Doc:NIST SP 800-53Ar1 FPD Appendix F/Enhanced/AC

Template:Doc:NIST SP 800-53r3 Appendix F/AC-1

Determine if: (i) the organization develops and formally documents access control policy; (ii) the organization access control policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented access control policy to elements within the organization having associated access control roles and responsibilities; (iv) the organization develops and formally documents access control procedures; (v) the organization access control procedures facilitate implementation of the access control policy and associated access controls; and (vi) the organization disseminates formal documented access control procedures to elements within the organization having associated access control roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access control responsibilities].

Determine if: (i) the organization defines the frequency of access control policy reviews/updates; (ii) the organization reviews/updates access control policy in accordance with organization-defined frequency; (iii) the organization defines the frequency of access control procedure reviews/updates; and (iv) the organization reviews/updates access control procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-2

Determine if: (i) the organization manages information system accounts, including; identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); establishing conditions for group membership; identifying authorized users of the information system and specifying access privileges; requiring appropriate approvals for requests to establish accounts; establishing, activating, modifying, disabling, and removing accounts; specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; deactivating: i) temporary accounts that are no longer required; and ii) accounts of terminated or transferred users; and granting access to the system based on: a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions; and (ii) the organization defines the frequency of information system account reviews; and (iii) the organization reviews information system accounts in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing account management; security plan; list of active system accounts along with the name of the individual associated with each account; list of guest/anonymous and temporary accounts along with the name of the individual associated with the each account and the date the account expires; lists of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; system-generated records with user IDs and last login date; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with account management responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-2/1

Determine if the organization employs automated mechanisms to support information system account management functions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing account management functions].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-2/2

Determine if: (i) the organization defines a time period for each type of account after which the information system terminates temporary and emergency accounts; and (ii) the information system automatically terminates temporary and emergency accounts after organization-defined time period for each type of account.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of active accounts; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing account management functions].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-2/3

Determine if: (i) the organization defines in a time period after which the information system disables inactive accounts; and (ii) the information system automatically disables inactive accounts after organization-defined time period.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of last login dates; information system-generated list of active accounts; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing account management functions].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-2/4

Determine if: (i) the information system automatically audits: account creation; modification; disabling; and termination actions; and (ii) the information system notifies, as required, appropriate individuals.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing account management functions].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-2/5

Determine if: (i) the organization defines the time period of expected inactivity and/or description of when users log out; (ii) the organization requires that users log out in accordance with the organization-defined time-period of inactivity and/or description of when to log out; (iii) the organization determines normal time-of-day and duration usage for information system accounts; (iv) the organization monitors for atypical usage of information system accounts; and (v) the organization reports atypical usage to designated organizational officials.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; security violation reports; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with account management responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-2/6

Determine if the information system dynamically manages user privileges and associated access authorizations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with account management responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing account management functions].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-2/7

Determine if: (i) the organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and (ii) the organization tracks and monitors privileged role assignments.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system-generated list of privileged user accounts and associated role; information system audit records; audit tracking and monitoring reports; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with account management responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-3

Determine if the information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information system configuration settings and associated documentation; list of approved authorizations (user privileges); information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy].

[Withdrawn: Incorporated into AC-6].

[Withdrawn: Incorporated into AC-6].

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

[Withdrawn: Incorporated into AC-6].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-3/2

Determine if: (i) the organization defines, in organizational policies and procedures, the privileged commands for which dual authorization is to be enforced; and (ii) the information system enforces dual authorization based on organizational policies and procedures for organization-defined privileged commands.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement and dual authorization; security plan; information system design documentation; information system configuration settings and associated documentation; list of privileged commands requiring dual authorization; list of approved authorizations (user privileges); other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].

