence; plan of action and milestones; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with plan of action and milestones development and implementation responsibilities].



CA-5(1) PLAN OF ACTION AND MILESTONES
CA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is:
  • accurate;
  • up to date; and
  • readily available.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing plan of action and milestones; information system design documentation; information system configuration settings and associated documentation; plan of action and milestones; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with plan of action and milestones development and implementation responsibilities].
Test: [SELECT FROM: Automated mechanisms for developing, implementing and maintaining plan of action and milestones].



FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
CA-6 SECURITY AUTHORIZATION
CA-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization assigns a senior-level executive or manager to the role of authorizing official for the information system;
(ii) the authorizing official authorizes the information system for processing before commencing operations;
(iii) the organization defines the frequency of security authorization updates; and
(iv) the organization updates the security authorization in accordance with an organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security authorization; security authorization package (including security plan; security assessment report; plan of action and milestones; authorization statement); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security authorization responsibilities].




FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
CA-7 CONTINUOUS MONITORING
CA-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes a continuous monitoring strategy and program;
(ii) the organization defines the frequency for reporting the security state of the information system to appropriate organizational officials;
(iii) the organization defines organizational officials to whom the security state of the information system should be reported; and
(iv) the organization implements a continuous monitoring program that includes:
  • a configuration management process for the information system and its constituent components;
  • a determination of the security impact of changes to the information system and environment of operation;
  • ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and
  • reporting the security state of the information system to appropriate organizational officials in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing continuous monitoring of information system security controls; procedures addressing configuration management; security plan; security assessment report; plan of action and milestones; information system monitoring records; configuration management records; security impact analyses; status reports; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with continuous monitoring responsibilities; organizational personnel with configuration management responsibilities].



CA-7(1) CONTINUOUS MONITORING
CA-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an independent assessor or assessment team to monitor the security controls in the information system on an ongoing basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing continuous monitoring of information system security controls; security plan; security assessment report; plan of action and milestones; information system monitoring records; security impact analyses; status reports; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with continuous monitoring responsibilities].


CA-7(2) CONTINUOUS MONITORING
CA-7(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines:
(ii) the organization plans, schedules, and conducts assessments using organization-defined forms of security testing in accordance with the organization-defined frequency and assessment techniques established for each form of testing to ensure compliance with all vulnerability mitigation procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing continuous monitoring of information system security controls; procedures addressing vulnerability mitigation; security plan; security assessment report; plan of action and milestones; information system monitoring records; security impact analyses; status reports; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with continuous monitoring responsibilities].


CONFIGURATION MANAGEMENT


FAMILY: CONFIGURATION MANAGEMENT CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CM-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents configuration management policy;
(ii) the organization configuration management policy addresses:
(iii) the organization disseminates formal documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities;
(iv) the organization develops and formally documents configuration management procedures;
(v) the organization configuration management procedures facilitate implementation of the configuration management policy and associated configuration management controls; and
(vi) the organization disseminates formal documented configuration management procedures to elements within the organization having associated configuration management roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities].
CM-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of configuration management policy reviews/updates;
(ii) the organization reviews/updates configuration management policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of configuration management procedure reviews/updates; and
(iv) the organization reviews/updates configuration management procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities].



FAMILY: CONFIGURATION MANAGEMENT CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CM-2 BASELINE CONFIGURATION
CM-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents a baseline configuration of the information system; and
(ii) the organization maintains, under configuration control, a current baseline configuration of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; enterprise architecture documentation; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].



CM-2(1) BASELINE CONFIGURATION
CM-2(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines:
(ii) the organization reviews and updates the baseline configuration of the information system:
  • in accordance with the organization-defined frequency;
  • when required due to organization-defined circumstances; and
  • as an integral part of information system component installations and upgrades.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system architecture and configuration documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].


CM-2(2) BASELINE CONFIGURATION
CM-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing baseline configuration maintenance].


CM-2(3) BASELINE CONFIGURATION
CM-2(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization retains older versions of baseline configurations as deemed necessary to support rollback.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system architecture and configuration documentation; historical copies of baseline configurations; other relevant documents or records].
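The following is an added example, not from SP 800-53A or the FISMApedia page, showing what an automated baseline mechanism of the kind CM-2, CM-2(2) and CM-2(3) refer to looks like in its simplest form: the baseline is a hashed manifest of the files under configuration control, drift is the difference between that manifest and the live system, every committed baseline version is retained with the content needed to restore it, and a rollback is verified by re-hashing. The monitored paths, the file contents and the "unapproved drift" in the walk-through are constructed, and the temporary directory stands in for a real host.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Hash every regular file under root into a manifest {relative path: sha256}.
    The manifest is the artifact placed under configuration control."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def diff(baseline, current):
    """Drift between the controlled baseline and the live system."""
    b, c = set(baseline), set(current)
    return {"added": sorted(c - b),
            "removed": sorted(b - c),
            "modified": sorted(p for p in b & c if baseline[p] != current[p])}


class BaselineStore:
    """Retains every committed baseline version together with the file contents
    needed to roll back to it (CM-2(3))."""

    def __init__(self):
        self.versions = []  # (manifest, {path: bytes}) per version, oldest first

    def commit(self, root):
        """Record the current state of root as a new baseline version; returns its id."""
        manifest = snapshot(root)
        blobs = {}
        for rel in manifest:
            with open(os.path.join(root, rel), "rb") as f:
                blobs[rel] = f.read()
        self.versions.append((manifest, blobs))
        return len(self.versions) - 1

    def latest(self):
        return self.versions[-1][0]

    def rollback(self, root, version):
        """Restore root to a retained version: delete files that version did not have,
        rewrite the rest, then verify the tree hashes to that version's manifest."""
        manifest, blobs = self.versions[version]
        for rel in snapshot(root):
            if rel not in manifest:
                os.remove(os.path.join(root, rel))
        for rel, data in blobs.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return snapshot(root) == manifest


def write(root, rel, data):
    """Helper for the constructed walk-through: write data to root/rel, creating directories."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed walk-through in a temporary directory. Returns (drift report,
    number of retained versions, rollback verified)."""
    root = tempfile.mkdtemp()
    write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\nPasswordAuthentication no\n")
    write(root, "etc/ntp.conf", b"server ntp.example.internal iburst\n")
    store = BaselineStore()
    v0 = store.commit(root)                     # approved baseline
    # Drift outside change control: root login re-enabled, cron job dropped in, NTP config removed.
    write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\nPasswordAuthentication no\n")
    write(root, "etc/cron.d/persist", b"* * * * * root /tmp/x\n")
    os.remove(os.path.join(root, "etc/ntp.conf"))
    drift = diff(store.latest(), snapshot(root))
    store.commit(root)                          # drifted state committed as v1 by mistake
    restored = store.rollback(root, v0)         # the older version is still retained
    return drift, len(store.versions), restored


if __name__ == "__main__":
    drift, versions, restored = demo()
    print("drift:", drift)
    print("retained versions:", versions, "rollback to v0 verified:", restored)
```

Two points an assessor would check that the code does not solve by itself: the manifest and retained versions must live where the monitored host cannot rewrite them (a signed copy held off-host under change control), since whoever can alter the configuration can otherwise re-baseline it too; and content hashes say nothing about ownership, permissions or running services, which a production baseline also has to cover.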



CM-2(4) BASELINE CONFIGURATION
CM-2(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and maintains a list of software programs not authorized to execute on the information system; and
(ii) the organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; list of software programs not authorized to execute on the information system; information system architecture and configuration documentation; security plan; other relevant documents or records].



CM-2(5) BASELINE CONFIGURATION
CM-2(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and maintains a list of software programs authorized to execute on the information system; and
(ii) the organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; list of software authorized to execute on the information system; information system architecture and configuration documentation; security plan; other relevant documents or records].
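The following is an added example, not from SP 800-53A or the FISMApedia page, that puts the two authorization policies of CM-2(4) and CM-2(5) side by side as executable rules so the practical difference is visible: what happens to a program the organization has not listed at all, and what happens when a listed program is renamed or patched. The program paths, their contents and the two exception lists are constructed; the policies key on the SHA-256 of the program's content, which is the assumption that makes the renamed-copy case come out as shown.

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed program contents standing in for binaries on the system. Note that
# /home/user/.cache/ncat is a renamed copy of /usr/bin/nc (identical bytes).
PROGRAMS = {
    "/usr/bin/ssh": b"ssh-client-binary-9.6",
    "/opt/ssh-9.7/ssh": b"ssh-client-binary-9.7",   # patched build not yet in the baseline
    "/usr/bin/nc": b"netcat-binary",
    "/home/user/.cache/ncat": b"netcat-binary",
    "/tmp/payload": b"unknown-dropper",
}


class ExecutionPolicy:
    """mode 'allow-all': the exception list is what may NOT run (CM-2(4)).
    mode 'deny-all':  the exception list is the only thing that MAY run (CM-2(5)).
    Exceptions are content hashes, so renaming a file does not change its status."""

    def __init__(self, mode, exception_hashes):
        if mode not in ("allow-all", "deny-all"):
            raise ValueError("mode must be 'allow-all' or 'deny-all'")
        self.mode = mode
        self.exceptions = frozenset(exception_hashes)

    def permits(self, content):
        listed = sha256_hex(content) in self.exceptions
        return (not listed) if self.mode == "allow-all" else listed


def evaluate(policy, programs=PROGRAMS):
    """Decide, for every path, whether the policy lets it execute."""
    return {path: policy.permits(content) for path, content in programs.items()}


# Assumed organization-defined lists: nc is the one denied program under CM-2(4);
# the ssh 9.6 build is the one permitted program under CM-2(5).
DENYLIST = ExecutionPolicy("allow-all", [sha256_hex(PROGRAMS["/usr/bin/nc"])])
ALLOWLIST = ExecutionPolicy("deny-all", [sha256_hex(PROGRAMS["/usr/bin/ssh"])])


if __name__ == "__main__":
    for label, policy in (("allow-all, deny-by-exception (CM-2(4))", DENYLIST),
                          ("deny-all, permit-by-exception (CM-2(5))", ALLOWLIST)):
        print(label)
        for path, ok in evaluate(policy).items():
            print("  %-24s %s" % (path, "run" if ok else "BLOCK"))
```

Under allow-all the unlisted dropper in /tmp executes, since a deny list can only stop what the organization has already identified; under deny-all it is blocked, but so is the patched ssh build until the authorized-software list is updated, which is why CM-2(5) is tied to baseline maintenance under CM-2. Either policy matched by file name rather than content would have let the renamed copy of nc run.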



CM-2(6) BASELINE CONFIGURATION
CM-2(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing baseline configuration environments].



FAMILY: CONFIGURATION MANAGEMENT CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CM-3 CONFIGURATION CHANGE CONTROL
CM-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization determines the types of changes to the information system that are configuration controlled;
(ii) the organization approves configuration-controlled changes to the system with explicit consideration for security impact analyses;
(iii) the organization documents approved configuration-controlled changes to the system;
(iv) the organization retains and reviews records of configuration-controlled changes to the system;
(v) the organization audits activities associated with configuration-controlled changes to the system;
(vi) the organization defines:
  • the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;
  • the frequency with which the configuration change control element convenes; and/or
  • configuration change conditions that prompt the configuration change control element to convene; and
(vii) the organization coordinates and provides oversight for configuration change control activities through the organization-defined configuration change control element that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system architecture and configuration documentation; security plan; change control records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].



CM-3(1) CONFIGURATION CHANGE CONTROL
CM-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period after which approvals that have not been received for proposed changes to the information system are highlighted; and
(ii) the organization employs automated mechanisms to:
  • document proposed changes to the information system;
  • notify designated approval authorities;
  • highlight approvals that have not been received by the organization-defined time period;
  • inhibit change until designated approvals are received; and
  • document completed changes to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; automated configuration control mechanisms; change control records; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing configuration change control].


CM-3(2) CONFIGURATION CHANGE CONTROL
CM-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].


CM-3(3) CONFIGURATION CHANGE CONTROL
CM-3(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automated mechanisms to implement changes to the current information system baseline; and
(ii) the organization deploys the updated baseline across the installed base.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; automated configuration control mechanisms; change control records; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing changes to the information system baseline].


CM-3(4) CONFIGURATION CHANGE CONTROL
CM-3(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires an information security representative to be a member of the configuration change control element as defined by the organization in CM-3.1 (vi).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].



FAMILY: CONFIGURATION MANAGEMENT CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CM-4 SECURITY IMPACT ANALYSIS
CM-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing security impact analysis for changes to the information system; security impact analysis documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes].



CM-4(1) SECURITY IMPACT ANALYSIS
CM-4(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization analyzes new software in a separate test environment before installation in an operational environment; and
(ii) the organization, when analyzing new software in a separate test environment, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing security impact analysis for changes to the information system; security impact analysis documentation; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; information system test and operational environments; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes].


CM-4(2) SECURITY IMPACT ANALYSIS
CM-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization, after the information system is changed, checks the security functions to verify that the functions are:
  • implemented correctly;
  • operating as intended; and
  • producing the desired outcome with regard to meeting the security requirements for the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing security impact analysis for changes to the information system; security impact analysis documentation; change control records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes].



FAMILY: CONFIGURATION MANAGEMENT CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CM-5 ACCESS RESTRICTIONS FOR CHANGE
CM-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities].
Test: [SELECT FROM: Change control process and associated restrictions for changes to the information system].


CM-5(1) ACCESS RESTRICTIONS FOR CHANGE
CM-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access restrictions for changes to the information system].


CM-5(2) ACCESS RESTRICTIONS FOR CHANGE
CM-5(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency for conducting audits of information system changes; and
(ii) the organization conducts audits of information system changes in accordance with the organization-defined frequency and when indications so warrant to determine whether unauthorized changes have occurred.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; security plan; change control records; information system audit records; other relevant documents or records].



CM-5(3) ACCESS RESTRICTIONS FOR CHANGE
CM-5(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate; and
(ii) the information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; list of critical software programs to be prohibited from installation without an approved certificate; information system design documentation; information system architecture and configuration documentation; security plan; change control records; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Information system mechanisms preventing installation of software programs not signed with an organization-approved certificate].


CM-5(4) ACCESS RESTRICTIONS FOR CHANGE
CM-5(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines information system components and system-level information requiring enforcement of a two-person rule for information system changes; and
(ii) the organization enforces a two-person rule for changes to organization-defined information system components and system-level information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; security plan; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for enforcing a two-person rule for system changes].


CM-5(5) ACCESS RESTRICTIONS FOR CHANGE
CM-5(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization limits information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment;
(ii) the organization defines the frequency for reviews and reevaluations of information system developer/integrator privileges; and
(iii) the organization reviews and reevaluates information system developer/integrator privileges in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; security plan; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities].


CM-5(6) ACCESS RESTRICTIONS FOR CHANGE
CM-5(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization limits privileges to change software resident within software libraries (including privileged programs).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].



CM-5(7) ACCESS RESTRICTIONS FOR CHANGE
CM-5(7).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines safeguards and countermeasures to be employed by the information system if security functions (or mechanisms) are changed inappropriately; and
(ii) the information system automatically implements organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Information system implementing safeguards and countermeasures for inappropriate changes to security functions].



FAMILY: CONFIGURATION MANAGEMENT CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CM-6 CONFIGURATION SETTINGS
CM-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines security configuration checklists to be used to establish and document mandatory configuration settings for the information technology products employed;
(ii) the organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;
(iii) the organization establishes and documents mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;
(iv) the organization implements the security configuration settings;
(v) the organization identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
(vi) the organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities].



CM-6(1) CONFIGURATION SETTINGS
CM-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the centralized management, application, and verification of configuration settings].


CM-6(2) CONFIGURATION SETTINGS
CM-6(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines configuration settings that, if modified by unauthorized changes, initiate the automated mechanisms to be employed to respond to such changes; and
(ii) the organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing responses to unauthorized changes to configuration settings].


CM-6(3) CONFIGURATION SETTINGS
CM-6(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability; and
(ii) the organization ensures that such detected events are tracked, monitored, corrected, and available for historical purposes.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; procedures addressing incident response planning; information system design documentation; information system configuration settings and associated documentation; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities; organizational personnel with incident response planning responsibilities].


CM-6(4) CONFIGURATION SETTINGS
CM-6(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists), prior to being introduced into a production environment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities].



FAMILY: CONFIGURATION MANAGEMENT CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CM-7 LEAST FUNCTIONALITY
CM-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines for the information system prohibited or restricted:
  • functions;
  • ports;
  • protocols; and
  • services;
(ii) the organization configures the information system to provide only essential capabilities; and
(iii) the organization configures the information system to specifically prohibit or restrict the use of organization-defined:
  • functions;
  • ports;
  • protocols; and/or
  • services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].
Test: [SELECT FROM: Information system for disabling or restricting functions, ports, protocols, and services].


CM-7(1) LEAST FUNCTIONALITY
CM-7(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of information system reviews to identify and eliminate unnecessary:
  • functions;
  • ports;
  • protocols; and/or
  • services; and
(ii) the organization reviews the information system in accordance with organization-defined frequency to identify and eliminate unnecessary:
  • functions;
  • ports;
  • protocols; and/or
  • services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for identifying and eliminating unnecessary functions, ports, protocols, and services on the information system].


CM-7(2) LEAST FUNCTIONALITY
CM-7(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and maintains one or more of the following specifications to prevent software program execution on the information system:
  • a list of software programs authorized to execute on the information system;
  • a list of software programs not authorized to execute on the information system; and/or
  • rules authorizing the terms and conditions of software program usage on the information system; and
(ii) the organization employs automated mechanisms to prevent software program execution on the information system in accordance with the organization-defined specifications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system design documentation; specification of preventing software program execution; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms preventing software program execution on the information system].


CM-7(3) LEAST FUNCTIONALITY
CM-7(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines registration requirements for:
  • ports;
  • protocols; and
  • services; and
(ii) the organization ensures compliance with organization-defined registration requirements for:
  • ports;
  • protocols; and
  • services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; other relevant documents or records].




FAMILY: CONFIGURATION MANAGEMENT CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
CM-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines information deemed necessary to achieve effective property accountability; and
(ii) the organization develops, documents, and maintains an inventory of information system components that:
  • accurately reflects the current information system;
  • is consistent with the authorization boundary of the information system;
  • is at the level of granularity deemed necessary for tracking and reporting;
  • includes organization-defined information deemed necessary to achieve effective property accountability; and
  • is available for review and audit by designated organizational officials.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system inventory records; other relevant documents or records].



CM-8(1) INFORMATION SYSTEM COMPONENT INVENTORY
CM-8(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization updates the inventory of information system components as an integral part of component:
  • installations;
  • removals; and
  • information system updates.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system inventory records; component installation records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system installation and inventory responsibilities].


CM-8(2) INFORMATION SYSTEM COMPONENT INVENTORY
CM-8(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system design documentation; information system inventory records; component installation records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information system component inventory management].


CM-8(3) INFORMATION SYSTEM COMPONENT INVENTORY
CM-8(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of employing automated mechanisms to detect the addition of unauthorized components/devices into the information system;
(ii) the organization employs automated mechanisms, in accordance with the organization-defined frequency, to detect the addition of unauthorized components/devices into the information system; and
(iii) the organization disables network access by such components/devices or notifies designated organizational officials.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system design documentation; information system inventory records; component installation records; change control records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms for detecting unauthorized components/devices on the information system].


CM-8(4) INFORMATION SYSTEM COMPONENT INVENTORY
CM-8(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes, in the property accountability information for information system components, a means for identifying by name, position, or role the individuals responsible for administering those components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system inventory records; component installation records; other relevant documents or records].



CM-8(5) INFORMATION SYSTEM COMPONENT INVENTORY
CM-8(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system inventory records; component installation records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system inventory responsibilities; organizational personnel with responsibilities for defining information system components within the authorization boundary of the system].


CM-8(6) INFORMATION SYSTEM COMPONENT INVENTORY
CM-8(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system design documentation; information system inventory records; component installation records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with inventory management and assessment responsibilities for information system components].



FAMILY: CONFIGURATION MANAGEMENT CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CM-9 CONFIGURATION MANAGEMENT PLAN
CM-9.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops, documents, and implements a configuration management plan for the information system that:
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration management planning; security plan; other relevant documents or records].



CM-9(1) CONFIGURATION MANAGEMENT PLAN
CM-9(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing responsibilities for configuration management process development; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for configuration management process development].


CONTINGENCY PLANNING


FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
CP-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents contingency planning policy;
(ii) the organization contingency planning policy addresses:
(iii) the organization disseminates formal documented contingency planning policy to elements within the organization having associated contingency planning roles and responsibilities;
(iv) the organization develops and formally documents contingency planning procedures;
(v) the organization contingency planning procedures facilitate implementation of the contingency planning policy and associated contingency planning controls; and
(vi) the organization disseminates formal documented contingency planning procedures to elements within the organization having associated contingency planning roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning responsibilities].
CP-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of contingency planning policy reviews/updates;
(ii) the organization reviews/updates contingency planning policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of contingency planning procedure reviews/updates; and
(iv) the organization reviews/updates contingency planning procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning responsibilities].



FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-2 CONTINGENCY PLAN
CP-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a contingency plan for the information system that:
  • identifies essential missions and business functions and associated contingency requirements;
  • provides recovery objectives, restoration priorities, and metrics;
  • addresses contingency roles, responsibilities, assigned individuals with contact information;
  • addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; and
  • addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
  • is reviewed and approved by designated officials within the organization;
(ii) the organization defines key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan; and
(iii) the organization distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].
CP-2.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization coordinates contingency planning activities with incident handling activities;
(ii) the organization defines the frequency of contingency plan reviews;
(iii) the organization reviews the contingency plan for the information system in accordance with the organization-defined frequency;
(iv) the organization revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution or testing; and
(v) the organization communicates contingency plan changes to the key contingency personnel and organizational elements as identified in CP-2.1 (ii).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with incident handling responsibilities].


CP-2(1) CONTINGENCY PLAN
CP-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization coordinates the contingency plan development with other organizational elements responsible for related plans.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; other related plans; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities and responsibilities in related plan areas].


CP-2(2) CONTINGENCY PLAN
CP-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; capacity planning documents; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


CP-2(3) CONTINGENCY PLAN
CP-2(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period for planning the resumption of essential missions and business functions as a result of contingency plan activation; and
(ii) the organization plans for the resumption of essential missions and business functions within the organization-defined time period of contingency plan activation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; business impact assessment; other related plans; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


CP-2(4) CONTINGENCY PLAN
CP-2(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period for planning the full resumption of affected missions and business functions as a result of contingency plan activation; and
(ii) the organization plans for the full resumption of affected missions and business functions within the organization-defined time period of contingency plan activation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; business impact assessment; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


CP-2(5) CONTINGENCY PLAN
CP-2(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity; and
(ii) the organization sustains operational continuity until full information system restoration at primary processing and/or storage sites.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; business impact assessment; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].


CP-2(6) CONTINGENCY PLAN
CP-2(6).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides for the transfer of all essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity; and
(ii) the organization sustains operational continuity through restoration to primary processing and/or storage sites.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; alternate processing site agreements; alternate storage site agreements; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities].



FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-3 CONTINGENCY TRAINING
CP-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides initial contingency training to personnel with contingency roles and responsibilities with respect to the information system;
(ii) the organization defines the frequency of refresher contingency training; and
(iii) the organization provides refresher training in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; security plan; contingency training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].



CP-3(1) CONTINGENCY TRAINING
CP-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization incorporates simulated events into contingency training; and
(ii) the incorporation of simulated events into contingency training facilitates effective response by personnel in crisis situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].


CP-3(2) CONTINGENCY TRAINING
CP-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms that provide a more thorough and realistic contingency training environment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; automated mechanisms supporting contingency training; contingency training curriculum; contingency training material; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].



FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-4 CONTINGENCY PLAN TESTING AND EXERCISES
CP-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the contingency plan tests and/or exercises to be conducted;
(ii) the organization defines the frequency of contingency plan tests and/or exercises;
(iii) the organization tests/exercises the contingency plan using organization-defined tests/exercises in accordance with organization-defined frequency; and
(iv) the organization reviews the contingency plan test/exercise results and takes corrective actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; security plan; contingency plan testing and/or exercise documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing or responding to contingency plan tests/exercises].



CP-4(1) CONTINGENCY PLAN TESTING AND EXERCISES
CP-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; contingency plan testing and/or exercise documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; organizational personnel with responsibilities for related plans].


CP-4(2) CONTINGENCY PLAN TESTING AND EXERCISES
CP-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization conducts contingency plan testing/exercises at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site's capabilities to support contingency operations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].



CP-4(3) CONTINGENCY PLAN TESTING AND EXERCISES
CP-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the information system and supported missions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; automated mechanisms supporting contingency plan testing/exercises; contingency plan testing and/or exercise documentation; other relevant documents or records].



CP-4(4) CONTINGENCY PLAN TESTING AND EXERCISES
CP-4(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities; organizational personnel with contingency plan testing and/or exercise responsibilities].



FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-5 CONTINGENCY PLAN UPDATE

[Withdrawn: Incorporated into CP-2].

CP-5.1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into CP-2].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into CP-2].
CP-5.2 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into CP-2].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into CP-2].



FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-6 ALTERNATE STORAGE SITE
CP-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes an alternate storage site; and
(ii) the organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site agreements; other relevant documents or records].



CP-6(1) ALTERNATE STORAGE SITE
CP-6(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the contingency plan identifies the primary storage site hazards; and
(ii) the alternate storage site is separated from the primary storage site so as not to be susceptible to the same hazards identified at the primary site.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site; other relevant documents or records].



CP-6(2) ALTERNATE STORAGE SITE
CP-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives and recovery point objectives.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site agreements; alternate storage site; other relevant documents or records].



CP-6(3) ALTERNATE STORAGE SITE
CP-6(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and
(ii) the organization outlines explicit mitigation actions for organization-identified accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site; mitigation actions for accessibility problems to the alternate storage site; other relevant documents or records].




FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-7 ALTERNATE PROCESSING SITE
CP-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes an alternate processing site;
(ii) the organization defines the time period for achieving the recovery time objectives within which processing must be resumed at the alternate processing site;
(iii) the organization includes necessary alternate processing site agreements to permit the resumption of information system operations for essential missions and business functions within organization-defined time period; and
(iv) the equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site agreements; security plan; spare equipment and supplies at alternate processing site; equipment and supply contracts; service level agreements; other relevant documents or records].



CP-7(1) ALTERNATE PROCESSING SITE
CP-7(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the contingency plan identifies the primary processing site hazards; and
(ii) the alternate processing site is separated from the primary processing site so as not to be susceptible to the same hazards identified at the primary site.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].



CP-7(2) ALTERNATE PROCESSING SITE
CP-7(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and
(ii) the organization outlines explicit mitigation actions for organization-identified accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].



CP-7(3) ALTERNATE PROCESSING SITE
CP-7(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site agreements; other relevant documents or records].



CP-7(4) ALTERNATE PROCESSING SITE
CP-7(4).1 ASSESSMENT OBJECTIVE:
Determine if the alternate processing site is configured so that it is ready to be used as the operational site to support essential missions and business functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; alternate processing site agreements; other relevant documents or records].
Test: [SELECT FROM: Information system at the alternate processing site].


CP-7(5) ALTERNATE PROCESSING SITE
CP-7(5).1 ASSESSMENT OBJECTIVE:
Determine if the alternate processing site provides information security measures equivalent to that of the primary site.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records].




FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-8 TELECOMMUNICATIONS SERVICES
CP-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes alternate telecommunications services to support the information system;
(ii) the organization defines the time period within which resumption of information system operations must take place; and
(iii) the organization establishes necessary alternate telecommunications service agreements to permit the resumption of telecommunications services for essential missions and business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; security plan; primary and alternate telecommunications service agreements; list of essential missions and business functions; other relevant documents or records].



CP-8(1) TELECOMMUNICATIONS SERVICES
CP-8(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements; and
(ii) the organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; Telecommunications Service Priority documentation; other relevant documents or records].



CP-8(2) TELECOMMUNICATIONS SERVICES
CP-8(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; telecommunications service providers].


CP-8(3) TELECOMMUNICATIONS SERVICES
CP-8(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies the primary provider's telecommunications service hazards; and
(ii) the alternate telecommunications service providers are separated from the primary telecommunications service providers so as not to be susceptible to the same hazards.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; alternate telecommunications service provider's site; primary telecommunications service provider's site; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; telecommunications service providers].


CP-8(4) TELECOMMUNICATIONS SERVICES
CP-8(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires primary and alternate telecommunications service providers to have contingency plans.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; telecommunications service providers].



FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-9 INFORMATION SYSTEM BACKUP
CP-9.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives;
(ii) the organization defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives;
(iii) the organization defines the frequency of conducting information system documentation backups (including security-related information) to support recovery time objectives and recovery point objectives;
(iv) the organization backs up user-level information in accordance with the organization-defined frequency;
(v) the organization backs up system-level information in accordance with the organization-defined frequency; and
(vi) the organization backs up information system documentation in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; backup storage location(s); information system backup logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system backup responsibilities].
CP-9.2 ASSESSMENT OBJECTIVE:
Determine if the organization protects the confidentiality and integrity of backup information at the storage location.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; information system design documentation; information system configuration settings and associated documentation; backup storage location(s); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system backup responsibilities].


CP-9(1) INFORMATION SYSTEM BACKUP
CP-9(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of information system backup testing; and
(ii) the organization conducts information system backup testing in accordance with organization-defined frequency to verify backup media reliability and information integrity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; information system backup test results; backup storage location(s); other relevant documents or records].



CP-9(2) INFORMATION SYSTEM BACKUP
CP-9(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; information system backup test results; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records].



CP-9(3) INFORMATION SYSTEM BACKUP
CP-9(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization stores backup copies of operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not collocated with the operational system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; backup storage location(s); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information system backup responsibilities].


CP-9(4) INFORMATION SYSTEM BACKUP

[Withdrawn: Incorporated into CP-9].

CP-9(4).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into CP-9].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into CP-9].


CP-9(5) INFORMATION SYSTEM BACKUP
CP-9(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period and rate of transferring information system backup information to the alternate storage site to support recovery time objectives and recovery point objectives; and
(ii) the organization transfers information system backup information to the alternate storage site in accordance with the organization-defined frequency and transfer rate.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; information system backup test results; alternate site service agreements; backup storage location(s); other relevant documents or records].



CP-9(6) INFORMATION SYSTEM BACKUP
CP-9(6).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization maintains a redundant, secondary backup system that is not collocated with the primary backup system for the information system; and
(ii) the redundant, secondary backup system can be activated to accomplish information system backups without causing loss of information or disruption to the operation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; information system backup test results; contingency plan test results; contingency plan testing and/or exercise documentation; secondary backup storage location(s); redundant secondary system for information system backups; other relevant documents or records].




FAMILY: CONTINGENCY PLANNING CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10.1 ASSESSMENT OBJECTIVE:
Determine if the organization provides automated mechanisms and/or manual procedures for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system configuration settings and associated documentation; information system design documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms and/or manual procedures for implementing information system recovery and reconstitution operations].


CP-10(1) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

[Withdrawn: Incorporated into CP-4(4)].

CP-10(1).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into CP-4(4)].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into CP-4(4)].


CP-10(2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system implements transaction recovery for systems that are transaction-based.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system design documentation; information system configuration settings and associated documentation; contingency plan test results; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing transaction recovery capability].


CP-10(3) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the circumstances that can inhibit recovery and reconstitution of the information system to a known state; and
(ii) the organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution of the information system to a known state.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; contingency plan test procedures; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities].


CP-10(4) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time-periods within which information system components must be reimaged from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components; and
(ii) the organization provides the capability to reimage information system components, within organization-defined time-periods, from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities].


CP-10(5) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines whether real-time or near-real-time failover capability will be provided for the information system;
(ii) the organization provides the real-time or near-real-time failover capability identified for the information system;
(iii) the organization defines the type of failover capability for the information system; and
(iv) the organization provides the organization-defined failover capability for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities].
Test: [SELECT FROM: Failover capability for the information system].


CP-10(6) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization protects backup and restoration hardware, firmware, and software.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; location(s) of backup and restoration hardware, firmware, and software; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities].


IDENTIFICATION AND AUTHENTICATION


FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


ASSESSMENT PROCEDURE
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents identification and authentication policy;
(ii) the organization identification and authentication policy addresses:
(iii) the organization disseminates formal documented identification and authentication policy to elements within the organization having associated identification and authentication roles and responsibilities;
(iv) the organization develops and formally documents identification and authentication procedures;
(v) the organization identification and authentication procedures facilitate implementation of the identification and authentication policy and associated identification and authentication controls; and
(vi) the organization disseminates formal documented identification and authentication procedures to elements within the organization having associated identification and authentication roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identification and authentication responsibilities].
IA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of identification and authentication policy reviews/updates;
(ii) the organization reviews/updates identification and authentication policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of identification and authentication procedure reviews/updates; and
(iv) the organization reviews/updates identification and authentication procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identification and authentication responsibilities].



FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


ASSESSMENT PROCEDURE
IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2.1 ASSESSMENT OBJECTIVE:
Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of non-privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


IA-2(3) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for local access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


IA-2(4) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for local access to non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of non-privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


IA-2(5) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization allows the use of group authenticators only when used in conjunction with an individual/unique authenticator; and
(ii) the organization requires individuals to be authenticated with an individual authenticator prior to using a group authenticator.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


IA-2(6) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(6).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


IA-2(7) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(7).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of non-privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


IA-2(8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(8).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the replay-resistant authentication mechanisms to be used for network access to privileged accounts; and
(ii) the information system uses the organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; list of privileged information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


IA-2(9) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2(9).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the replay-resistant authentication mechanisms to be used for network access to non-privileged accounts; and
(ii) the information system uses the organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].



FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


ASSESSMENT PROCEDURE
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
IA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the specific devices and/or types of devices for which identification and authentication is required before establishing a connection to the information system; and
(ii) the information system uniquely identifies and authenticates the organization-defined devices before establishing a connection to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; list of devices requiring unique identification and authentication; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing device identification and authentication].


IA-3(1) DEVICE IDENTIFICATION AND AUTHENTICATION
IA-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system authenticates devices before establishing remote network connections using bi-directional authentication between devices that is cryptographically based; and
(ii) the information system authenticates devices before establishing wireless network connections using bi-directional authentication between devices that is cryptographically based.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing device identification and authentication].


IA-3(2) DEVICE IDENTIFICATION AND AUTHENTICATION
IA-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system authenticates devices before establishing network connections using bi-directional authentication between devices that is cryptographically based.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; device connection reports; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing device identification and authentication].
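Added example, not text from SP 800-53A: a bi-directional, cryptographically based device authentication handshake that is also replay-resistant, i.e. the kind of mechanism IA-2(8)/(9) and IA-3(1)/(2) ask the assessor to test. Assumed for the example: the two devices share a pre-shared key (certificate-based mutual TLS would satisfy the same objectives). Each side proves possession of the key over a nonce the peer chose in this session, so a recorded response is useless in any later session, and the device's role name inside the MAC stops a reflection attack in which a device's own challenge-response is echoed back to it. The class and message layout are this example's, not the standard's.

```python
"""Mutual challenge-response device authentication (added example)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _proof(key: bytes, role: bytes, challenge: bytes, own_nonce: bytes) -> bytes:
    """HMAC over (answerer's role, the challenge being answered, answerer's own nonce)."""
    return hmac.new(key, role + challenge + own_nonce, hashlib.sha256).digest()


class Device:
    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.my_nonce = b""
        self.peer_nonce = b""
        self.peer_authenticated = False

    def challenge(self) -> bytes:
        """Step 1, initiator: start a session with a fresh random challenge."""
        self.my_nonce = secrets.token_bytes(NONCE_LEN)
        self.peer_authenticated = False
        return self.my_nonce

    def respond(self, peer_challenge: bytes) -> tuple:
        """Step 2, responder: answer the challenge and issue our own."""
        self.peer_nonce = peer_challenge
        self.my_nonce = secrets.token_bytes(NONCE_LEN)
        self.peer_authenticated = False
        return self.my_nonce, _proof(self.key, self.name.encode(), peer_challenge, self.my_nonce)

    def finish(self, peer_name: str, peer_nonce: bytes, peer_proof: bytes) -> bytes:
        """Step 3, initiator: check the responder's proof, then answer its challenge."""
        expected = _proof(self.key, peer_name.encode(), self.my_nonce, peer_nonce)
        if not hmac.compare_digest(expected, peer_proof):
            raise PermissionError(f"{self.name}: {peer_name} failed authentication")
        self.peer_authenticated = True
        self.peer_nonce = peer_nonce
        return _proof(self.key, self.name.encode(), peer_nonce, self.my_nonce)

    def confirm(self, peer_name: str, peer_proof: bytes) -> bool:
        """Step 4, responder: check the initiator's proof."""
        expected = _proof(self.key, peer_name.encode(), self.my_nonce, self.peer_nonce)
        self.peer_authenticated = hmac.compare_digest(expected, peer_proof)
        return self.peer_authenticated


def run_handshake(initiator: Device, responder: Device) -> bool:
    """Full exchange; True only when each side has authenticated the other."""
    try:
        n_i = initiator.challenge()
        n_r, proof_r = responder.respond(n_i)
        proof_i = initiator.finish(responder.name, n_r, proof_r)
        responder.confirm(initiator.name, proof_i)
    except PermissionError:
        return False
    return initiator.peer_authenticated and responder.peer_authenticated


def replay_is_rejected(initiator: Device, responder: Device) -> bool:
    """Record the responder's message in one session and replay it in the next."""
    captured = responder.respond(initiator.challenge())   # attacker records (n_r, proof_r)
    initiator.finish(responder.name, *captured)           # legitimate session completes
    initiator.challenge()                                 # new session, new challenge
    try:
        initiator.finish(responder.name, *captured)       # attacker replays the capture
    except PermissionError:
        return True
    return False
```

The test an assessor would run against a real mechanism is the same shape as replay_is_rejected: capture one side's authentication message, replay it into a fresh connection, and confirm it is refused.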


IA-3(3) DEVICE IDENTIFICATION AND AUTHENTICATION
IA-3(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization standardizes, with regard to dynamic address allocation, Dynamic Host Configuration Protocol (DHCP) lease information and the lease time assigned to DHCP-enabled devices; and
(ii) the organization audits DHCP lease information (including IP addresses) when it is assigned to DHCP-enabled devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; information system configuration settings and associated documentation; DHCP lease information; device connection reports; other relevant documents or records].




FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


ASSESSMENT PROCEDURE
IA-4 IDENTIFIER MANAGEMENT
IA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period for preventing reuse of user or device identifiers;
(ii) the organization defines the time period of inactivity after which a user identifier is to be disabled; and
(iii) the organization manages information system identifiers for users and devices by:
  • receiving authorization from a designated organizational official to assign a user or device identifier;
  • selecting an identifier that uniquely identifies an individual or device;
  • assigning the user identifier to the intended party or the device identifier to the intended device;
  • preventing reuse of user or device identifiers for the organization-defined time period; and
  • disabling the user identifier after the organization-defined time period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; list of identifiers generated from physical access control devices; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identifier management responsibilities].
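Added example, not text from SP 800-53A: an audit an assessor could run over an exported account list to test the IA-4 identifier-management mechanisms, namely that an identifier is live for one party only, that an identifier is disabled after the organization-defined period of inactivity, and that a released identifier is not reissued within the organization-defined reuse-prevention period. The account records, the two time periods and the audit date are constructed for the example; the record format is an assumption, not any product's export format.

```python
"""Identifier lifecycle audit over a constructed account export (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Organization-defined values, assumed for the example.
INACTIVITY_DISABLE_DAYS = 90
REUSE_PREVENTION_DAYS = 365
AUDIT_DATE = date(2024, 6, 1)


@dataclass
class IdentifierRecord:
    identifier: str           # user or device identifier
    assigned_to: str          # person or device it was issued to
    assigned_on: date
    status: str               # "active" or "disabled"
    last_used: date           # last successful authentication
    released: Optional[date]  # when it was freed for reassignment, if ever


# Constructed export; comments state the expected finding, if any.
SAMPLE_ACCOUNTS = [
    IdentifierRecord("jdoe", "Jane Doe", date(2023, 1, 10), "active", date(2024, 5, 20), None),
    IdentifierRecord("svc-backup", "backup-server-01", date(2022, 6, 1), "active",
                     date(2024, 1, 15), None),                    # idle past threshold
    IdentifierRecord("asmith", "Adam Smith", date(2021, 3, 1), "disabled",
                     date(2023, 9, 30), date(2023, 10, 1)),
    IdentifierRecord("asmith", "Alice Smith", date(2024, 2, 1), "active",
                     date(2024, 5, 28), None),                    # reissued too soon
    IdentifierRecord("ops", "Ops Team A", date(2023, 1, 1), "active", date(2024, 5, 29), None),
    IdentifierRecord("ops", "Ops Team B", date(2023, 1, 1), "active", date(2024, 5, 29), None),
]                                                                 # one identifier, two parties


def audit_identifiers(records: List[IdentifierRecord], today: date) -> List[Tuple[str, str]]:
    """Return (identifier, finding) pairs; an empty list means all checks passed."""
    findings = []
    for r in records:
        idle = (today - r.last_used).days
        if r.status == "active" and idle > INACTIVITY_DISABLE_DAYS:
            findings.append((r.identifier, f"still active after {idle} days of inactivity"))

    by_id = {}
    for r in records:
        by_id.setdefault(r.identifier, []).append(r)
    for ident, recs in by_id.items():
        parties = {r.assigned_to for r in recs if r.status == "active"}
        if len(parties) > 1:   # an identifier must map to exactly one party
            findings.append((ident, f"assigned concurrently to {sorted(parties)}"))
        for old in recs:       # reissued before the reuse-prevention period elapsed?
            if old.released is None:
                continue
            for new in recs:
                if new is old or new.assigned_on < old.released:
                    continue
                gap = (new.assigned_on - old.released).days
                if gap < REUSE_PREVENTION_DAYS:
                    findings.append((ident, f"reissued to {new.assigned_to} {gap} days after release"))
    return findings


if __name__ == "__main__":
    for ident, finding in audit_identifiers(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{ident}: {finding}")
```

Run against the sample, the audit reports three findings: svc-backup (138 days idle, still active), asmith (reissued 123 days after release) and ops (two active parties).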



IA-4(1) IDENTIFIER MANAGEMENT
IA-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization prohibits the use of information system account identifiers as public identifiers for user electronic mail accounts (i.e., user identifier portion of the electronic mail address).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].



IA-4(2) IDENTIFIER MANAGEMENT
IA-4(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires that registration to receive a user ID and password include authorization by a supervisor; and
(ii) the organization requires that registration to receive a user ID and password be done in person before a designated registration authority.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; user ID and password registration documentation; ID and password authorization records; registration authority records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identifier management responsibilities].


IA-4(3) IDENTIFIER MANAGEMENT
IA-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; identifier certification documentation; organizational personnel biometrics records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with identifier management responsibilities].


IA-4(4) IDENTIFIER MANAGEMENT
IA-4(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the characteristic to be used to identify user status; and
(ii) the organization manages user identifiers by uniquely identifying the user with the organization-defined characteristic identifying user status.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; list of characteristics identifying user status; other relevant documents or records].



IA-4(5) IDENTIFIER MANAGEMENT
IA-4(5).1 ASSESSMENT OBJECTIVE:
Determine if the information system dynamically manages:
  • identifiers;
  • attributes; and
  • associated access authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identifier management functions].



FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


ASSESSMENT PROCEDURE
IA-5 AUTHENTICATOR MANAGEMENT
IA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period (by authenticator type) for changing/refreshing authenticators; and
(ii) the organization manages information system authenticators for users and devices by:
  • verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
  • establishing initial authenticator content for authenticators defined by the organization;
  • ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • establishing and implementing administrative procedures for initial authenticator distribution;
  • establishing and implementing administrative procedures for lost/compromised or damaged authenticators;
  • establishing and implementing administrative procedures for revoking authenticators;
  • changing default content of authenticators upon information system installation;
  • establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if deemed to be appropriate by the organization);
  • changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type;
  • protecting authenticator content from unauthorized disclosure and modification; and
  • requiring users to take, and having devices implement, specific measures to safeguard authenticators.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for determining initial authenticator content].
Test: [SELECT FROM: Automated mechanisms implementing authenticator management functions].


IA-5(1) AUTHENTICATOR MANAGEMENT
IA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the minimum password complexity requirements to be enforced for case sensitivity, the number of characters, and the mix of upper-case letters, lower-case letters, numbers, and special characters including minimum requirements for each type;
(ii) the organization defines the minimum number of characters that must be changed when new passwords are created;
(iii) the organization defines the restrictions to be enforced for password minimum lifetime and password maximum lifetime parameters;
(iv) the organization defines the number of generations for which password reuse is prohibited; and
(v) the information system, for password-based authentication:
  • enforces the minimum password complexity standards that meet the organization-defined requirements;
  • enforces the organization-defined minimum number of characters that must be changed when new passwords are created;
  • encrypts passwords in storage and in transmission;
  • enforces the organization-defined restrictions for password minimum lifetime and password maximum lifetime parameters; and
  • prohibits password reuse for the organization-defined number of generations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing authenticator management functions].


IA-5(2) AUTHENTICATOR MANAGEMENT
IA-5(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system, for PKI-based authentication:
  • validates certificates by constructing a certification path with status information to an accepted trust anchor;
  • enforces authorized access to the corresponding private key; and
  • maps the authenticated identity to the user account.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; security plan; information system design documentation; information system configuration settings and associated documentation; PKI certificate revocation lists; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for PKI-based authentication management].
Test: [SELECT FROM: Automated mechanisms implementing PKI-based authenticator management functions].


IA-5(3) AUTHENTICATOR MANAGEMENT
IA-5(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the types of and/or specific authenticators for which the registration process must be carried out in person before a designated registration authority with authorization by a designated organizational official; and
(ii) the organization requires that the registration process to receive organization-defined types of and/or specific authenticators be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; list of authenticators that require in-person registration; authenticator registration documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with authenticator management responsibilities].


IA-5(4) AUTHENTICATOR MANAGEMENT
IA-5(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; automated tools for testing authenticators; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with authenticator management responsibilities].
Test: [SELECT FROM: Automated mechanisms for authenticator strength].
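Added example, not text from SP 800-53A: the password-based checks an automated mechanism has to enforce under IA-5(1) (complexity, minimum number of characters changed, reuse generations, minimum and maximum lifetime) together with a strength test of the kind IA-5(4) asks for, here a lookup against a constructed list of known-weak passwords. The policy values and the weak-password list are assumptions. For the storage requirement a salted, iterated hash (PBKDF2) is shown instead of reversible encryption, since a verifier only ever needs to compare, never to recover, the password; the iteration count is kept low for the example.

```python
"""IA-5(1) password policy enforcement plus an IA-5(4)-style strength test (added example)."""
import hashlib
import hmac
import os
import string
from typing import List, Tuple

POLICY = {
    "min_length": 12,
    "min_upper": 1, "min_lower": 1, "min_digit": 1, "min_special": 1,
    "min_chars_changed": 4,       # positions that must differ from the old password
    "history_generations": 24,
    "min_lifetime_days": 1,
    "max_lifetime_days": 60,
}
PBKDF2_ITERATIONS = 100_000       # low for the example; raise in production
# Constructed stand-in for a breached/common-password corpus (IA-5(4)).
COMMON_PASSWORDS = {"password", "welcome1", "summer2024", "letmein", "qwerty123"}


def complexity_violations(pw: str) -> List[str]:
    """Names of the complexity rules the candidate fails (counts are case-sensitive)."""
    counts = {
        "min_upper": sum(c.isupper() for c in pw),
        "min_lower": sum(c.islower() for c in pw),
        "min_digit": sum(c.isdigit() for c in pw),
        "min_special": sum(c in string.punctuation for c in pw),
    }
    problems = ["too short"] if len(pw) < POLICY["min_length"] else []
    problems += [rule for rule, n in counts.items() if n < POLICY[rule]]
    return problems


def chars_changed(old: str, new: str) -> int:
    """Positions that differ, plus any difference in length."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def hash_password(pw: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only the (salt, hash) pair is ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


def in_history(pw: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any of the last N stored (salt, hash) pairs."""
    recent = history[-POLICY["history_generations"]:]
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest) for salt, digest in recent)


def weak_by_dictionary(pw: str) -> bool:
    """Reject known-weak values, also when only case or trailing punctuation/digits differ."""
    lowered = pw.lower()
    base = lowered.rstrip(string.punctuation)
    return any(v in COMMON_PASSWORDS for v in (lowered, base, base.rstrip(string.digits)))


def validate_change(old: str, new: str, history: List[Tuple[bytes, bytes]],
                    days_since_change: int) -> List[str]:
    """Every reason the change is rejected; an empty list means it is accepted."""
    reasons = complexity_violations(new)
    if chars_changed(old, new) < POLICY["min_chars_changed"]:
        reasons.append("too few characters changed")
    if in_history(new, history):
        reasons.append("reused within history")
    if days_since_change < POLICY["min_lifetime_days"]:
        reasons.append("minimum lifetime not reached")
    if weak_by_dictionary(new):
        reasons.append("known weak password")
    return reasons


def password_expired(days_since_change: int) -> bool:
    """Maximum-lifetime check, evaluated at login rather than at change time."""
    return days_since_change > POLICY["max_lifetime_days"]
```

When assessing a real mechanism, feed it the same boundary cases: a candidate that is one character short, one that differs from the old password in fewer positions than the policy allows, one that matches an entry deep in the history, and a change attempted inside the minimum lifetime.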


IA-5(5) AUTHENTICATOR MANAGEMENT
IA-5(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires vendors and/or manufacturers of information system components to provide unique authenticators or change default authenticators prior to delivery.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; system and services acquisition policy; procedures addressing authenticator management; procedures addressing the integration of security requirements into the acquisition process; acquisition documentation; acquisition contracts for information system procurements or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information system security, acquisition, and contracting responsibilities].


IA-5(6) AUTHENTICATOR MANAGEMENT
IA-5(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization protects authenticators commensurate with the classification or sensitivity of the information accessed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information classification or sensitivity documentation; security categorization documentation for the information system; security assessments of authenticator protections; risk assessment results; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel implementing and/or maintaining authenticator protections].


IA-5(7) AUTHENTICATOR MANAGEMENT
IA-5(7).1 ASSESSMENT OBJECTIVE:
Determine if the organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; logical access scripts; application code reviews for detecting unencrypted static authenticators; other relevant documents or records].
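Added example, not text from SP 800-53A: a scanner for unencrypted static authenticators embedded in access scripts, the kind of code review IA-5(7) lists as an assessment object. The script lines are constructed for the example. The patterns cover credential assignments, command-line flags, credentials embedded in URLs and HTTP Basic headers, and they skip values that are references to the environment or a secrets manager rather than literals written into the script. The pattern set is an assumption and will not catch every encoding; it is a starting point for the manual review, not a substitute for it.

```python
"""Scan access scripts for embedded static authenticators (added example)."""
import re
from typing import List, Tuple

SECRET_NAMES = r"(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key|private[_-]?key)"
PATTERNS = [
    # NAME="value" / name: value
    ("assignment", re.compile(r"(?i)" + SECRET_NAMES + r"""\b\s*[:=]\s*["']?([^\s"']{4,})""")),
    # --password value, --token=value, -pvalue (mysql style; "-p 2222" is a port, not a password)
    ("cli-flag", re.compile(r"(?i)(?:--(?:password|passwd|token)[= ]|-p(?!\s))([^\s]{4,})")),
    # -u user:pass / --user user:pass
    ("cli-userpass", re.compile(r"(?i)(?:-u|--user)\s+[^\s:]+:([^\s]+)")),
    # scheme://user:pass@host
    ("url-credential", re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s@/]+)@")),
    # Authorization: Basic <base64>
    ("basic-auth", re.compile(r"(?i)authorization:\s*basic\s+([A-Za-z0-9+/=]{8,})")),
]
# A captured value that is a reference, not a literal: $VAR, %VAR%, os.environ,
# os.getenv, a secrets-manager call, or a placeholder such as <REDACTED> or ********.
INDIRECTION = re.compile(
    r"(?i)^(?:\$\{?\w+\}?|%\w+%|os\.(?:environ|getenv)|getenv|vault|keyring|\*{3,}|<[^>]+>)")

# Constructed sample script; comments note which lines should be reported.
SAMPLE_SCRIPT = [
    "#!/bin/sh",
    "# nightly export; constructed sample for the example",
    'DB_PASSWORD="hunter2hunter2"',                                   # reported
    "export API_TOKEN=$VAULT_API_TOKEN",                              # reference, not reported
    "mysqldump -u exporter -pS3cretDump! inventory > /tmp/inv.sql",   # reported
    "curl -u svc:Tr0ub4dor&3 https://api.example.com/v1/ping",        # reported
    "git clone https://deploy:D3ploy-Key@git.example.com/app.git",    # reported
    'curl -H "Authorization: Basic c3ZjOlRyMHViNGRvciYz" https://api.example.com/v1/ping',  # reported
    "ssh -p 2222 backup@backup.example.com",                          # port, not reported
    'password = os.environ["DB_PASSWORD"]',                           # reference, not reported
]


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, pattern name, value) for each likely embedded static authenticator."""
    findings = []
    for number, line in enumerate(lines, start=1):   # comment lines are scanned as well:
        for name, pattern in PATTERNS:               # a commented-out credential still leaks
            for match in pattern.finditer(line):
                value = match.group(1)
                if not INDIRECTION.match(value):
                    findings.append((number, name, value))
    return findings


if __name__ == "__main__":
    for number, name, value in scan_lines(SAMPLE_SCRIPT):
        print(f"line {number}: {name}: {value}")
```

A finding is a candidate for the reviewer, not a verdict: a value can still be an encrypted blob or a test fixture, and the scanner says nothing about secrets stored on function keys, which only a walk-through of the terminal configuration will reveal.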



IA-5(8) AUTHENTICATOR MANAGEMENT
IA-5(8).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines measures taken to manage the risk of compromise due to individuals having accounts on multiple information systems; and
(ii) the organization takes organization-defined measures to manage the risk of compromise due to individuals having accounts on multiple information systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; security plan; list of individuals having accounts on multiple information systems; list of measures intended to manage risk of compromise due to individuals having accounts on multiple information systems; other relevant documents or records].




FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


ASSESSMENT PROCEDURE
IA-6 AUTHENTICATOR FEEDBACK
IA-6.1 ASSESSMENT OBJECTIVE:
Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator feedback; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing authenticator feedback].



FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


ASSESSMENT PROCEDURE
IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-7.1 ASSESSMENT OBJECTIVE:
Determine if the information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing cryptographic module authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing cryptographic module authentication].



FAMILY: IDENTIFICATION AND AUTHENTICATION CLASS: TECHNICAL


ASSESSMENT PROCEDURE
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
IA-8.1 ASSESSMENT OBJECTIVE:
Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system].


INCIDENT RESPONSE


FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
IR-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents incident response policy;
(ii) the organization incident response policy addresses:
(iii) the organization disseminates formal documented incident response policy to elements within the organization having associated incident response roles and responsibilities;
(iv) the organization develops and formally documents incident response procedures;
(v) the organization incident response procedures facilitate implementation of the incident response policy and associated incident response controls; and
(vi) the organization disseminates formal documented incident response procedures to elements within the organization having associated incident response roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response responsibilities].
IR-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of incident response policy reviews/updates;
(ii) the organization reviews/updates incident response policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of incident response procedure reviews/updates; and
(iv) the organization reviews/updates incident response procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response responsibilities].



FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
IR-2 INCIDENT RESPONSE TRAINING
IR-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies personnel with incident response roles and responsibilities with respect to the information system;
(ii) the organization provides incident response training to personnel with incident response roles and responsibilities with respect to the information system;
(iii) incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities;
(iv) the organization defines the frequency of refresher incident response training; and
(v) the organization provides refresher incident response training in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; security plan; incident response plan; incident response training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].



IR-2(1) INCIDENT RESPONSE TRAINING
IR-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].


IR-2(2) INCIDENT RESPONSE TRAINING
IR-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; automated mechanisms supporting incident response training; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].



FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
IR-3 INCIDENT RESPONSE TESTING AND EXERCISES
IR-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines incident response tests/exercises;
(ii) the organization defines the frequency of incident response tests/exercises;
(iii) the organization tests/exercises the incident response capability for the information system using organization-defined tests/exercises in accordance with organization-defined frequency;
(iv) the organization documents the results of incident response tests/exercises; and
(v) the organization determines the effectiveness of the incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing material; incident response test results; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response testing responsibilities].



IR-3(1) INCIDENT RESPONSE TESTING AND EXERCISES
IR-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing documentation; automated mechanisms supporting incident response tests/exercises; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response testing responsibilities].



FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
IR-4 INCIDENT HANDLING
IR-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization implements an incident handling capability for security incidents that includes:
  • preparation;
  • detection and analysis;
  • containment;
  • eradication; and
  • recovery;
(ii) the organization coordinates incident handling activities with contingency planning activities;
(iii) the organization incorporates lessons learned from ongoing incident handling activities into:
  • incident response procedures;
  • training; and
  • testing/exercises; and
(iv) the organization implements the resulting changes to incident response procedures, training, and testing/exercises accordingly.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with contingency planning responsibilities].
Test: [SELECT FROM: Incident handling capability for the organization].


IR-4(1) INCIDENT HANDLING
IR-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to support the incident handling process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


IR-4(2) INCIDENT HANDLING
IR-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes dynamic reconfiguration of the information system as part of the incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


IR-4(3) INCIDENT HANDLING
IR-4(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies classes of incidents; and
(ii) the organization defines the appropriate actions to take in response to each class of incidents to ensure continuation of organizational missions and business functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; security plan; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


IR-4(4) INCIDENT HANDLING
IR-4(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; incident response plan; automated mechanisms supporting incident handling; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].


IR-4(5) INCIDENT HANDLING
IR-4(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines a list of security violations that, if detected, initiate a configurable capability to automatically disable the information system; and
(ii) the organization implements a configurable capability to automatically disable the information system if any of the organization-defined security violations are detected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; security plan; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities].



FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
IR-5 INCIDENT MONITORING
IR-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization tracks and documents information system security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident monitoring responsibilities].
Test: [SELECT FROM: Incident monitoring capability for the organization].


IR-5(1) INCIDENT MONITORING
IR-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automated mechanisms to assist in the tracking of security incidents;
(ii) the organization employs automated mechanisms to assist in the collection of security incident information; and
(iii) the organization employs automated mechanisms to assist in the analysis of security incident information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; information system design documentation; information system configuration settings and associated documentation; automated mechanisms supporting incident monitoring; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident monitoring responsibilities].
Test: [SELECT FROM: Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information].



FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
IR-6 INCIDENT REPORTING
IR-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period required to report suspected security incidents to the organizational incident response capability;
(ii) the organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period; and
(iii) the organization reports security incident information to designated authorities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; incident reporting records and documentation; security plan; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities].



IR-6(1) INCIDENT REPORTING
IR-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; automated mechanisms supporting incident reporting; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities].


IR-6(2) INCIDENT REPORTING
IR-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization reports information system weaknesses, deficiencies, and/or vulnerabilities associated with reported security incidents to appropriate organizational officials.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; automated mechanisms supporting incident reporting; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities].



FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
IR-7 INCIDENT RESPONSE ASSISTANCE
IR-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents; and
(ii) the incident response support resource is an integral part of the organization's incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response assistance and support responsibilities].



IR-7(1) INCIDENT RESPONSE ASSISTANCE
IR-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; automated mechanisms supporting incident response support and assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response support and assistance responsibilities; organizational personnel that require incident response support and assistance].


IR-7(2) INCIDENT RESPONSE ASSISTANCE
IR-7(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
(ii) the organization identifies organizational incident response team members to the external providers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; automated mechanisms supporting incident response support and assistance; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response support and assistance responsibilities; external providers of information system protection capability].



FAMILY: INCIDENT RESPONSE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
IR-8 INCIDENT RESPONSE PLAN
IR-8.1 ASSESSMENT OBJECTIVE:
Determine if the organization develops an incident response plan that:
  • provides the organization with a roadmap for implementing its incident response capability;
  • describes the structure and organization of the incident response capability;
  • provides a high-level approach for how the incident response capability fits into the overall organization;
  • meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
  • defines reportable incidents;
  • provides metrics for measuring the incident response capability within the organization;
  • defines the resources and management support needed to effectively maintain and mature an incident response capability; and
  • is reviewed and approved by designated officials within the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response planning; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities].
IR-8.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines, in the incident response plan, incident response personnel (identified by name and/or role) and organizational elements;
(ii) the organization distributes copies of the incident response plan to incident response personnel and organizational elements identified in the plan;
(iii) the organization defines, in the incident response plan, the frequency to review the plan;
(iv) the organization reviews the incident response plan in accordance with the organization-defined frequency;
(v) the organization revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and
(vi) the organization communicates incident response plan changes to incident response personnel and organizational elements identified in the plan.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response planning; incident response plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities].


MAINTENANCE


FAMILY: MAINTENANCE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES
MA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents system maintenance policy;
(ii) the organization system maintenance policy addresses:
(iii) the organization disseminates formal documented system maintenance policy to elements within the organization having associated system maintenance roles and responsibilities;
(iv) the organization develops and formally documents system maintenance procedures;
(v) the organization system maintenance procedures facilitate implementation of the system maintenance policy and associated system maintenance controls; and
(vi) the organization disseminates formal documented system maintenance procedures to elements within the organization having associated system maintenance roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].
MA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of system maintenance policy reviews/updates;
(ii) the organization reviews/updates system maintenance policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of system maintenance procedure reviews/updates; and
(iv) the organization reviews/updates system maintenance procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].



FAMILY: MAINTENANCE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MA-2 CONTROLLED MAINTENANCE
MA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
(ii) the organization controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
(iii) the organization requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
(iv) the organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
(v) the organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; manufacturer/vendor maintenance specifications; equipment sanitization records; media sanitization records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].



MA-2(1) CONTROLLED MAINTENANCE
MA-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization maintains maintenance records for the information system that include:
  • date and time of maintenance;
  • name of the individual performing the maintenance;
  • name of escort, if necessary;
  • a description of the maintenance performed; and
  • a list of equipment removed or replaced (including identification numbers, if applicable).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; other relevant documents or records].



MA-2(2) CONTROLLED MAINTENANCE
MA-2(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required; and
(ii) the organization employs automated mechanisms to produce up-to-date, accurate, complete, and available records of all maintenance and repair actions needed, in process, and completed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; automated mechanisms supporting information system maintenance activities; information system configuration settings and associated documentation; maintenance records; other relevant documents or records].




FAMILY: MAINTENANCE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MA-3 MAINTENANCE TOOLS
MA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization approves, controls, and monitors the use of information system maintenance tools; and
(ii) the organization maintains information system maintenance tools on an ongoing basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; maintenance records; other relevant documents or records].



MA-3(1) MAINTENANCE TOOLS
MA-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; maintenance records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].


MA-3(2) MAINTENANCE TOOLS
MA-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization checks all media containing diagnostic and test programs (e.g., software or firmware used for information system maintenance or diagnostics) for malicious code before the media are used in the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; information system media containing maintenance programs (including diagnostic and test programs); maintenance records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].
Test: [SELECT FROM: Media checking process for malicious code detection].


MA-3(3) MAINTENANCE TOOLS
MA-3(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization prevents the unauthorized removal of maintenance equipment by one of the following:
  • verifying that there is no organizational information contained on the equipment;
  • sanitizing or destroying the equipment;
  • retaining the equipment within the facility; or
  • obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; information system media containing maintenance programs (including diagnostic and test programs); maintenance records; equipment sanitization records; media sanitization records; exemptions for equipment removal; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].


MA-3(4) MAINTENANCE TOOLS
MA-3(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; automated mechanisms supporting information system maintenance activities; information system design documentation; information system configuration settings and associated documentation; maintenance records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms supporting information system maintenance activities].



FAMILY: MAINTENANCE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MA-4 NON-LOCAL MAINTENANCE
MA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization authorizes, monitors, and controls non-local maintenance and diagnostic activities;
(ii) the organization documents, in the organizational policy and security plan for the information system, the acceptable conditions for allowing the use of non-local maintenance and diagnostic tools;
(iii) the organization allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and as documented in the security plan;
(iv) the organization employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
(v) the organization maintains records for non-local maintenance and diagnostic activities; and
(vi) the organization (or information system in certain cases) terminates all sessions and network connections when non-local maintenance or diagnostics is completed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; security plan; information system design documentation; information system configuration settings and associated documentation; maintenance records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].



MA-4(1) NON-LOCAL MAINTENANCE
MA-4(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization audits non-local maintenance and diagnostic sessions; and
(ii) designated organizational personnel review the maintenance records of the sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; maintenance records; audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].


MA-4(2) NON-LOCAL MAINTENANCE
MA-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization documents the installation and use of non-local maintenance and diagnostic connections in the security plan for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; security plan; maintenance records; audit records; other relevant documents or records].



MA-4(3) NON-LOCAL MAINTENANCE
MA-4(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires and ensures non-local maintenance and diagnostic services from an information system that implements a level of security at least as high as the level of security implemented on the information system being serviced; or
(ii) the organization removes the component to be serviced from the information system and, prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities; and
(iii) after the service is performed on the removed component, the organization inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting it to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; service provider contracts and/or service level agreements; maintenance records; audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities; information system maintenance provider].


MA-4(4) NON-LOCAL MAINTENANCE
MA-4(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization protects non-local maintenance sessions through the use of a strong authenticator tightly bound to the user; and
(ii) the organization protects non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by either:
  • physically separated communications paths; or
  • logically separated communications paths based upon encryption.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; information system design documentation; information system configuration settings and associated documentation; maintenance records; audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].


MA-4(5) NON-LOCAL MAINTENANCE
MA-4(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the organizational personnel to be notified when non-local maintenance is planned;
(ii) the organization requires that maintenance personnel notify organization-defined personnel when non-local maintenance is planned (i.e., date/time); and
(iii) the organization requires that a designated organizational official with specific information security/information system knowledge approves the non-local maintenance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; security plan; maintenance records; audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].


MA-4(6) NON-LOCAL MAINTENANCE
MA-4(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; cryptographic mechanisms supporting information system maintenance activities; information system design documentation; information system configuration settings and associated documentation; maintenance records; audit records; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms supporting information system maintenance activities].


MA-4(7) NON-LOCAL MAINTENANCE
MA-4(7).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; information system design documentation; information system configuration settings and associated documentation; maintenance records; audit records; other relevant documents or records].




FAMILY: MAINTENANCE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MA-5 MAINTENANCE PERSONNEL
MA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes a process for maintenance personnel authorization;
(ii) the organization maintains a current list of authorized maintenance organizations or personnel; and
(iii) personnel performing maintenance on the information system either have the required access authorizations or are supervised by designated organizational personnel with the required access authorizations and technical competence deemed necessary to supervise information system maintenance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; service provider contracts and/or service level agreements; list of authorized personnel; maintenance records; access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].



MA-5(1) MAINTENANCE PERSONNEL
MA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization maintains procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens, and that those procedures include the following requirements:
  • maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
  • prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
  • in the event an information system component cannot be sanitized, the procedures contained in the security plan for the system are enforced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; information system media protection policy; physical and environmental protection policy; security plan; list of maintenance personnel requiring escort/supervision; maintenance records; access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities; organizational personnel with personnel security responsibilities; organizational personnel with physical access control responsibilities].


MA-5(2) MAINTENANCE PERSONNEL
MA-5(2).1 ASSESSMENT OBJECTIVE:
Determine if personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are cleared for the highest level of information on the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; maintenance records; access control records; access authorizations; access credentials; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities; organizational personnel with personnel security responsibilities].


MA-5(3) MAINTENANCE PERSONNEL
MA-5(3).1 ASSESSMENT OBJECTIVE:
Determine if personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; maintenance records; access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities; organizational personnel with personnel security responsibilities].


MA-5(4) MAINTENANCE PERSONNEL
MA-5(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) cleared foreign nationals are used to conduct maintenance and diagnostic activities on an information system only when the system is jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
(ii) the organization documents in a Memorandum of Agreement the approvals, consents, and detailed operational conditions under which foreign nationals are allowed to conduct maintenance and diagnostic activities on an information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; information system media protection policy; access control policy and procedures; physical and environmental protection policy and procedures; memorandum of agreement; maintenance records; access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities; organizational personnel with personnel security responsibilities].



FAMILY: MAINTENANCE CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MA-6 TIMELY MAINTENANCE
MA-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines security-critical information system components and/or key information technology components for which it will obtain maintenance support and/or spare parts;
(ii) the organization defines the time period within which support and/or spare parts must be obtained after a failure; and
(iii) the organization obtains maintenance support and/or spare parts for the organization-defined list of security-critical information system components and/or key information technology components within the organization-defined time period of failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing timely maintenance for the information system; service provider contracts and/or service level agreements; inventory and availability of spare parts; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].



MEDIA PROTECTION


FAMILY: MEDIA PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
MP-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents media protection policy;
(ii) the organization's media protection policy addresses:
  • purpose;
  • scope;
  • roles and responsibilities;
  • management commitment;
  • coordination among organizational entities; and
  • compliance;
(iii) the organization disseminates formal documented media protection policy to elements within the organization having associated media protection roles and responsibilities;
(iv) the organization develops and formally documents media protection procedures;
(v) the organization media protection procedures facilitate implementation of the media protection policy and associated media protection controls; and
(vi) the organization disseminates formal documented media protection procedures to elements within the organization having associated media protection roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Media protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].
MP-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of media protection policy reviews/updates;
(ii) the organization reviews/updates media protection policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of media protection procedure reviews/updates; and
(iv) the organization reviews/updates media protection procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Media protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].



FAMILY: MEDIA PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MP-2 MEDIA ACCESS
MP-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines:
  • digital and non-digital media requiring restricted access;
  • individuals authorized to access the media;
  • security measures taken to restrict access; and
(ii) the organization restricts access to organization-defined information system media to organization-defined authorized individuals using organization-defined security measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].



MP-2(1) MEDIA ACCESS
MP-2(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automated mechanisms to restrict access to media storage areas; and
(ii) the organization employs automated mechanisms to audit access attempts and access granted to media storage areas.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control devices; access control records; audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access restrictions to media storage areas].


MP-2(2) MEDIA ACCESS
MP-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms protecting and restricting access to information system information on portable digital media].



FAMILY: MEDIA PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MP-3 MEDIA MARKING
MP-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines removable media types and information system output that require marking;
(ii) the organization marks removable media and information system output in accordance with organizational policies and procedures, indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information;
(iii) the organization defines:
  • removable media types and information system output exempt from marking; and
  • controlled areas designated for retaining removable media and information system output exempt from marking; and
(iv) removable media and information system output exempt from marking remain within designated controlled areas.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media labeling; physical and environmental protection policy and procedures; security plan; removable storage media and information system output; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media protection and marking responsibilities].




FAMILY: MEDIA PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MP-4 MEDIA STORAGE
MP-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines:
  • types of digital and non-digital media physically controlled and securely stored within designated controlled areas;
  • controlled areas designated to physically control and securely store the media;
  • security measures to physically control and securely store the media within designated controlled areas;
(ii) the organization physically controls and securely stores organization-defined information system media within organization-defined controlled areas using organization-defined security measures; and
(iii) the organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; security plan; information system media; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media protection and storage responsibilities].



MP-4(1) MEDIA STORAGE
MP-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs cryptographic mechanisms to protect information in storage.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media storage; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control devices; access control records; audit records; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms protecting information in storage].



FAMILY: MEDIA PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MP-5 MEDIA TRANSPORT
MP-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines:
  • types of digital and non-digital media protected and controlled during transport outside of controlled areas;
  • security measures (e.g., locked container, encryption) for such media transported outside of controlled areas;
(ii) the organization protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security measures;
(iii) the organization maintains accountability for information system media during transport outside of controlled areas;
(iv) the organization identifies personnel authorized to transport information system media outside of controlled areas; and
(v) the organization restricts the activities associated with transport of information system media to authorized personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; access control policy and procedures; security plan; list of organization-defined personnel authorized to transport information system media outside of controlled areas; information system media; information system media transport records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media transport responsibilities].



MP-5(1) MEDIA TRANSPORT
[Withdrawn: Incorporated into MP-5].


MP-5(2) MEDIA TRANSPORT
MP-5(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization documents activities associated with the transport of information system media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; access control policy and procedures; security plan; information system media transport records; audit records; other relevant documents or records].



MP-5(3) MEDIA TRANSPORT
MP-5(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an identified custodian throughout the transport of information system media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; information system media transport records; audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media transport responsibilities].


MP-5(4) MEDIA TRANSPORT
MP-5(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; information system media transport records; audit records; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms protecting information during transportation outside controlled areas].



FAMILY: MEDIA PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
MP-6 MEDIA SANITIZATION
MP-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization sanitizes information system media, both digital and non-digital, prior to:
  • disposal;
  • release out of organizational control; or
  • release for reuse; and
(ii) the organization employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; media sanitization records; audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].



MP-6(1) MEDIA SANITIZATION
MP-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization tracks, documents, and verifies media sanitization and disposal actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy and procedures; media sanitization records; audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].


MP-6(2) MEDIA SANITIZATION
MP-6(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency for testing sanitization equipment and procedures to verify correct performance; and
(ii) the organization tests sanitization equipment and procedures to verify correct performance in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; media sanitization equipment test records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].


MP-6(3) MEDIA SANITIZATION
MP-6(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines circumstances requiring sanitization of portable, removable storage devices prior to connecting such devices to the information system; and
(ii) the organization sanitizes portable, removable storage devices prior to connecting such devices to the information system under organization-defined circumstances.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy and procedures; media sanitization records; audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].


MP-6(4) MEDIA SANITIZATION
MP-6(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization sanitizes information system media containing controlled unclassified information (CUI) or other sensitive information in accordance with applicable organizational and/or federal standards and policies.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; media sanitization equipment test records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].


MP-6(5) MEDIA SANITIZATION
MP-6(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization sanitizes information system media containing classified information in accordance with NSA standards and policies.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy and procedures; media sanitization records; audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].


MP-6(6) MEDIA SANITIZATION
MP-6(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization implements the media destruction process for information system media that cannot be sanitized.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; media sanitization equipment test records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].


PHYSICAL AND ENVIRONMENTAL PROTECTION


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents physical and environmental protection policy;
(ii) the organization's physical and environmental protection policy addresses:
  • purpose;
  • scope;
  • roles and responsibilities;
  • management commitment;
  • coordination among organizational entities; and
  • compliance;
(iii) the organization disseminates formal documented physical and environmental protection policy to elements within the organization having associated physical and environmental protection roles and responsibilities;
(iv) the organization develops and formally documents physical and environmental protection procedures;
(v) the organization physical and environmental protection procedures facilitate implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
(vi) the organization disseminates formal documented physical and environmental protection procedures to elements within the organization having associated physical and environmental protection roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].
PE-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of physical and environmental protection policy reviews/updates;
(ii) the organization reviews/updates physical and environmental protection policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of physical and environmental protection procedure reviews/updates; and
(iv) the organization reviews/updates physical and environmental protection procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-2 PHYSICAL ACCESS AUTHORIZATIONS
PE-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies areas within the facility that are publicly accessible;
(ii) the organization develops and keeps current lists of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
(iii) the organization issues authorization credentials (e.g., badges, identification cards, smart cards).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; authorization credentials; list of areas that are publicly accessible; other relevant documents or records].


PE-2.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency for review and approval of the physical access list and authorization credentials for the facility;
(ii) the organization reviews and approves the access list and authorization credentials in accordance with the organization-defined frequency; and
(iii) the organization removes from the access list personnel no longer requiring access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; other relevant documents or records].


PE-2(1) PHYSICAL ACCESS AUTHORIZATIONS
PE-2(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies personnel positions or roles authorized for physical access to the facility where the information system resides; and
(ii) the organization authorizes physical access to the facility where the information system resides based on position or role.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; physical access control logs or records; information system entry and exit points; other relevant documents or records].



PE-2(2) PHYSICAL ACCESS AUTHORIZATIONS
PE-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires two forms of identification to gain access to the facility where the information system resides.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; physical access control logs or records; information system entry and exit points; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility].


PE-2(3) PHYSICAL ACCESS AUTHORIZATIONS
PE-2(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies authorized personnel with appropriate clearances and access authorizations for gaining physical access to the facility containing an information system that processes classified information; and
(ii) the organization restricts physical access to the facility containing an information system that processes classified information to authorized personnel with appropriate clearances and access authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; physical access control logs or records; information system entry and exit points; other relevant documents or records].




FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-3 PHYSICAL ACCESS CONTROL
PE-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
(ii) the organization verifies individual access authorizations before granting access to the facility;
(iii) the organization controls entry to the facility containing the information system using physical access devices (e.g., keys, locks, combinations, card readers) and/or guards;
(iv) the organization controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk; and
(v) the organization secures keys, combinations, and other physical access devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system entry and exit points; storage locations for physical access devices; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access control responsibilities].
Test: [SELECT FROM: Physical access control capability; physical access control devices].
PE-3.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency for conducting inventories of physical access devices;
(ii) the organization inventories physical access devices in accordance with the organization-defined frequency;
(iii) the organization defines the frequency of changes to combinations and keys; and
(iv) the organization changes combinations and keys in accordance with the organization-defined frequency, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; security plan; physical access control logs or records; inventory records of physical access devices; records of key and lock combination changes; storage locations for physical access devices; other relevant documents or records].
Test: [SELECT FROM: Physical access control devices].


PE-3(1) PHYSICAL ACCESS CONTROL
PE-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system entry and exit points; list of areas within the facility containing high concentrations of information system components or information system components requiring additional physical protection; other relevant documents or records].



PE-3(2) PHYSICAL ACCESS CONTROL
PE-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization performs security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or information system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; records of security checks; facility layout documentation; information system entry and exit points; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access control responsibilities].


PE-3(3) PHYSICAL ACCESS CONTROL
PE-3(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization guards, alarms, and monitors every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; facility surveillance records; facility layout documentation; information system entry and exit points; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access control responsibilities].


PE-3(4) PHYSICAL ACCESS CONTROL
PE-3(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines information system components to be protected from unauthorized physical access using lockable physical casings; and
(ii) the organization uses lockable physical casings to protect organization-defined information system components from unauthorized physical access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; security plan; list of information system components requiring protection through lockable physical casings; lockable physical casings; other relevant documents or records].



PE-3(5) PHYSICAL ACCESS CONTROL
PE-3(5).1 ASSESSMENT OBJECTIVE:
Determine if the information system detects/prevents physical tampering or alteration of hardware components within the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system design documentation; other relevant documents or records].
Test: [SELECT FROM: Physical access control capability].


PE-3(6) PHYSICAL ACCESS CONTROL
PE-3(6).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of unannounced attempts to be included in a penetration testing process to bypass or circumvent security controls associated with physical access points to the facility; and
(ii) the organization employs a penetration testing process that includes unannounced attempts, in accordance with the organization-defined frequency, to bypass or circumvent security controls associated with physical access points to the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; procedures addressing penetration testing; rules of engagement and associated documentation; penetration test results; security plan; other relevant documents or records].




FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to information system distribution and transmission lines within organizational facilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for transmission medium; information system design documentation; facility communications and wiring diagrams; other relevant documents or records].




FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
PE-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for display medium; facility layout of information system components; actual displays from information system components; other relevant documents or records].




FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-6 MONITORING PHYSICAL ACCESS
PE-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization monitors physical access to the information system to detect and respond to physical security incidents;
(ii) the organization defines the frequency to review physical access logs;
(iii) the organization reviews physical access logs in accordance with the organization-defined frequency; and
(iv) the organization coordinates results of reviews and investigations with the organization's incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; security plan; physical access logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities].
Test: [SELECT FROM: Physical access monitoring capability].


PE-6(1) MONITORING PHYSICAL ACCESS
PE-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization monitors real-time physical intrusion alarms and surveillance equipment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; physical intrusion alarm/surveillance equipment logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities].
Test: [SELECT FROM: Physical access monitoring capability].


PE-6(2) MONITORING PHYSICAL ACCESS
PE-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; information system design documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing physical access monitoring capability].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-7 VISITOR CONTROL
PE-7.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].
Test: [SELECT FROM: Visitor access control capability].


PE-7(1) VISITOR CONTROL
PE-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization escorts visitors and monitors visitor activity, when required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].


PE-7(2) VISITOR CONTROL
PE-7(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires two forms of identification for visitor access to the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-8 ACCESS RECORDS
PE-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
(ii) the organization defines the frequency to review visitor access records; and
(iii) the organization reviews the visitor access records in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; security plan; facility access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing physical access records].



PE-8(1) ACCESS RECORDS
PE-8(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to facilitate the maintenance and review of access records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; automated mechanisms supporting management of access records; facility access control logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing physical access records].


PE-8(2) ACCESS RECORDS
PE-8(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization maintains a record of all physical access, both visitor and authorized individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; facility access control logs or records; other relevant documents or records].




FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-9 POWER EQUIPMENT AND POWER CABLING
PE-9.1 ASSESSMENT OBJECTIVE:
Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power equipment and cabling protection; facility housing power equipment and cabling; other relevant documents or records].



PE-9(1) POWER EQUIPMENT AND POWER CABLING
PE-9(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs redundant and parallel power cabling paths.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power equipment and cabling protection; facility housing power equipment and cabling; other relevant documents or records].



PE-9(2) POWER EQUIPMENT AND POWER CABLING
PE-9(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the critical information system components that require automatic voltage controls; and
(ii) the organization employs automatic voltage controls for organization-defined critical information system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing voltage control; security plan; list of critical information system components requiring automatic voltage controls; other relevant documents or records].




FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-10 EMERGENCY SHUTOFF
PE-10.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides the capability of shutting off power to the information system or individual system components in emergency situations;
(ii) the organization defines the location of emergency shutoff switches or devices by information system or system component;
(iii) the organization places emergency shutoff switches or devices in an organization-defined location by information system or system component to facilitate safe and easy access for personnel; and
(iv) the organization protects the emergency power shutoff capability from unauthorized activation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power source emergency shutoff; security plan; emergency shutoff controls or switches; other relevant documents or records].



PE-10(1) EMERGENCY SHUTOFF
PE-10(1).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into PE-10].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into PE-10].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-11 EMERGENCY POWER
PE-11.1 ASSESSMENT OBJECTIVE:
Determine if the organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; uninterruptible power supply documentation; uninterruptible power supply test records; other relevant documents or records].
Test: [SELECT FROM: Uninterruptible power supply].


PE-11(1) EMERGENCY POWER
PE-11(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply documentation; alternate power test records; other relevant documents or records].
Test: [SELECT FROM: Alternate power supply].


PE-11(2) EMERGENCY POWER
PE-11(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply documentation; alternate power test records; other relevant documents or records].
Test: [SELECT FROM: Alternate power supply].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-12 EMERGENCY LIGHTING
PE-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automatic emergency lighting for the information system that activates in the event of a power outage or disruption;
(ii) the organization employs automatic emergency lighting for the information system that covers emergency exits and evacuation routes within the facility; and
(iii) the organization maintains the automatic emergency lighting for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with emergency planning responsibilities].
Test: [SELECT FROM: Emergency lighting capability].


PE-12(1) EMERGENCY LIGHTING
PE-12(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with emergency planning responsibilities].
Test: [SELECT FROM: Emergency lighting capability].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-13 FIRE PROTECTION
PE-13.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and
(ii) the organization maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; test records of fire suppression and detection devices/systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].



PE-13(1) FIRE PROTECTION
PE-13(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs fire detection devices/systems for the information system that, without manual intervention, activate automatically and notify the organization and emergency responders in the event of a fire.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service level agreements; test records of fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
Test: [SELECT FROM: Simulated activation of fire detection devices/systems and automated notifications].


PE-13(2) FIRE PROTECTION
PE-13(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems documentation; facility housing the information system; alarm service level agreements; test records of fire suppression and detection devices/systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
Test: [SELECT FROM: Simulated activation of fire suppression devices/systems and automated notifications].


PE-13(3) FIRE PROTECTION
PE-13(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service level agreements; facility staffing plans; test records of fire suppression and detection devices/systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
Test: [SELECT FROM: Simulated activation of fire suppression devices/systems and automated notifications].


PE-13(4) FIRE PROTECTION
PE-13(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of fire marshal inspections for the facility;
(ii) the facility undergoes fire marshal inspections in accordance with the organization-defined frequency; and
(iii) the organization promptly resolves deficiencies identified by fire marshal inspections.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; security plan; facility housing the information system; fire marshal inspection results; test records of fire suppression and detection devices/systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-14 TEMPERATURE AND HUMIDITY CONTROLS
PE-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the acceptable temperature and humidity levels within the facility where the information system resides;
(ii) the organization maintains temperature and humidity levels within the facility where the information system resides in accordance with organization-defined acceptable levels;
(iii) the organization defines the frequency to monitor temperature and humidity levels; and
(iv) the organization monitors the temperature and humidity levels within the facility where the information system resides in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity control; security plan; temperature and humidity controls; facility housing the information system; temperature and humidity controls documentation; temperature and humidity records; other relevant documents or records].



PE-14(1) TEMPERATURE AND HUMIDITY CONTROLS
PE-14(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity controls; facility housing the information system; automated mechanisms for temperature and humidity; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing temperature and humidity controls].


PE-14(2) TEMPERATURE AND HUMIDITY CONTROLS
PE-14(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity monitoring; facility housing the information system; logs or records of temperature and humidity monitoring; records of changes to temperature and humidity levels that generate alarms or notifications; other relevant documents or records].
Test: [SELECT FROM: Temperature and humidity monitoring capability].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-15 WATER DAMAGE PROTECTION
PE-15.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible and working properly; and
(ii) key personnel within the organization have knowledge of the master water shutoff valves.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; master shutoff valves; list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system; master shutoff valve documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].
Test: [SELECT FROM: Master water-shutoff valves; process for activating master water-shutoff].


PE-15(1) WATER DAMAGE PROTECTION
PE-15(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; automated mechanisms for water shutoff valves; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing master water shutoff valve activation].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-16 DELIVERY AND REMOVAL
PE-16.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the types of information system components to be authorized, monitored, and controlled as such components are entering or exiting the facility;
(ii) the organization authorizes, monitors, and controls organization-defined information system components entering and exiting the facility; and
(iii) the organization maintains records of information system components entering and exiting the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing delivery and removal of information system components from the facility; security plan; facility housing the information system; records of items entering and exiting the facility; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for controlling information system components entering and exiting the facility].
Test: [SELECT FROM: Process for controlling information system-related items entering and exiting the facility].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-17 ALTERNATE WORK SITE
PE-17.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the management, operational, and technical information system security controls to be employed at alternate work sites;
(ii) the organization employs organization-defined management, operational, and technical information system security controls at alternate work sites;
(iii) the organization assesses, as feasible, the effectiveness of security controls at alternate work sites; and
(iv) the organization provides a means for employees to communicate with information security personnel in case of security incidents or problems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing alternate work sites for organizational personnel; security plan; list of management, operational, and technical security controls required for alternate work sites; assessments of security controls at alternate work sites; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel using alternate work sites].




FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
PE-18.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization positions information system components within the facility to minimize potential damage from physical and environmental hazards; and
(ii) the organization positions information system components within the facility to minimize the opportunity for unauthorized access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing positioning of information system components; documentation providing the location and position of information system components within the facility; other relevant documents or records].



PE-18(1) LOCATION OF INFORMATION SYSTEM COMPONENTS
PE-18(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards; and
(ii) the organization, for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; physical site planning documents; organizational assessment of risk; contingency plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with site selection responsibilities for the facility housing the information system].



FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PE-19 INFORMATION LEAKAGE
PE-19.1 ASSESSMENT OBJECTIVE:
Determine if the organization protects the information system from information leakage due to electromagnetic signals emanations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing information leakage due to electromagnetic signals emanations; mechanisms protecting the information system against electronic signals emanation; facility housing the information system; records from electromagnetic signals emanation tests; other relevant documents or records].
Test: [SELECT FROM: Information system for information leakage due to electromagnetic signals emanations].


PE-19(1) INFORMATION LEAKAGE
PE-19(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system components, associated data communications, and networks are protected in accordance with:
  • national emissions and TEMPEST policies and procedures; and
  • the sensitivity of the information being transmitted.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing information leakage that comply with national emissions and TEMPEST policies and procedures; information system component design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system components for compliance with national emissions and TEMPEST policies and procedures].


PLANNING


FAMILY: PLANNING CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PL-1 SECURITY PLANNING POLICY AND PROCEDURES
PL-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents security planning policy;
(ii) the organization security planning policy addresses:
(iii) the organization disseminates formal documented security planning policy to elements within the organization having associated security planning roles and responsibilities;
(iv) the organization develops and formally documents security planning procedures;
(v) the organization security planning procedures facilitate implementation of the security planning policy and associated security planning controls; and
(vi) the organization disseminates formal documented security planning procedures to elements within the organization having associated security planning roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning responsibilities].
PL-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of security planning policy reviews/updates;
(ii) the organization reviews/updates security planning policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of security planning procedure reviews/updates; and
(iv) the organization reviews/updates security planning procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning responsibilities].



FAMILY: PLANNING CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PL-2 SYSTEM SECURITY PLAN
PL-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a security plan for the information system that:
  • is consistent with the organization's enterprise architecture;
  • explicitly defines the authorization boundary for the system;
  • describes the operational context of the information system in terms of mission and business processes;
  • provides the security categorization of the information system including supporting rationale;
  • describes the operational environment for the information system;
  • describes relationships with or connections to other information systems;
  • provides an overview of the security requirements for the system;
  • describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions; and
  • is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
(ii) the organization defines the frequency of security plan reviews;
(iii) the organization reviews the security plan in accordance with the organization-defined frequency; and
(iv) the organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan for the information system; records of security plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel with security planning and plan implementation responsibilities for the information system].



PL-2(1) SYSTEM SECURITY PLAN
PL-2(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum:
(ii) the organization defines the frequency of reviews and updates to the CONOPS; and
(iii) the organization reviews and updates the CONOPS in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing security CONOPS development; procedures addressing security CONOPS reviews and updates; security CONOPS for the information system; security plan for the information system; records of security CONOPS reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel with security planning and plan implementation responsibilities for the information system].


PL-2(2) SYSTEM SECURITY PLAN
PL-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization develops a functional architecture for the information system that identifies and maintains:
  • external interfaces, the information being exchanged across the interfaces, and the protection mechanisms associated with each interface;
  • user roles and the access privileges assigned to each role;
  • unique security requirements;
  • types of information processed, stored, or transmitted by the information system and any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; and
  • restoration priority of information or information system services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; access control policy; contingency planning policy; security plan for the information system; contingency plan for the information system; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel with security planning and plan implementation responsibilities for the information system].



FAMILY: PLANNING CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PL-3 SYSTEM SECURITY PLAN UPDATE

[Withdrawn: Incorporated into PL-2].

PL-3.1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into PL-2].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into PL-2].




FAMILY: PLANNING CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PL-4 RULES OF BEHAVIOR
PL-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes the rules that describe information system user responsibilities and expected behavior with regard to information and information system usage;
(ii) the organization makes the rules available to all information system users; and
(iii) the organization receives a signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing rules of behavior for information system users; rules of behavior; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel who are authorized users of the information system and have signed rules of behavior].



PL-4(1) RULES OF BEHAVIOR
PL-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes in the rules of behavior:
  • explicit restrictions on the use of social networking sites;
  • posting information on commercial websites; and
  • sharing information system account information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing rules of behavior for information system users; rules of behavior; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel who are authorized users of the information system and have signed rules of behavior].



FAMILY: PLANNING CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PL-5 PRIVACY IMPACT ASSESSMENT
PL-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization conducts a privacy impact assessment on the information system; and
(ii) the privacy impact assessment is in accordance with OMB policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing privacy impact assessments on the information system; privacy impact assessment; other relevant documents or records].




FAMILY: PLANNING CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PL-6 SECURITY-RELATED ACTIVITY PLANNING
PL-6.1 ASSESSMENT OBJECTIVE:
Determine if the organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing security-related activity planning for the information system; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning and plan implementation responsibilities].



PROGRAM MANAGEMENT


FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-1 INFORMATION SECURITY PROGRAM PLAN
PM-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops an information security program plan for the organization that:
  • provides an overview of the requirements for the security program;
  • provides a description of the security program management controls and common controls in place or planned for meeting security program requirements;
  • provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
  • includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
  • is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations and the Nation;
(ii) the organization defines the frequency of information security program plan reviews;
(iii) the organization reviews the organization-wide information security program plan in accordance with the organization-defined frequency;
(iv) the organization revises the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
(v) the organization disseminates the most recent information security program plan to appropriate entities in the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; procedures addressing information security program plan development and implementation; procedures addressing information security program plan reviews and updates; information security program plan; program management controls documentation; common controls documentation; records of information security program plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security planning and plan implementation responsibilities for the information security program].




FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-2 SENIOR INFORMATION SECURITY OFFICER
PM-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization appoints a senior information security officer to coordinate, develop, implement, and maintain an organization-wide information security program; and
(ii) the organization empowers the senior information security officer with the mission and resources required to coordinate, develop, implement, and maintain an organization-wide information security program.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; information security program plan; documentation addressing roles and responsibilities of the senior information security officer position; information security program mission statement; other relevant documents or records].
Interview: [SELECT FROM: Organizational person appointed to the senior information security officer position].




FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-3 INFORMATION SECURITY RESOURCES
PM-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization includes in its capital planning and investment requests the resources needed to implement the information security program;
(ii) the organization documents all exceptions to the requirement that all capital planning and investment requests include the resources needed to implement the information security program;
(iii) the organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
(iv) the organization makes the required information security resources available for expenditure as planned.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; capital planning and investment policy; procedures addressing management and oversight for information security-related aspects of the capital planning and investment control process; capital planning and investment documentation; documentation of exceptions supporting capital planning and investment requests; business cases; Exhibit 300; Exhibit 53; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel managing and overseeing the information security-related aspects of the capital planning and investment control process].




FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-4 PLAN OF ACTION AND MILESTONES PROCESS
PM-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization implements a process to maintain plans of action and milestones for the security program and the associated organizational information systems; and
(ii) the organization implements a process to document the remedial information security actions that mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; plan of action and milestones policy; procedures addressing plan of action and milestones process; plan of action and milestones for the security program; plan of action and milestones for organizational information systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with plan of action and milestones development and implementation responsibilities].




FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-5 INFORMATION SYSTEM INVENTORY
PM-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops an inventory of its information systems; and
(ii) the organization maintains an inventory of its information systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; procedures addressing information system inventory development and maintenance; information system inventory records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system inventory development and maintenance responsibilities].




FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE
PM-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops information security measures of performance;
(ii) the organization monitors information security measures of performance; and
(iii) the organization reports on the results of information security measures of performance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; procedures addressing development, monitoring, and reporting of information security performance measures; information security performance metrics; information security performance measures; results of information security performance measures; other relevant documents or records].




FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-7 ENTERPRISE ARCHITECTURE
PM-7.1 ASSESSMENT OBJECTIVE:
Determine if the organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; enterprise architecture policy; procedures addressing information security-related aspects of enterprise architecture development; system development life cycle documentation; enterprise architecture documentation; enterprise security architecture documentation; other relevant documents or records].




FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-8 CRITICAL INFRASTRUCTURE PLAN
PM-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents a critical infrastructure and key resource protection plan;
(ii) the organization updates the critical infrastructure and key resource protection plan; and
(iii) the organization addresses information security issues in the critical infrastructure and key resource protection plan.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; critical infrastructure protection policy; procedures addressing critical infrastructure plan development and implementation; procedures addressing critical infrastructure plan reviews and updates; records of critical infrastructure plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with critical infrastructure plan development and implementation responsibilities].




FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-9 RISK MANAGEMENT STRATEGY
PM-9.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; and
(ii) the organization implements that strategy consistently across the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; risk management policy; procedures addressing risk management strategy development and implementation; risk management strategy (including risk identification, assessment, mitigation, acceptance, and monitoring methodologies); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk management strategy development and implementation responsibilities].




FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-10 SECURITY AUTHORIZATION PROCESS
PM-10.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;
(ii) the organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
(iii) the organization fully integrates the security authorization processes into an organization-wide risk management program.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; security assessment and authorization policy; risk management policy; procedures addressing security authorization processes; security authorization package (including security plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security authorization responsibilities for information systems; organizational personnel with risk management responsibilities].




FAMILY: PROGRAM MANAGEMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
PM-11 MISSION / BUSINESS PROCESS DEFINITION
PM-11.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
(ii) the organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information security program policy; risk management policy; procedures addressing security categorization of organizational information and information systems; organizational mission/business processes; risk management strategy (including risk identification, assessment, mitigation, acceptance, and monitoring methodologies); other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with mission/business process definition responsibilities; organizational personnel with security categorization and risk management responsibilities for the information security program].



PERSONNEL SECURITY


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
PS-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents personnel security policy;
(ii) the organization personnel security policy addresses:
(iii) the organization disseminates formal documented personnel security policy to elements within the organization having associated personnel security roles and responsibilities;
(iv) the organization develops and formally documents personnel security procedures;
(v) the organization personnel security procedures facilitate implementation of the personnel security policy and associated personnel security controls; and
(vi) the organization disseminates formal documented personnel security procedures to elements within the organization having associated personnel security roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].
PS-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of personnel security policy reviews/updates;
(ii) the organization reviews/updates personnel security policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of personnel security procedure reviews/updates; and
(iv) the organization reviews/updates personnel security procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PS-2 POSITION CATEGORIZATION
PS-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization assigns risk designations to all positions within the organization;
(ii) the organization establishes screening criteria for individuals filling organizational positions;
(iii) the organization defines the frequency of risk designation reviews and updates for organizational positions; and
(iv) the organization reviews and revises position risk designations in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing position categorization; appropriate codes of federal regulations; list of risk designations for organizational positions; security plan; records of risk designation reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].




FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PS-3 PERSONNEL SCREENING
PS-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization screens individuals prior to authorizing access to the information system;
(ii) the organization defines conditions requiring re-screening and, where re-screening is so indicated, the frequency of such re-screening; and
(iii) the organization re-screens individuals according to organization-defined conditions requiring re-screening and, where re-screening is so indicated, the organization-defined frequency of such re-screening.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



PS-3(1) PERSONNEL SCREENING
PS-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization ensures that every user accessing an information system processing, storing, or transmitting classified information is cleared to the highest classification level of the information on the system; and
(ii) the organization ensures that every user accessing an information system processing, storing, or transmitting classified information is indoctrinated to the highest classification level of the information on the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].


PS-3(2) PERSONNEL SCREENING
PS-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization formally indoctrinates every user accessing an information system that processes, stores, or transmits types of classified information requiring formal indoctrination for all of the relevant types of information on the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PS-4 PERSONNEL TERMINATION
PS-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization terminates information system access upon termination of individual employment;
(ii) the organization conducts exit interviews of terminated personnel;
(iii) the organization retrieves all security-related organizational information system-related property from terminated personnel; and
(iv) the organization retains access to organizational information and information systems formerly controlled by terminated personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel termination; records of personnel termination actions; list of information system accounts; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].
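The examine objects for PS-4 pair "records of personnel termination actions" with a "list of information system accounts" because the determination in (i) is made by reconciling the two: every terminated individual should have had access removed on or before the termination date, and no credential should have been used afterward. The following is an added example of that reconciliation, written for this page and not part of NIST SP 800-53A or any assessment tool; the HR records, the account export, and the field names (user_id, terminated_on, enabled, disabled_on, last_login) are constructed for illustration and would be replaced by the organization's actual exports.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample inputs (assumed formats, not from the page):
# an HR extract of termination actions and an account export from the
# information system under assessment.
TERMINATION_RECORDS = [
    {"user_id": "jdoe",   "terminated_on": "2010-03-01"},
    {"user_id": "asmith", "terminated_on": "2010-03-15"},
    {"user_id": "bwong",  "terminated_on": "2010-04-02"},
]

ACCOUNT_LIST = [
    {"user_id": "jdoe",       "enabled": False, "disabled_on": "2010-03-01", "last_login": "2010-02-28"},
    {"user_id": "asmith",     "enabled": True,  "disabled_on": None,         "last_login": "2010-03-20"},
    {"user_id": "bwong",      "enabled": False, "disabled_on": "2010-04-09", "last_login": "2010-04-01"},
    {"user_id": "svc_backup", "enabled": True,  "disabled_on": None,         "last_login": "2010-04-10"},
]


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str    # ACTIVE_AFTER_TERMINATION, LATE_DISABLE, LOGIN_AFTER_TERMINATION
    detail: str


def _to_date(value: Optional[str]) -> Optional[date]:
    # ISO-8601 dates in the exports; None means the field was empty.
    return date.fromisoformat(value) if value else None


def reconcile(terminations: List[dict], accounts: List[dict]) -> List[Finding]:
    """Compare termination records against the account list for PS-4 (i).

    For each terminated individual who holds an account on the system:
      - the account must not still be enabled;
      - if disabled, the disable date must be on or before the termination date;
      - the last recorded login must not be after the termination date.
    Accounts with no termination record (e.g. service accounts) are out of
    scope for this control and are not reported.
    """
    by_user = {a["user_id"]: a for a in accounts}
    findings: List[Finding] = []

    for rec in terminations:
        uid = rec["user_id"]
        term = _to_date(rec["terminated_on"])
        acct = by_user.get(uid)
        if acct is None:
            continue  # no account on this system; nothing to terminate

        if acct["enabled"]:
            findings.append(Finding(uid, "ACTIVE_AFTER_TERMINATION",
                                    f"account still enabled; terminated {term}"))
        else:
            disabled = _to_date(acct["disabled_on"])
            if disabled is None or disabled > term:
                findings.append(Finding(uid, "LATE_DISABLE",
                                        f"disabled {disabled}; terminated {term}"))

        last = _to_date(acct["last_login"])
        if last is not None and last > term:
            findings.append(Finding(uid, "LOGIN_AFTER_TERMINATION",
                                    f"last login {last} after termination {term}"))

    return findings


if __name__ == "__main__":
    for f in reconcile(TERMINATION_RECORDS, ACCOUNT_LIST):
        print(f"{f.user_id:12} {f.issue:24} {f.detail}")
```

Two of the three issue types are evidence of different weight: LATE_DISABLE shows the procedure is followed but not "upon termination", while LOGIN_AFTER_TERMINATION shows a credential was actually used after the individual left and should be raised with incident response, not only recorded as an assessment finding.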




FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PS-5 PERSONNEL TRANSFER
PS-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization;
(ii) the organization defines the transfer or reassignment actions and the time period within which the actions must occur following formal transfer or reassignment; and
(iii) the organization initiates the organization-defined transfer or reassignment actions within an organization-defined time period following formal transfer or reassignment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel transfer; security plan; records of personnel transfer actions; list of information system and facility access authorizations; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].




FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PS-6 ACCESS AGREEMENTS
PS-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies appropriate access agreements for individuals requiring access to organizational information and information systems;
(ii) individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;
(iii) the organization defines the frequency of reviews/updates for access agreements; and
(iv) the organization reviews/updates the access agreements in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and information systems; security plan; access agreements; records of access agreement reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



PS-6(1) ACCESS AGREEMENTS
PS-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization grants access to information with special protection measures only to individuals who:
  • have a valid access authorization that is demonstrated by assigned official government duties; and
  • satisfy associated personnel security criteria.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and information systems; access agreements; access authorizations; personnel security criteria; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].


PS-6(2) ACCESS AGREEMENTS
PS-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization grants access to classified information with special protection measures only to individuals who:
  • have a valid access authorization that is demonstrated by assigned official government duties;
  • satisfy associated personnel security criteria; and
  • have read, understand, and signed a nondisclosure agreement.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and information systems; access agreements; access authorizations; personnel security criteria; signed nondisclosure agreements; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PS-7 THIRD-PARTY PERSONNEL SECURITY
PS-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers;
(ii) the organization documents personnel security requirements for third-party providers; and
(iii) the organization monitors third-party provider compliance with personnel security requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing third-party personnel security; list of personnel security requirements; acquisition documents; compliance monitoring process; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities; third-party providers].




FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


ASSESSMENT PROCEDURE
PS-8 PERSONNEL SANCTIONS
PS-8.1 ASSESSMENT OBJECTIVE:
Determine if the organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel sanctions; rules of behavior; records of formal sanctions; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



RISK ASSESSMENT


FAMILY: RISK ASSESSMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
RA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents risk assessment policy;
(ii) the organization risk assessment policy addresses:
(iii) the organization disseminates formal documented risk assessment policy to elements within the organization having associated risk assessment roles and responsibilities;
(iv) the organization develops and formally documents risk assessment procedures;
(v) the organization risk assessment procedures facilitate implementation of the risk assessment policy and associated risk assessment controls; and
(vi) the organization disseminates formal documented risk assessment procedures to elements within the organization having associated risk assessment roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities].
RA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of risk assessment policy reviews/updates;
(ii) the organization reviews/updates risk assessment policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of risk assessment procedure reviews/updates; and
(iv) the organization reviews/updates risk assessment procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities].



FAMILY: RISK ASSESSMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
RA-2 SECURITY CATEGORIZATION
RA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
(ii) the organization documents the security categorization results (including supporting rationale) in the security plan for the information system; and
(iii) the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing security categorization of organizational information and information systems; security planning policy and procedures; security plan; security categorization documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security categorization and risk assessment responsibilities].




FAMILY: RISK ASSESSMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
RA-3 RISK ASSESSMENT
RA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm, from the unauthorized:
(ii) the organization defines the document in which risk assessment results are documented, selecting from the security plan, risk assessment report, or other organization-defined document;
(iii) the organization documents risk assessment results in the organization-defined document;
(iv) the organization defines the frequency for review of the risk assessment results;
(v) the organization reviews risk assessment results in accordance with the organization-defined frequency;
(vi) the organization defines the frequency that risk assessments are updated; and
(vii) the organization updates the risk assessment in accordance with the organization-defined frequency or whenever there are significant changes to the information system or environment of operation, or other conditions that may impact the security state of the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; security plan; risk assessment; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities].




FAMILY: RISK ASSESSMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
RA-4 RISK ASSESSMENT UPDATE

[Withdrawn: Incorporated into RA-3].

RA-4.1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into RA-3].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into RA-3].




FAMILY: RISK ASSESSMENT CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
RA-5 VULNERABILITY SCANNING
RA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines:
  • the frequency for conducting vulnerability scans on the information system and hosted applications; and/or
  • the process for conducting random vulnerability scans on the information system and hosted applications;
(ii) the organization scans for vulnerabilities in the information system and hosted applications in accordance with the organization-defined frequency and/or the organization-defined process for random scans;
(iii) the organization scans for vulnerabilities in the information system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported;
(iv) the organization employs vulnerability scanning tools and techniques that use standards to promote interoperability among tools and automate parts of the vulnerability management process that focus on:
  • enumerating platforms, software flaws, and improper configurations;
  • formatting and making transparent checklists and test procedures; and
  • measuring vulnerability impact; and
(v) the organization analyzes vulnerability scan reports and results from security control assessments.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk assessment and vulnerability scanning responsibilities].
RA-5.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the response times for remediating legitimate vulnerabilities in accordance with an organizational assessment of risk;
(ii) the organization remediates legitimate vulnerabilities in accordance with organization-defined response times; and
(iii) the organization shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with risk assessment and vulnerability scanning responsibilities].


RA-5(1) VULNERABILITY SCANNING
RA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization uses vulnerability scanning tools that have the capability to readily update the list of information system vulnerabilities scanned.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; vulnerability scanning tools and techniques documentation; records of updates to vulnerabilities scanned; other relevant documents or records].
Test: [SELECT FROM: Vulnerability scanning capability and associated scanning tools].


RA-5(2) VULNERABILITY SCANNING
RA-5(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of updates for information system vulnerabilities scanned; and
(ii) the organization updates the list of information system vulnerabilities scanned in accordance with the organization-defined frequency or when new vulnerabilities are identified and reported.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; list of vulnerabilities scanned; records of updates to vulnerabilities scanned; other relevant documents or records].



RA-5(3) VULNERABILITY SCANNING
RA-5(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs vulnerability scanning procedures that can demonstrate the breadth of coverage (i.e., information system components scanned); and
(ii) the organization employs vulnerability scanning procedures that can demonstrate the depth of coverage (i.e., vulnerabilities checked).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; list of vulnerabilities scanned and information system components checked; other relevant documents or records].



RA-5(4) VULNERABILITY SCANNING
RA-5(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization attempts to discern what information about the information system is discoverable by adversaries.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; penetration test results; vulnerability scanning results; other relevant documents or records].



RA-5(5) VULNERABILITY SCANNING
RA-5(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the list of information system components to which privileged access is authorized for selected vulnerability scanning activities; and
(ii) the organization includes privileged access authorization to organization-defined information system components identified for selected vulnerability scanning activities to facilitate more thorough scanning.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; security plan; list of information system components for vulnerability scanning; personnel access authorization list; authorization credentials; access authorization records; other relevant documents or records].



RA-5(6) VULNERABILITY SCANNING
RA-5(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; vulnerability scanning tools and techniques documentation; vulnerability scanning results; other relevant documents or records].
Test: [SELECT FROM: Vulnerability scanning capability and associated scanning tools].
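RA-5.2 (ii) asks whether legitimate vulnerabilities are remediated within the organization-defined response times, and RA-5(6) asks whether scan results are compared over time to establish trends. Both checks reduce to the same operation on scan history: identify each finding's first observation, classify it as new, resolved or persistent across runs, and flag persistent findings whose age exceeds the response time for their severity. The following is an added example to illustrate that comparison; it is not part of the NIST catalog and not the output of any scanning tool. The scan results and host names are constructed sample data with placeholder finding ids, and the response times in `RESPONSE_TIME_DAYS` are assumed values standing in for whatever the organization has defined.

```python
from collections import Counter
from datetime import date

# Organization-defined remediation response times in days, by severity.
# Assumed values for illustration; RA-5.2 requires the organization to define
# its own from its assessment of risk.
RESPONSE_TIME_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed sample scan history (not real scanner output). Each entry is
# (scan date, findings); each finding is (host, finding id, severity), and the
# ids are placeholders rather than references to any real advisory.
SCAN_HISTORY = [
    (date(2024, 1, 5), [
        ("web01", "F-101", "critical"),
        ("web01", "F-102", "medium"),
        ("db01", "F-103", "high"),
    ]),
    (date(2024, 3, 1), [
        ("web01", "F-101", "critical"),  # persistent, 56 days old
        ("db01", "F-103", "high"),       # persistent, 56 days old
        ("db01", "F-104", "low"),        # new in this scan
    ]),
]


def compare_scans(previous, current):
    """Classify findings as new, resolved or persistent between two scan runs (RA-5(6))."""
    prev = {(h, f) for h, f, _ in previous}
    cur = {(h, f) for h, f, _ in current}
    return {
        "new": sorted(cur - prev),
        "resolved": sorted(prev - cur),
        "persistent": sorted(cur & prev),
    }


def severity_trend(history):
    """Per-scan counts by severity, oldest first, for trend reporting (RA-5(6))."""
    return [(d, dict(Counter(sev for _, _, sev in findings)))
            for d, findings in sorted(history, key=lambda x: x[0])]


def overdue_findings(history, as_of=None):
    """Findings still open in the latest scan whose age since first observation
    exceeds the organization-defined response time for their severity (RA-5.2).
    as_of defaults to the date of the latest scan in the history."""
    ordered = sorted(history, key=lambda x: x[0])
    if as_of is None:
        as_of = ordered[-1][0]
    # First observation of each (host, finding) pair drives the remediation clock.
    first_seen = {}
    for scan_date, findings in ordered:
        for h, f, sev in findings:
            first_seen.setdefault((h, f), (scan_date, sev))
    latest = {(h, f) for h, f, _ in ordered[-1][1]}
    overdue = []
    for key in sorted(latest):
        seen, sev = first_seen[key]
        age = (as_of - seen).days
        if age > RESPONSE_TIME_DAYS[sev]:
            overdue.append((key[0], key[1], sev, age))
    return overdue


if __name__ == "__main__":
    print(compare_scans(SCAN_HISTORY[0][1], SCAN_HISTORY[1][1]))
    print(severity_trend(SCAN_HISTORY))
    print(overdue_findings(SCAN_HISTORY))
```

Keying findings on (host, finding id) rather than on the finding id alone keeps a vulnerability that is fixed on one host but still present on another from being reported as resolved, which is the distinction RA-5(3) draws between breadth and depth of coverage. The same structure serves RA-5.2 (iii): an id that is persistent across several hosts is the systemic weakness the organization is expected to share with other system owners.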


RA-5(7) VULNERABILITY SCANNING
RA-5(7).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency for employing automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials; and
(ii) the organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated officials in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; security plan; information system design documentation; list of unauthorized software; notifications or alerts of unauthorized software on organizational information systems; other relevant documents or records].
Test: [SELECT FROM: Vulnerability scanning capability and associated scanning tools].


RA-5(8) VULNERABILITY SCANNING
RA-5(8).1 ASSESSMENT OBJECTIVE:
Determine if the organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; audit logs; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with vulnerability scanning responsibilities].


RA-5(9) VULNERABILITY SCANNING
RA-5(9).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an independent penetration agent or penetration team to:
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; security assessment policy; procedures addressing vulnerability analysis; risk assessment; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with vulnerability scanning and analysis responsibilities].


SYSTEM AND SERVICES ACQUISITION


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents system and services acquisition policy;
(ii) the organization system and services acquisition policy addresses:
(iii) the organization disseminates formal documented system and services acquisition policy to elements within the organization having associated system and services acquisition roles and responsibilities;
(iv) the organization develops and formally documents system and services acquisition procedures;
(v) the organization system and services acquisition procedures facilitate implementation of the system and services acquisition policy and associated system and services acquisition controls; and
(vi) the organization disseminates formal documented system and services acquisition procedures to elements within the organization having associated system and services acquisition roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities].
SA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of system and services acquisition policy reviews/updates;
(ii) the organization reviews/updates system and services acquisition policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of system and services acquisition procedure reviews/updates; and
(iv) the organization reviews/updates system and services acquisition procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities].



FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
SA-2 ALLOCATION OF RESOURCES
SA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization includes a determination of the information security requirements for the information system in mission/business process planning;
(ii) the organization determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and
(iii) the organization establishes a discrete line item for information security in organizational programming and budgeting documentation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the allocation of resources to information security requirements; organizational programming and budgeting documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with capital planning and investment responsibilities].




FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
SA-3 LIFE CYCLE SUPPORT
SA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages the information system using a system development life cycle methodology that includes information security considerations;
(ii) the organization defines and documents information system security roles and responsibilities throughout the system development life cycle; and
(iii) the organization identifies individuals having information system security roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; information system development life cycle documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information security and system life cycle development responsibilities].




FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
SA-4 ACQUISITIONS
SA-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
  • security functional requirements/specifications;
  • security-related documentation requirements; and
  • developmental and evaluation-related assurance requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].



SA-4(1) ACQUISITIONS
SA-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SA-4(2) ACQUISITIONS
SA-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SA-4(3) ACQUISITIONS
SA-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development processes employ:
  • state-of-the-practice software and security engineering methods;
  • quality control processes; and
  • validation techniques.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SA-4(4) ACQUISITIONS
SA-4(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization explicitly assigns each acquired information system component to an information system; and
(ii) the owner of the system acknowledges each assignment of information system components to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; information system owner].


SA-4(5) ACQUISITIONS
SA-4(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires in acquisition documents that information system components are delivered in a secure, documented configuration; and
(ii) the organization requires in acquisition documents that the secure configuration is the default configuration for any software reinstalls or upgrades.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SA-4(6) ACQUISITIONS
SA-4(6).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(ii) the organization ensures that these products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].


SA-4(7) ACQUISITIONS
SA-4(7).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization limits the use of commercially-provided information technology products to those products that have been successfully evaluated against a validated U.S. Government Protection Profile for a specific technology type, if such a profile exists;
(ii) the organization determines, when no U.S. Government Protection Profile exists for such a specific technology type, whether a commercially-provided information technology product relies on cryptographic functionality to enforce its security policy; and
(iii) the organization requires the use of a FIPS-validated cryptographic module for any such product that relies on cryptographic functionality to enforce its security policy when no U.S. Government Protection Profile exists for that technology type.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].



FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
SA-5 INFORMATION SYSTEM DOCUMENTATION
SA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
  • secure configuration, installation, and operation of the information system;
  • effective use and maintenance of the security features/functions; and
  • known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
(ii) the organization obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
  • user-accessible security features/functions and how to effectively use those security features/functions;
  • methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
  • user responsibilities in maintaining the security of the information and information system; and
(iii) the organization documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system documentation including administrator and user guides; records documenting attempts to obtain unavailable or nonexistent information system documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system].



SA-5(1) INFORMATION SYSTEM DOCUMENTATION
SA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation; and
(ii) the documentation describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SA-5(2) INFORMATION SYSTEM DOCUMENTATION
SA-5(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation; and
(ii) the documentation describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SA-5(3) INFORMATION SYSTEM DOCUMENTATION
SA-5(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation; and
(ii) the documentation describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SA-5(4) INFORMATION SYSTEM DOCUMENTATION
SA-5(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation, and
(ii) the documentation describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SA-5(5) INFORMATION SYSTEM DOCUMENTATION
SA-5(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains, protects as required, and makes available to authorized personnel, the source code for the information system to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; information system source code documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel operating, using, and/or maintaining the information system].



FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


ASSESSMENT PROCEDURE
SA-6 SOFTWARE USAGE RESTRICTIONS
SA-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization uses software and associated documentation in accordance with contract agreements and copyright laws;
(ii) the organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
(iii) the organization controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing software usage restrictions; site license documentation; list of software usage restrictions; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].



SA-6(1) SOFTWARE USAGE RESTRICTIONS
SA-6(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization prohibits the use of binary or machine executable code from sources with limited or no warranty without accompanying source code;
(ii) the organization provides exceptions to the source code requirement only when no alternative solutions are available to support compelling mission/operational requirements; and
(iii) the organization obtains express written consent of the authorizing official for exceptions to the source code requirement.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].

FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT

ASSESSMENT PROCEDURE
SA-7 USER-INSTALLED SOFTWARE
SA-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies and documents (as appropriate) explicit rules to be enforced when governing the installation of software by users; and
(ii) the organization (or information system) enforces explicit rules governing the installation of software by users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing user-installed software; list of rules governing user-installed software; network traffic on the information system; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].
Test: [SELECT FROM: Enforcement of rules for user-installed software on the information system; information system for prohibited software].

FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT

ASSESSMENT PROCEDURE
SA-8 SECURITY ENGINEERING PRINCIPLES
SA-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization applies information system security engineering principles in the specification of the information system;
(ii) the organization applies information system security engineering principles in the design of the information system;
(iii) the organization applies information system security engineering principles in the development of the information system;
(iv) the organization applies information system security engineering principles in the implementation of the information system; and
(v) the organization applies information system security engineering principles in the modification of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing security engineering principles used in the development and implementation of the information system; information system design documentation; security requirements and security specifications for the information system; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system design, development, implementation, and modification responsibilities].

FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT

ASSESSMENT PROCEDURE
SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
SA-9.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
(ii) the organization defines and documents government oversight, and user roles and responsibilities with regard to external information system services; and
(iii) the organization monitors security control compliance by external service providers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing external information system services; acquisition contracts and service level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; external providers of information system services].

SA-9(1) EXTERNAL INFORMATION SYSTEM SERVICES
SA-9(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services;
(ii) the organization defines the senior organizational official designated to approve the acquisition or outsourcing of dedicated information security services; and
(iii) the designated senior organizational official approves the acquisition or outsourcing of dedicated information security services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; risk assessment reports; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].

FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT

ASSESSMENT PROCEDURE
SA-10 DEVELOPER CONFIGURATION MANAGEMENT
SA-10.1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers/integrators:
(i) perform configuration management during information system:
  • design;
  • development;
  • implementation; and
  • operation;
(ii) manage and control changes to the information system during:
  • design;
  • development;
  • implementation; and
  • modification;
(iii) implement only organization-approved changes;
(iv) document approved changes to the information system; and
(v) track security flaws and flaw resolution.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; information system developer/integrator configuration management plan; security flaw tracking records; system change authorization records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel with configuration management responsibilities].
SA-10(1) DEVELOPER CONFIGURATION MANAGEMENT
SA-10(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers/integrators provide an integrity check of software to facilitate organizational verification of software integrity after delivery.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; information system developer/integrator configuration management plan; security flaw tracking records; system change authorization records; other relevant documents or records].
SA-10(2) DEVELOPER CONFIGURATION MANAGEMENT
SA-10(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization provides an alternative configuration management process with organizational personnel in the absence of a dedicated developer/integrator configuration management team.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; information system configuration management plan; security flaw tracking records; system change authorization records; other relevant documents or records].

FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT

ASSESSMENT PROCEDURE
SA-11 DEVELOPER SECURITY TESTING
SA-11.1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator security testing; acquisition contracts and service level agreements; information system developer/integrator security test plans; records of developer/integrator security testing results for the information system; security flaw tracking records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with developer security testing responsibilities].
SA-11(1) DEVELOPER SECURITY TESTING
SA-11(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires that information system developers/integrators employ code analysis tools to examine software for common flaws; and
(ii) the organization requires that information system developers/integrators document the results of the analysis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator security testing; acquisition contracts and service level agreements; information system developer/integrator security test plans; records of developer/integrator security testing results for the information system; security flaw tracking records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with developer security testing responsibilities].
SA-11(2) DEVELOPER SECURITY TESTING