Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/AC/Low

From FISMApedia
Jump to: navigation, search

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


ACCESS CONTROL

AC-1 ACCESS CONTROL POLICY AND PROCEDURES


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-1 Access Control Policy and Procedures P1 LOW AC-1 MOD AC-1 HIGH AC-1


SECURITY CONTROL

AC-1 ACCESS CONTROL POLICY AND PROCEDURES

Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the access control family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the access control policy. Related control: PM-9.
Control Enhancements: None.


ASSESSMENT PROCEDURE
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
AC-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents access control policy;
(ii) the organization access control policy addresses:
(iii) the organization disseminates formal documented access control policy to elements within the organization having associated access control roles and responsibilities;
(iv) the organization develops and formally documents access control procedures;
(v) the organization access control procedures facilitate implementation of the access control policy and associated access controls; and
(vi) the organization disseminates formal documented access control procedures to elements within the organization having associated access control roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with access control responsibilities].
AC-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of access control policy reviews/updates;
(ii) the organization reviews/updates access control policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of access control procedure reviews/updates; and
(iv) the organization reviews/updates access control procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with access control responsibilities].


AC-2 ACCOUNT MANAGEMENT


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-2 Account Management P1 LOW AC-2 MOD AC-2 (1) (2) (3) (4) HIGH AC-2 (1) (2) (3) (4)


SECURITY CONTROL

AC-2 ACCOUNT MANAGEMENT

Control: The organization manages information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
j. Reviewing accounts [Assignment: organization-defined frequency].
Supplemental Guidance: The identification of authorized users of the information system and the specification of access privileges is consistent with the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by organizational officials responsible for approving such accounts and privileged access. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-4, IA-5, CM-5, CM-6, MA-3, MA-4, MA-5, SA-7, SC-13, SI-9.
Control Enhancements:


ASSESSMENT PROCEDURE
AC-2 ACCOUNT MANAGEMENT
AC-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages information system accounts, including;
  • identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
  • establishing conditions for group membership;
  • identifying authorized users of the information system and specifying access privileges;
  • requiring appropriate approvals for requests to establish accounts;
  • establishing, activating, modifying, disabling, and removing accounts;
  • specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
  • notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
  • deactivating: i) temporary accounts that are no longer required; and ii) accounts of terminated or transferred users; and
  • granting access to the system based on:
  • a valid access authorization;
  • intended system usage; and
  • other attributes as required by the organization or associated missions/business functions; and
(ii) the organization defines the frequency of information system account reviews; and
(iii) the organization reviews information system accounts in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing account management; security plan; list of active system accounts along with the name of the individual associated with each account; list of guest/anonymous and temporary accounts along with the name of the individual associated with each account and the date the account expires; lists of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; system-generated records with user IDs and last login date; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with account management responsibilities].



AC-3 ACCESS ENFORCEMENT


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-3 Access Enforcement P1 LOW AC-3 MOD AC-3 HIGH AC-3


SECURITY CONTROL

AC-3 ACCESS ENFORCEMENT

Control: The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to enforcing authorized access at the information-system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of an audited, explicit override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is FIPS 140-2 (as amended) compliant. For classified information, the cryptography used is largely dependent on the classification level of the information and the clearances of the individuals having access to the information. Mechanisms implemented by AC-3 are configured to enforce authorizations determined by other security controls. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, MA-3, MA-4, MA-5, SA-7, SC-13, SI-9.
Control Enhancements:


ASSESSMENT PROCEDURE
AC-3 ACCESS ENFORCEMENT
AC-3.1 ASSESSMENT OBJECTIVE:
Determine if the information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information system configuration settings and associated documentation; list of approved authorizations (user privileges); information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access enforcement policy].