Test: [SELECT FROM: Dual authorization mechanisms implementing access control policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-3/3

Determine if: (i) the organization defines the users and resources over which the information system is to enforce nondiscretionary access control policies; (ii) the organization defines nondiscretionary access control policies to be enforced over the organization-defined set of users and resources, where the rule set for each policy specifies: access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day); and required relationships among the access control information to permit access; and (iii) the information system enforces organization-defined nondiscretionary access control policies over the organization-defined set of users and resources.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; nondiscretionary access control policies; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; list of users and resources requiring enforcement of nondiscretionary access control policies; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing nondiscretionary access control policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-3/4

Determine if the information system enforces a Discretionary Access Control (DAC) policy that: allows users to specify and control sharing by named individuals or groups of individuals, or by both; limits propagation of access rights; and includes or excludes access to the granularity of a single user.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; discretionary access control policy; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing discretionary access control policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-3/5

Determine if: (i) the organization defines the security-relevant information to which the information system prevents access except during secure, nonoperable system states; and (ii) the information system prevents access to organization-defined security-relevant information except during secure, nonoperable system states.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].

Test: [SELECT FROM: Automated mechanisms preventing access to security-relevant information within the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-3/6

Determine if: (i) the organization defines the user and/or system information to be encrypted or stored off-line in a secure location; and (ii) the organization encrypts, or stores off-line in a secure location, organization-defined user and/or system information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing access enforcement functions].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4

Determine if: (i) the organization defines applicable policy for controlling the flow of information within the system and between interconnected systems; (ii) the organization defines approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy; and (iii) the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system baseline configuration; list of information flow authorizations; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/1

Determine if the information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/2

Determine if the information system enforces information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/3

Determine if: (i) the organization defines policy that allows or disallows information flows based on changing conditions or operational consideration; and (ii) the information system enforces dynamic information flow control based on policy that allows or disallows information flows based on changing conditions or operational considerations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/4

Determine if the information system prevents encrypted data from bypassing content-checking mechanisms.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/5

Determine if: (i) the organization defines the limitations on the embedding of data types with other data types; and (ii) the information system enforces organization-defined limitations on the embedding of data types within other data types.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/6

Determine if the information system enforces information flow control on metadata.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/7

Determine if: (i) the organization defines the one-way information flows to be enforced by the information system; and (ii) the information system enforces organization-defined one-way information flows using hardware mechanisms.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Hardware mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/8

Determine if: (i) the organization defines the security policy filters to be enforced by the information system; and (ii) the information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filters; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/9

Determine if: (i) the organization defines the security policy filters that the information system enforces for the use of human review; and (ii) the information system enforces the use of human review for the organization-defined security policy filters, when the system is not capable of making an information flow control decision.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for making information flow control decisions when the information system is not capable of doing so].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/10

Determine if: (i) the organization defines the security policy filters that privileged administrators have the capability to enable/disable; and (ii) the information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for enabling/disabling security policy filters].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/11

Determine if: (i) the organization defines the security policy filters that privileged administrators have the capability to configure; and (ii) the information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for configuring security policy filters].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/12

Determine if the information system, when transferring information between different security domains, identifies information flows by data type specification and usage.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/13

Determine if the information system, when transferring information between different security domains, decomposes information into policy-relevant subcomponents for submission to policy enforcement mechanisms.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/14

Determine if: (i) the organization defines the security policy requirements for constraining data structure and content; and (ii) the information system, when transferring information between different security domains, implements policy filters that constrain data structure and content in accordance with organization-defined information security policy requirements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of policy filters; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/15

Determine if: (i) the information system, when transferring information between different security domains, detects unsanctioned information; and (ii) the information system prohibits the transfer of unsanctioned information in accordance with the security policy.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/16

Determine if the information system enforces security policies regarding information on interconnected systems.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-4/17

Determine if: (i) the information system uniquely identifies source domains for information transfer; (ii) the information system uniquely authenticates source domains for information transfer; (iii) the information system uniquely identifies destination domains for information transfer; (iv) the information system uniquely authenticates destination domains for information transfer; (v) the information system binds security attributes to information to facilitate information flow policy enforcement; (vi) the information system tracks problems associated with the security attribute binding; and (vii) the information system tracks problems associated with the information transfer.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; procedures addressing source and destination domain identification and authentication, and information transfer error handling; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-5

Determine if: (i) the organization separates duties of individuals as necessary, to prevent malevolent activity without collusion; (ii) the organization documents separation of duties; and (iii) the organization implements separation of duties through assigned information system access authorizations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing divisions of responsibility and separation of duties; information system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties].

