Doc:NIST SP 800-53Ar1 FPD Appendix F/Enhanced/SI

Template:Doc:NIST SP 800-53r3 Appendix F/SI-1

Determine if: (i) the organization develops and formally documents system and information integrity policy; (ii) the organization system and information integrity policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented system and information integrity policy to elements within the organization having associated system and information integrity roles and responsibilities; (iv) the organization develops and formally documents system and information integrity procedures; (v) the organization system and information integrity procedures facilitate implementation of the system and information integrity policy and associated system and information integrity controls; and (vi) the organization disseminates formal documented system and information integrity procedures to elements within the organization having associated system and information integrity roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and information integrity responsibilities].

Determine if: (i) the organization defines the frequency of system and information integrity policy reviews/updates; (ii) the organization reviews/updates system and information integrity policy in accordance with organization-defined frequency; (iii) the organization defines the frequency of system and information integrity procedure reviews/updates; and (iv) the organization reviews/updates system and information integrity procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and information integrity responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-2

Determine if: (i) the organization identifies, reports, and corrects information system flaws; (ii) the organization tests software updates related to flaw remediation for effectiveness before installation; (iii) the organization tests software updates related to flaw remediation for potential side effects on organizational information systems before installation; and (iv) the organization incorporates flaw remediation into the organizational configuration management process.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software to correct information system flaws; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with flaw remediation responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-2/1

Determine if: (i) the organization centrally manages the flaw remediation process; and (ii) the organization installs software updates automatically.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting centralized management of flaw remediation and automatic software updates; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms supporting centralized management of flaw remediation and automatic software updates].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-2/2

Determine if: (i) the organization defines the frequency of employing automated mechanisms to determine the state of information system components with regard to flaw remediation; and (ii) the organization employs automated mechanisms in accordance with the organization-defined frequency to determine the state of information system components with regard to flaw remediation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information system flaw remediation update status].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-2/3

Determine if: (i) the organization defines the benchmarks to which the organization's measurement of time elapsed between flaw identification and flaw remediation should be compared; (ii) the organization measures the time between flaw identification and flaw remediation; and (iii) the organization compares the time measured between flaw identification and flaw remediation with organization-defined benchmarks.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting centralized management of flaw remediation and automatic software updates; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-2/4

Determine if: (i) the organization defines information system components for which automated patch management tools are to be employed to facilitate flaw remediation; and (ii) the organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms facilitating flaw remediation to information system components].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3

Determine if: (i) the organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code: transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or inserted through the exploitation of information system vulnerabilities; (ii) the organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code: transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or inserted through the exploitation of information system vulnerabilities; (iii) the organization updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with configuration management policy and procedures defined in CM-1; (iv) the organization defines the frequency of periodic scans of the information system by malicious code protection mechanisms; (v) the organization defines one or more of the following actions to be taken in response to malicious code detection: block malicious code; quarantine malicious code; and/or send alert to administrator; (vi) the organization configures malicious code protection mechanisms to: perform periodic scans of the information system in accordance with organization-defined frequency; perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and take organization-defined action(s) in response to malicious code detection; and (vii) the organization addresses the receipt of false positives during malicious code: detection and eradication; and the resulting potential impact on the availability of the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with malicious code protection responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3/1

Determine if the organization centrally manages malicious code protection mechanisms.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3/2

Determine if the information system automatically updates malicious code protection mechanisms, including signature definitions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3/3

Determine if the information system prevents non-privileged users from circumventing malicious code protection capabilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3/4

Determine if the information system updates malicious code protection mechanisms only when directed by a privileged user.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3/5

Determine if the organization does not allow users to introduce removable media into the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with malicious code protection responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-3/6

Determine if: (i) the organization defines the frequency of testing malicious code protection mechanisms; and (ii) the organization tests malicious code protection mechanisms, in accordance with organization-defined frequency, by introducing a known benign, non-spreading test case into the information system and subsequently verifying that both detection of the test case and associated incident reporting occur, as required.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4

Determine if: (i) the organization defines objectives for monitoring events on the information system; (ii) the organization monitors events on the information system in accordance with organization-defined objectives and detects information system attacks; (iii) the organization identifies unauthorized use of the information system; (iv) the organization deploys monitoring devices: strategically within the information system to collect organization-determined essential information; and at ad hoc locations within the system to track specific types of transactions of interest to the organization; (v) the organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and (vi) the organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/1

Determine if the organization interconnects and configures individual intrusion detection tools into a system-wide intrusion detection system using common protocols.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].

Test: [SELECT FROM: Information system-wide intrusion detection capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/2

Determine if the organization employs automated tools to support near real-time analysis of events.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; other relevant documents or records].