AC-7 UNSUCCESSFUL LOGIN ATTEMPTS


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-7 Unsuccessful Login Attempts P2 LOW AC-7 MOD AC-7 HIGH AC-7


SECURITY CONTROL

AC-7 UNSUCCESSFUL LOGIN ATTEMPTS

Control: The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
Supplemental Guidance: Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization. If a delay algorithm is selected, the organization may chose to employ different algorithms for different information system components based on the capabilities of those components. Response to unsuccessful login attempts may be implemented at both the operating system and the application levels. This control applies to all accesses other than those accesses explicitly identified and documented by the organization in AC-14.
Control Enhancements:


ASSESSMENT PROCEDURE
AC-7 UNSUCCESSFUL LOGIN ATTEMPTS
AC-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the maximum number of consecutive invalid login attempts to the information system by a user and the time period in which the consecutive invalid attempts occur;
(ii) the information system enforces the organization-defined limit of consecutive invalid login attempts by a user during the organization-defined time period;
(iii) the organization defines action to be taken by the system when the maximum number of unsuccessful login attempts is exceeded as:
  • lock out the account/node for a specified time period;
  • lock out the account/note until released by an administrator; or
  • delay the next login prompt according to organization-defined delay algorithm;
(iv) the information system either automatically locks the account/node for the organization-defined time period, locks the account/node until released by an administrator, or delays next login prompt for the organization-defined delay period when the maximum number of unsuccessful login attempts is exceeded; and
(v) the information system performs the organization-defined actions when the maximum number of unsuccessful login attempts is exceeded regardless of whether the login occurs via a local or network connection.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful login attempts; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for unsuccessful login attempts].


AC-8 SYSTEM USE NOTIFICATION


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-8 System Use Notification P1 LOW AC-8 MOD AC-8 HIGH AC-8


SECURITY CONTROL

AC-8 SYSTEM USE NOTIFICATION

Control: The information system:
a. Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.
Supplemental Guidance: System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is intended only for information system access that includes an interactive login interface with a human user and is not intended to require notification when an interactive interface does not exist.
Control Enhancements: None.


ASSESSMENT PROCEDURE
AC-8 SYSTEM USE NOTIFICATION
AC-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization approves the information system use notification message or banner to be displayed by the information system before granting access to the system;
(ii) the information system displays the approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
  • users are accessing a U.S. Government information system;
  • system usage may be monitored, recorded, and subject to audit;
  • unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
  • use of the system indicates consent to monitoring and recording; and
(iii) the information system retains the notification message or banner on the screen until the user takes explicit actions to log on to or further access the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system notification messages; information system configuration settings and associated documentation; information system audit records for user acceptance of notification message or banner; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the access control policy for system use notification].
AC-8.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system (for publicly accessible systems) displays the system use information when appropriate, before granting further access;
(ii) the information system (for publicly accessible systems) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
(iii) the information system (for publicly accessible systems) includes in the notice given to public users of the information system, a description of the authorized uses of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system notification messages; information system configuration settings and associated documentation; other relevant documents or records].


Test: [SELECT FROM: Automated mechanisms implementing the access control policy for system use notification].


AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-14 Permitted Actions without Identification or Authentication P1 LOW AC-14 MOD AC-14 (1) HIGH AC-14 (1)


SECURITY CONTROL

AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION

Control: The organization:
a. Identifies specific user actions that can be performed on the information system without identification or authentication; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.
Supplemental Guidance: This control is intended for those specific instances where an organization determines that no identification and authentication is required; it is not, however, mandating that such instances exist in given information system. The organization may allow a limited number of user actions without identification and authentication (e.g., when individuals access public websites or other publicly accessible federal information systems such as http://www.usa.gov). Organizations also identify any actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypass may be, for example, via a software-readable physical switch that commands bypass of the login functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not being repeated, but rather to situations where identification and/or authentication have not yet occurred. Related control: CP-2, IA-2.
Control Enhancements:


ASSESSMENT PROCEDURE
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies specific user actions that can be performed on the information system without identification or authentication; and
(ii) the organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; security plan; list of information system actions that can be performed without identification and authentication; information system audit records; other relevant documents or records].