Test: [SELECT FROM: Automated mechanisms implementing separation of duties policy].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-6

Determine if the organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of assigned access authorizations (user privileges); information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-6/1

Determine if: (i) the organization defines the security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized; and (ii) the organization explicitly authorizes access to the organization-defined security functions and security-relevant information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of security functions and security-relevant information for which access must be explicitly authorized; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-6/2

Determine if: (i) the organization defines the security functions or security-relevant information to which users of information system accounts, or roles, have access; and (ii) the organization requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other system functions; and (iii) the organization, if deemed feasible, audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated security functions or security-relevant information assigned to information system accounts or roles; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-6/3

Determine if: (i) the organization defines the privileged commands to which network access is to be authorized only for compelling operational needs; (ii) the organization authorizes network access to organization-defined privileged commands only for compelling operational needs; and (iii) the organization documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-6/4

Determine if the information system provides separate processing domains to enable finer-grained allocation of user privileges.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-6/5

Determine if the organization limits authorization to super user accounts on the information system to designated system administration personnel.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated super user accounts; list of system administration personnel; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-6/6

Determine if the organization prohibits privileged access to the information system by non-organizational users.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated privileged accounts; list of non-organizational users; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-7

Determine if: (i) the organization defines the maximum number of consecutive invalid login attempts to the information system by a user and the time period in which the consecutive invalid attempts occur; (ii) the information system enforces the organization-defined limit of consecutive invalid login attempts by a user during the organization-defined time period; (iii) the organization defines action to be taken by the system when the maximum number of unsuccessful login attempts is exceeded as: lock out the account/node for a specified time period; lock out the account/note until released by an administrator; or delay the next login prompt according to organization-defined delay algorithm; (iv) the information system either automatically locks the account/node for the organization-defined time period, locks the account/node until released by an administrator, or delays next login prompt for the organization-defined delay period when the maximum number of unsuccessful login attempts is exceeded; and (v) the information system performs the organization-defined actions when the maximum number of unsuccessful login attempts is exceeded regardless of whether the login occurs via a local or network connection.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful login attempts; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for unsuccessful login attempts].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-7/1

Determine if the information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful login attempts is exceeded.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful login attempts; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for unsuccessful login attempts].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-7/2

Determine if: (i) the organization defines the number of consecutive, unsuccessful login attempts allowed for accessing a mobile device before the information system purges information from the device; and (ii) the information system provides protection for mobile devices accessed via login by purging information from such devices after the organization-defined number of consecutive, unsuccessful login attempts to the device is exceeded.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful login attempts on mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for unsuccessful login attempts].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-8

Determine if: (i) the organization approves the information system use notification message or banner to be displayed by the information system before granting access to the system; (ii) the information system displays the approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: users are accessing a U.S. Government information system; system usage may be monitored, recorded, and subject to audit; unauthorized use of the system is prohibited and subject to criminal and civil penalties; and use of the system indicates consent to monitoring and recording; and (iii) the information system retains the notification message or banner on the screen until the user takes explicit actions to log on to or further access the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system notification messages; information system configuration settings and associated documentation; information system audit records for user acceptance of notification message or banner; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for system use notification].