Test: [SELECT FROM: Automated tools supporting near real-time event analysis].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/3

Determine if the organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].

Test: [SELECT FROM: Automated tools supporting the integration of intrusion detection tools and access/flow control mechanisms].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/4

Determine if the information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].

Test: [SELECT FROM: Automated tools supporting the integration of intrusion detection tools and access/flow control mechanisms].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/5

Determine if: (i) the organization defines indicators of compromise or potential compromise to the security of the information system; and (ii) the information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; security plan; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Information system monitoring real-time alert capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/6

Determine if the information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].

Test: [SELECT FROM: Information system-wide intrusion detection and prevention capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/7

Determine if: (i) the organization defines incident response personnel (identified by name and/or by role) to be notified of suspicious events; (ii) the organization defines least-disruptive actions to be taken by the information system to terminate suspicious events; (iii) the information system notifies organization-defined incident response personnel of suspicious events; and (iv) the information system takes organization-defined least-disruptive actions to terminate suspicious events.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; other relevant documents or records].

Test: [SELECT FROM: Information system notification capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/8

Determine if the organization protects information obtained from intrusion-monitoring tools from: unauthorized access; modification; and deletion.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/9

Determine if: (i) the organization defines the time period for testing/exercising intrusion-monitoring tools; and (ii) the organization tests/exercises intrusion-monitoring tools in accordance with organization-defined time period.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; documentation providing evidence of testing intrusion monitoring tools; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/10

Determine if the organization makes provisions so that encrypted traffic is visible to information system monitoring tools.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/11

Determine if the organization to discover anomalies analyzes outbound communications traffic at: the external boundary of the system (i.e., system perimeter); and as deemed necessary, at selected interior points within the system (e.g., subnets, subsystems).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/12

Determine if: (i) the organization defines inappropriate or unusual activities with security implications that should trigger alerts to security personnel; and (ii) the organization employs automated mechanisms to alert security personnel of the organization-defined inappropriate or unusual activities with security implications.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; list of inappropriate or unusual activities that trigger alerts; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing alerts to security personnel for inappropriate or unusual activities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/13

Determine if: (i) the organization analyzes communications traffic/event patterns for the information system; (ii) the organization develops profiles representing common traffic patterns and/or events; (iii) the organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false positives and false negatives; and (iv) the organization uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and false negatives to their respective organization-defined measures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; list of common traffic patterns and/or events; information system protocols documentation; list of acceptable thresholds for false positives and false negatives; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/14

Determine if the organization employs a wireless intrusion detection system to: identify rogue wireless devices to the information system; detect attack attempts to the information system; and detect potential compromises/breaches to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing wireless communications intrusion detection capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/15

Determine if the organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing wireless communications intrusion detection capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/16

Determine if the organization correlates information from monitoring tools employed throughout the information system to achieve organization-wide situational awareness.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; event correlation logs or records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-4/17

Determine if the organization correlates results from monitoring physical, cyber, and supply chain activities to achieve integrated situational awareness.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; event correlation logs or records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-5

Determine if: (i) the organization receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis; (ii) the organization generates internal security alerts, advisories, and directives; (iii) the organization defines personnel (identified by name and/or by role) who should receive security alerts, advisories, and directives; (iv) the organization disseminates security alerts, advisories, and directives to organization-identified personnel; and (v) the organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing security alerts and advisories; records of security alerts and advisories; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, administering, and using the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-5/1

Determine if the organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing security alerts and advisories; information system design documentation; information system configuration settings and associated documentation; automated mechanisms supporting the distribution of security alert and advisory information; records of security alerts and advisories; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the distribution of security alert and advisory information].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-6

Determine if: (i) the organization defines the appropriate conditions, including the system transitional states if applicable, for verifying the correct operation of security functions; (ii) the organization defines for periodic security function verification, the frequency of the verifications; (iii) the organization defines information system responses and alternative action(s) to anomalies discovered during security function verification; (iv) the information system verifies the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification); and (v) the information system responds to security function anomalies in accordance with organization-defined responses and alternative action(s).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing security function verification; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Security function verification capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-6/1

Determine if the information system provides notification of failed automated security tests.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing security function verification; information system design documentation; security plan; information system configuration settings and associated documentation; automated security test results; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing alerts and/or notifications for failed automated security tests].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-6/2

Determine if the information system provides automated support for the management of distributed security testing.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing security function verification; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms supporting the management of distributed security function testing].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-6/3

Determine if: (i) the organization identifies organizational officials with information security responsibilities designated to receive the results of security function verification; and (ii) the organization reports the results of security function verification to designated organizational officials with information security responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing security function verification; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security functionality verification responsibilities; organizational personnel with information security responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-7

Determine if the information system detects unauthorized changes to software and information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and applications documentation; other relevant documents or records].