AC-17 REMOTE ACCESS


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-17 Remote Access P1 LOW AC-17 MOD AC-17 (1) (2) (3) (4) (5) (7) (8) HIGH AC-17 (1) (2) (3) (4) (5) (7) (8)


SECURITY CONTROL

AC-17 REMOTE ACCESS

Control: The organization:
a. Documents allowed methods of remote access to the information system;
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access to the information system;
d. Authorizes remote access to the information system prior to connection; and
e. Enforces requirements for remote connections to the information system.
Supplemental Guidance: This control requires explicit authorization prior to allowing remote access to an information system without specifying a specific format for that authorization. For example, while the organization may deem it appropriate to use a system interconnection agreement to authorize a given remote access, such agreements are not required by this control. Remote access is any access to an organizational information system by a user (or process acting on behalf of a user) communicating through an external network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless (see AC-18 for wireless access). A virtual private network when adequately provisioned with appropriate security controls, is considered an internal network (i.e., the organization establishes a network connection between organization-controlled endpoints in a manner that does not require the organization to depend on external networks to protect the confidentiality or integrity of information transmitted across the network). Remote access controls are applicable to information systems other than public web servers or systems specifically designed for public access. Enforcing access restrictions associated with remote connections is accomplished by control AC-3. Related controls: AC-3, AC-18, AC-20, IA-2, IA-3, IA-8, MA-4.
Control Enhancements:


ASSESSMENT PROCEDURE
AC-17 REMOTE ACCESS
AC-17.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization documents allowed methods of remote access to the information system;
(ii) the organization establishes usage restrictions and implementation guidance for each allowed remote access method;
(iii) the organization monitors for unauthorized remote access to the information system;
(iv) the organization authorizes remote access to the information system prior to connection; and
(v) the organization enforces requirements for remote connections to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with remote access authorization, monitoring, and control responsibilities].
Test: [SELECT FROM: Remote access methods for the information system].


AC-18 WIRELESS ACCESS


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-18 Wireless Access P1 LOW AC-18 MOD AC-18 (1) HIGH AC-18 (1) (2) (4) (5)


SECURITY CONTROL

AC-18 WIRELESS ACCESS

Control: The organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to the information system;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to the information system.
Supplemental Guidance: Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. In certain situations, wireless signals may radiate beyond the confines and control of organization-controlled facilities. Related controls: AC-3, IA-2, IA-3, IA-8.
Control Enhancements:


ASSESSMENT PROCEDURE
AC-18 WIRELESS ACCESS
AC-18.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes usage restrictions and implementation guidance for wireless access;
(ii) the organization monitors for unauthorized wireless access to the information system;
(iii) the organization authorizes wireless access to the information system prior to connection; and
(iv) the organization enforces requirements for wireless connections to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); activities related to wireless monitoring, authorization, and enforcement; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for authorizing, monitoring or controlling the use of wireless technologies in the information system].
Test: [SELECT FROM: Wireless access usage and restrictions].


AC-19 ACCESS CONTROL FOR MOBILE DEVICES


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-19 Access Control for Mobile Devices P1 LOW AC-19 MOD AC-19 (1) (2) (3) HIGH AC-19 (1) (2) (3)


SECURITY CONTROL

AC-19 ACCESS CONTROL FOR MOBILE DEVICES

Control: The organization:
a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
b. Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
c. Monitors for unauthorized connections of mobile devices to organizational information systems;
d. Enforces requirements for the connection of mobile devices to organizational information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Supplemental Guidance: Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Examples of information system functionality that provide the capability for automatic execution of code are AutoRun and AutoPlay.
Organizational policies and procedures for mobile devices used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific measures to the device after travel is completed. Specially configured mobile devices include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified measures applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. Related controls: MP-4, MP-5.
Control Enhancements:


ASSESSMENT PROCEDURE
AC-19 ACCESS CONTROL FOR MOBILE DEVICES
AC-19.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices;
(ii) the organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
(iii) the organization monitors for unauthorized connections of mobile devices to organizational information systems;
(iv) the organization enforces requirements for the connection of mobile devices to organizational information systems;
(v) the organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
(vi) the organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures;
(vii) the organization defines the inspection and preventative measures to be applied to mobile devices returning from locations that the organization deems to be of significant risk; and
(viii) the organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing access control for portable and mobile devices; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel who use portable and mobile devices to access the information system].
Test: [SELECT FROM: Automated mechanisms implementing access control policy for portable and mobile devices].