Determine if: (i) the information system (for publicly accessible systems) displays the system use information when appropriate, before granting further access; (ii) the information system (for publicly accessible systems) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) the information system (for publicly accessible systems) includes in the notice given to public users of the information system, a description of the authorized uses of the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system notification messages; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for system use notification].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-9

Determine if the information system, upon successful user logon (access), displays to the user the date and time of the last logon (access).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing previous logon notification; information system configuration settings and associated documentation; information system notification messages; information system design documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for previous logon notification].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-9/1

Determine if the information system, upon successful user logon/access, displays to the user the number of unsuccessful logon/access attempts since the last successful logon/access.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for previous logon notification].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-9/2

Determine if: (i) the organization defines the time period during which the number of successful logins/accesses and/or unsuccessful user login/access attempts occurs; and (ii) the information system notifies the user of the number of successful logins/accesses and/or unsuccessful login/access attempts that occur during the organization-defined time period.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for previous logon notification].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-9/3

Determine if: (i) the organization defines the time period for which security-related changes to the user's account occur; and (ii) the information system notifies the user of the organization-defined security-related changes to the user's account that occur during the organization-defined time period.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for previous logon notification].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-10

Determine if: (i) the organization defines the maximum number of concurrent sessions to be allowed for each system account; and (ii) the information system limits the number of concurrent sessions for each system account to the organization-defined number of sessions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing concurrent session control; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for concurrent session control].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-11

Determine if: (i) the organization defines the time period of user inactivity after which the information system initiates a session lock; (ii) the information system initiates a session lock after the organization-defined time period of inactivity or upon receiving a request from a user; (iii) the information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing session lock; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for session lock].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-11/1

Determine if the information system session lock mechanism, when activated on a device with a display screen, places a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing session lock; display screen with session lock activated; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Information system session lock mechanisms].

[Withdrawn: Incorporated into SC-10].

[Withdrawn: Incorporated into SC-10].

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

[Withdrawn: Incorporated into SC-10].

[Withdrawn: Incorporated into AC-2 and AU-6].

[Withdrawn: Incorporated into AC-2 and AU-6].

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

[Withdrawn: Incorporated into AC-2 and AU-6].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-14

Determine if: (i) the organization identifies specific user actions that can be performed on the information system without identification or authentication; and (ii) the organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; security plan; list of information system actions that can be performed without identification and authentication; information system audit records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-14/1

Determine if the organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; security plan; list of information system actions that can be performed without identification and authentication; information system audit records; other relevant documents or records].

[Withdrawn: Incorporated into MP-3].

[Withdrawn: Incorporated into MP-3].

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

[Withdrawn: Incorporated into MP-3].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-16

Determine if: (i) the organization defines the security attributes the information system binds to information: in storage; in process; and in transmission; and (ii) the information system supports and maintains the binding of the organization-defined security attributes to information in storage, in process, and in transmission.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing the binding of security attributes to information in storage, in process, and in transmission; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms supporting and maintaining the binding of security attributes to information in storage, in process, and in transmission].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-16/1

Determine if the information system dynamically reconfigures security attributes in accordance with an identified security policy as information is created and combined.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing the dynamic reconfiguration of security attributes; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the dynamic reconfiguration of security attributes to information].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-16/2

Determine if: (i) the organization identifies the entities authorized to change security attributes; and (ii) the information system allows authorized entities to change security attributes.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing the change of security attributes; information system design documentation; information system configuration settings and associated documentation; list of entities authorized to change security attributes; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for changing security attributes].

Test: [SELECT FROM: Automated mechanisms allowing the change of security attributes].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-16/3

Determine if the information system maintains the binding of security attributes to information with sufficient assurance that the information-attribute association can be used as the basis for automated policy actions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing the binding of security attributes to information; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms maintaining the binding of security attributes to information].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-16/4

Determine if: (i) the organization identifies users authorized to associate security attributes with information; and (ii) the information system allows authorized users to associate security attributes with information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing the association of security attributes to information; information system design documentation; information system configuration settings and associated documentation; list of users authorized to associate security attributes with information; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for associating security attributes with information].