Test: [SELECT FROM: Software integrity protection and verification capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-7/1

Determine if: (i) the organization defines the frequency of integrity scans to be performed on the information system; and (ii) the organization reassesses the integrity of software and information by performing integrity scans of the information system in accordance with the organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; security plan; information system configuration settings and associated documentation; integrity verification tools and applications documentation; records of integrity scans; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-7/2

Determine if the organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; information system configuration settings and associated documentation; integrity verification tools and applications documentation; records of integrity scans; automated tools supporting alerts and notifications for integrity discrepancies; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-7/3

Determine if the organization employs centrally managed integrity verification tools.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; information system configuration settings and associated documentation; integrity verification tools and applications documentation; records of integrity scans; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-7/4

Determine if: (i) the organization defines information system components that require use of tamper-evident packaging; (ii) the organization defines the conditions (i.e., transportation from vendor to operational site, during operation, both) under which tamper-evident packaging must be used for organization-defined information system components; and (iii) the organization requires use of tamper-evident packaging for organization-defined information system components during organization-defined conditions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; information system component packaging; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-8

Determine if: (i) the organization employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; (ii) the organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; and (iii) the organization updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures defined in CM-1.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing spam protection; information system design documentation; spam protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with spam protection responsibilities].

Test: [SELECT FROM: Automated mechanisms implementing spam detection and handling capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-8/1

Determine if the organization centrally manages spam protection mechanisms.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing spam protection; information system design documentation; spam protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-8/2

Determine if the information system automatically updates spam protection mechanisms (including signature definitions).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing spam protection; information system design documentation; spam protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-9

Determine if the organization restricts the capability to input information to the information system to authorized personnel.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information input restrictions; access control policy and procedures; separation of duties policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing restrictions on individual authorizations to input information into the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-10

Determine if the information system checks the validity of information inputs.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information validity; access control policy and procedures; separation of duties policy and procedures; documentation for automated tools and applications to verify validity of information; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Information system capability for checking validity of information inputs].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-11

Determine if: (i) the information system identifies potentially security-relevant error conditions; (ii) the organization defines sensitive or potentially harmful information that should not be contained in error logs and administrative messages; (iii) the information system generates error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited by adversaries; and (iv) the information system reveals error messages only to authorized personnel.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system error handling; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Information system error handling capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-12

Determine if: (i) the organization handles both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements; and (ii) the organization retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system output handling and retention; media protection policy and procedures; information retention records, other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information output handling and retention responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-13

Determine if: (i) the organization defines information system components for which mean time to failure rates should be considered to protect the information system from harm; (ii) the organization protects the information system from harm by considering mean time to failure rates for organization-defined information system components in specific environments of operation; (iii) the organization provides substitute information system components, when needed; and (iv) the organization provides a mechanism to exchange active and standby roles of the components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with predictable failure prevention responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-13/1

Determine if: (i) the organization defines the maximum fraction or percentage of mean time to failure in order to transfer the responsibilities of an information system component that is out of service to a substitute component; and (ii) the organization takes the information system component out of service by transferring component responsibilities to a substitute component no later than the organization-defined fraction or percentage of mean time to failure.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organization personnel with predictable failure prevention responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-13/2

Determine if: (i) the organization defines the time period that a process is allowed to execute without supervision; and (ii) the organization does not allow a process to execute without supervision for more than the organization-defined time period.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Information system predictable failure prevention capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-13/3

Determine if: (i) the organization defines the minimum frequency with which the organization manually initiates a transfer between active and standby information system components if the mean time to failure exceeds the organization-defined time period; (ii) the organization defines the time period that the mean time to failure must exceed before the organization manually initiates a transfer between active and standby information system components; and (iii) the organization manually initiates a transfer between active and standby information system components at least once per the organization-defined frequency if the mean time to failure exceeds the organization-defined time period.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: SOrganizational personnel with predictable failure prevention responsibilities].

Test: [SELECT FROM: Information system predictable failure prevention capability].

Template:Doc:NIST SP 800-53r3 Appendix F/SI-13/4

Determine if: (i) the organization defines the time period for a standby information system component to successfully and transparently assume the role of an information system component that has failed; (ii) the organization defines the organization-defined alarm when an information system component failure is detected; and (iii) the organization, if an information system component failure is detected: ensures that the standby information system component successfully and transparently assumes its role within the organization-defined time period; and activates the organization-defined alarm and/or automatically shuts down the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; list of actions to be taken once information system component failure is detected; other relevant documents or records].

Test: [SELECT FROM: Information system predictable failure prevention capability].