AC-20 USE OF EXTERNAL INFORMATION SYSTEMS


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-20 Use of External Information Systems P1 LOW AC-20 MOD AC-20 (1) (2) HIGH AC-20 (1) (2)


SECURITY CONTROL

AC-20 USE OF EXTERNAL INFORMATION SYSTEMS

Control: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.
Supplemental Guidance: External information systems are information systems or components of information systems that are outside of the authorization boundary established by the organization and for which the organization typically has no direct supervision and authority over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to: (i) personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization. For some external systems, in particular those systems operated by other federal agencies, including organizations subordinate to those agencies, the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. In effect, the information systems of these organizations would not be considered external. These situations typically occur when, for example, there is some pre-existing sharing or trust agreement (either implicit or explicit) established between federal agencies and/or organizations subordinate to those agencies, or such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational information system and over which the organization has the authority to impose rules of behavior with regard to system access. The restrictions that an organization imposes on authorized individuals need not be uniform, as those restrictions are likely to vary depending upon the trust relationships between organizations. Thus, an organization might impose more stringent security restrictions on a contractor than on a state, local, or tribal government.
This control does not apply to the use of external information systems to access public interfaces to organizational information systems and information (e.g., individuals accessing federal information through http://www.usa.gov). The organization establishes terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions address as a minimum; (i) the types of applications that can be accessed on the organizational information system from the external information system; and (ii) the maximum security categorization of information that can be processed, stored, and transmitted on the external information system. This control defines access authorizations enforced by AC-3, rules of behavior requirements enforced by PL-4, and session establishment rules enforced by AC-17. Related controls: AC-3, AC-17, PL-4.
Control Enhancements:


ASSESSMENT PROCEDURE
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
AC-20.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies individuals authorized to:
  • access the information system from the external information systems; and
  • process, store, and/or transmit organization-controlled information using the external information systems; and
(ii) the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
  • access the information system from the external information systems; and
  • process, store, and/or transmit organization-controlled information using the external information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external information systems; external information systems terms and conditions; list of types of applications accessible from external information systems; maximum security categorization for information processed, stored, or transmitted on external information systems; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems].



AC-22 PUBLICLY ACCESSIBLE CONTENT


FAMILY: ACCESS CONTROL CLASS: TECHNICAL


Security Control Baseline:
AC-22 Publicly Accessible Content P2 LOW AC-22 MOD AC-22 HIGH AC-22


SECURITY CONTROL

AC-22 PUBLICLY ACCESSIBLE CONTENT

Control: The organization:
a. Designates individuals authorized to post information onto an organizational information system that is publicly accessible;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
d. Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and
e. Removes nonpublic information from the publicly accessible organizational information system, if discovered.
Supplemental Guidance: Nonpublic information is any information for which the general public is not authorized access in accordance with federal laws, Executive Orders, directives, policies, regulations, standards, or guidance. Information protected under the Privacy Act and vendor proprietary information are examples of nonpublic information. This control addresses posting information on an organizational information system that is accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by appropriate organizational policy. Related controls: AC-3, AU-13.
Control Enhancements: None.


ASSESSMENT PROCEDURE
AC-22 PUBLICLY ACCESSIBLE CONTENT
AC-22.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization designates individuals authorized to post information onto an organizational information system that is publicly accessible;
(ii) the organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
(iii) the organization reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
(iv) the organization defines the frequency of reviews of the content on the publicly accessible organizational information system for nonpublic information;
(v) the organization reviews the content on the publicly accessible organizational information system for nonpublic information in accordance with the organization-defined frequency; and
(vi) the organization removes nonpublic information from the publicly accessible organizational information system, if discovered.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Access control policy; procedures addressing publicly accessible content; list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public Web sites; system audit logs; security awareness training records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for managing publicly accessible information posted on organizational information systems].



Source