Test: [SELECT FROM: Automated mechanisms allowing users to associate security attributes with information].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-16/5

Determine if: (i) the organization defines the set of special dissemination, handling, or distribution instructions to be used for each object output from the information system; (ii) the organization defines standard naming conventions for the security attributes to be displayed in human-readable form on each object output from the system to system output devices; and (iii) the information system displays security attributes in human-readable form on each object output from the system to system output devices to identify the organization-defined set of special dissemination, handling, or distribution instructions using organization-defined human readable, standard naming conventions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing display of security attributes in human-readable form; special instructions for the dissemination, handling, or distribution of object output from the information system; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: System output devices displaying security attributes in human-readable form on each object].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-17

Determine if: (i) the organization documents allowed methods of remote access to the information system; (ii) the organization establishes usage restrictions and implementation guidance for each allowed remote access method; (iii) the organization monitors for unauthorized remote access to the information system; (iv) the organization authorizes remote access to the information system prior to connection; and (v) the organization enforces requirements for remote connections to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with remote access authorization, monitoring, and control responsibilities].

Test: [SELECT FROM: Remote access methods for the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-17/1

Determine if the organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for remote access].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-17/2

Determine if the organization uses cryptography to protect the confidentiality and integrity of remote access sessions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing cryptographic protections for remote access].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-17/3

Determine if: (i) the organization defines a limited number of managed access control points for remote access to the information system; and (ii) the information system routes all remote accesses through managed access control points.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; list of managed access control points; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for remote access].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-17/4

Determine if: (i) the organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs; and (ii) the organization documents the rationale for such access in the security plan for the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; security plan; information system audit records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-17/5

Determine if: (i) the organization defines the frequency of monitoring for unauthorized remote connections to the information system; (ii) the organization monitors for unauthorized remote connections to the information system in accordance with the organization-defined frequency; (iii) the organization defines the appropriate action(s) to be taken if an unauthorized connection is discovered; and (iv) the organization takes organization-defined appropriate action(s) if an unauthorized connection is discovered.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for monitoring remote connections to the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-17/6

Determine if the organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing or monitoring remote access to the information system; information system users with knowledge of information about remote access mechanisms].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-17/7

Determine if: (i) the organization defines the security functions and security-relevant information that can be accessed using remote sessions; (ii) the organization defines the additional security measures to be employed for remote sessions used to access organization-defined security functions and security-relevant information; (iii) the organization employs organization-defined additional security measures for remote sessions used to access organization-defined security functions and security-relevant information; and (iv) the organization audits remote sessions for accessing organization-defined security functions and security-relevant information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for remote access].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-17/8

Determine if: (i) the organization defines the networking protocols within the information system deemed to be nonsecure; and (ii) the organization disables the organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; security plan; list of networking protocols deemed to be non-secure; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms disabling networking protocols deemed to be non-secure].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-18

Determine if: (i) the organization establishes usage restrictions and implementation guidance for wireless access; (ii) the organization monitors for unauthorized wireless access to the information system; (iii) the organization authorizes wireless access to the information system prior to connection; and (iv) the organization enforces requirements for wireless connections to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); activities related to wireless monitoring, authorization, and enforcement; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for authorizing, monitoring or controlling the use of wireless technologies in the information system].

Test: [SELECT FROM: Wireless access usage and restrictions].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-18/1

Determine if the information system protects wireless access to the system using authentication and encryption.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for wireless access to the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-18/2

Determine if: (i) the organization defines the frequency of monitoring for unauthorized wireless connections to the information system, including scans for unauthorized wireless access points; (ii) the organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points, in accordance with organization-defined frequency; (iii) the organization defines the appropriate action(s) to be taken if an unauthorized connection is discovered; and (iv) the organization takes appropriate action(s) if an unauthorized connection discovered.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless scanning reports; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for monitoring wireless connections to the information system].

Test: [SELECT FROM: Scanning procedures for detecting unauthorized wireless connections and access points].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-18/3

Determine if the organization disables, when not intended for use, wireless networking capabilities internally embedded within the information system components prior to issuance and deployment.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms controlling the disabling of wireless networking capabilities internally embedded within the information system components].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-18/4

Determine if the organization does not allow users to independently configure wireless networking capabilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms preventing independent configuration of wireless networking capabilities].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-18/5

Determine if the organization confines wireless communications to organization-controlled boundaries.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the access control policy for wireless access to the information system; Wireless connections and access points outside of organizational boundaries using scanning devices.].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-19

Determine if: (i) the organization establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; (ii) the organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems; (iii) the organization monitors for unauthorized connections of mobile devices to organizational information systems; (iv) the organization enforces requirements for the connection of mobile devices to organizational information systems; (v) the organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; (vi) the organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; (vii) the organization defines the inspection and preventative measures to be applied to mobile devices returning from locations that the organization deems to be of significant risk; and (viii) the organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel who use portable and mobile devices to access the information system].

Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-19/1

Determine if the organization restricts the use of writable, removable media in organizational information systems.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel who use portable and mobile devices to access the information system].

Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-19/2

Determine if the organization prohibits the use of personally owned, removable media in organizational information systems.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-19/3

Determine if the organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-19/4

Determine if: (i) the organization prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the appropriate authorizing official(s); (ii) the organization defines the security officials authorized to randomly review/inspect mobile devices and the information stored on those devices for classified information; and (iii) the organization enforces the following restrictions on individuals permitted to use mobile devices in facilities containing information systems processing, storing, or transmitting classified information: connection of unclassified mobile devices to classified information systems is prohibited; connection of unclassified mobile devices to unclassified information systems requires approval from the appropriate authorizing official(s); use of internal or external modems or wireless interfaces within the mobile devices is prohibited; and mobile devices and the information stored on those devices are subject to random reviews/inspections by organization-defined security officials, and if classified information is found, the incident handling policy is enforced.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; evidentiary documentation for random inspections of mobile devices; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for randomly reviewing/inspecting mobile devices; Organizational personnel using mobile devices in facilities containing information systems processing, storing, or transmitting classified information].

Test: [SELECT FROM: Test automated mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-20

Determine if: (i) the organization identifies individuals authorized to: access the information system from the external information systems; and process, store, and/or transmit organization-controlled information using the external information systems; and (ii) the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: access the information system from the external information systems; and process, store, and/or transmit organization-controlled information using the external information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing the use of external information systems; external information systems terms and conditions; list of types of applications accessible from external information systems; maximum security categorization for information processed, stored, or transmitted on external information systems; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-20/1

Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or has approved information system connection or processing agreements with the organizational entity hosting the external information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing the use of external information systems; security plan; information system connection or processing agreements; account management documents; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-20/2

Determine if the organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing the use of external information systems; security plan; information system configuration settings and associated documentation; information system connection or processing agreements; account management documents; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-21

Determine if: (i) the organization defines the circumstances where user discretion is required to facilitate information sharing; (ii) the organization facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for the organization-defined circumstances; (iii) the organization defines the information sharing circumstances and automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions; and (iv) the organization employs organization-defined circumstances and automated mechanisms or manual processes to assist users in making information sharing/collaboration decisions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); information system design documentation; information system configuration settings and associated documentation; list of users authorized to make information sharing/collaboration decisions; list of information sharing circumstances requiring user discretion; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for making information sharing/collaboration decisions].

Test: [SELECT FROM: Automated mechanisms or manual process implementing access authorizations supporting information sharing/user collaboration decisions].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-21/1

Determine if the information system employs automated mechanisms to enable authorized users to make information-sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); information system design documentation; information system configuration settings and associated documentation; system-generated list of users authorized to make information sharing/collaboration decisions; system-generated list of sharing partners and access authorizations; system-generated list of access restrictions regarding information to be shared; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing access authorizations supporting information sharing/user collaboration decisions].

Template:Doc:NIST SP 800-53r3 Appendix F/AC-22

Determine if: (i) the organization designates individuals authorized to post information onto an organizational information system that is publicly accessible; (ii) the organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (iii) the organization reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system; (iv) the organization defines the frequency of reviews of the content on the publicly accessible organizational information system for nonpublic information; (v) the organization reviews the content on the publicly accessible organizational information system for nonpublic information in accordance with the organization-defined frequency; and (vi) the organization removes nonpublic information from the publicly accessible organizational information system, if discovered.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Access control policy; procedures addressing publicly accessible content; list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public websites; system audit logs; security awareness training records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for managing publicly accessible information posted on organizational information systems].