Doc:NIST SP 800-53Ar1 FPD Appendix F/Enhanced/SI

From FISMApedia


SP 800-53Ar1 FPD Assessment Procedure Catalog, with SP 800-53r3 Security Controls


SYSTEM AND INFORMATION INTEGRITY

SI-1


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES

Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the system and information integrity family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the system and information integrity policy. Related control: PM-9.
Control Enhancements: None.


ASSESSMENT PROCEDURE
SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SI-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents system and information integrity policy;
(ii) the organization's system and information integrity policy addresses:
  • purpose;
  • scope;
  • roles and responsibilities;
  • management commitment;
  • coordination among organizational entities; and
  • compliance;
(iii) the organization disseminates formal documented system and information integrity policy to elements within the organization having associated system and information integrity roles and responsibilities;
(iv) the organization develops and formally documents system and information integrity procedures;
(v) the organization's system and information integrity procedures facilitate implementation of the system and information integrity policy and associated system and information integrity controls; and
(vi) the organization disseminates formal documented system and information integrity procedures to elements within the organization having associated system and information integrity roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and information integrity responsibilities].
SI-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of system and information integrity policy reviews/updates;
(ii) the organization reviews/updates system and information integrity policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of system and information integrity procedure reviews/updates; and
(iv) the organization reviews/updates system and information integrity procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and information integrity responsibilities].


SI-2


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-2 FLAW REMEDIATION

Control: The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and
c. Incorporates flaw remediation into the organizational configuration management process.
Supplemental Guidance: The organization identifies information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) and reports this information to designated organizational officials with information security responsibilities (e.g., senior information security officers, information system security managers, information systems security officers). The organization (including any contractor to the organization) promptly installs security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling are also addressed expeditiously. Organizations are encouraged to use resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By requiring that flaw remediation be incorporated into the organizational configuration management process, it is the intent of this control that required/anticipated remediation actions are tracked and verified. An example of expected flaw remediation that would be so verified is whether the procedures contained in US-CERT guidance and Information Assurance Vulnerability Alerts have been accomplished. Related controls: CA-2, CA-7, CM-3, MA-2, IR-4, RA-5, SA-11, SI-11.
Control Enhancements:


ASSESSMENT PROCEDURE
SI-2 FLAW REMEDIATION
SI-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies, reports, and corrects information system flaws;
(ii) the organization tests software updates related to flaw remediation for effectiveness before installation;
(iii) the organization tests software updates related to flaw remediation for potential side effects on organizational information systems before installation; and
(iv) the organization incorporates flaw remediation into the organizational configuration management process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software to correct information system flaws; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with flaw remediation responsibilities].



SECURITY CONTROL ENHANCEMENT
(1) The organization centrally manages the flaw remediation process and installs software updates automatically.
Enhancement Supplemental Guidance: Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.


SI-2(1) FLAW REMEDIATION
SI-2(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization centrally manages the flaw remediation process; and
(ii) the organization installs software updates automatically.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting centralized management of flaw remediation and automatic software updates; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms supporting centralized management of flaw remediation and automatic software updates].


SECURITY CONTROL ENHANCEMENT
(2) The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.


SI-2(2) FLAW REMEDIATION
SI-2(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of employing automated mechanisms to determine the state of information system components with regard to flaw remediation; and
(ii) the organization employs automated mechanisms in accordance with the organization-defined frequency to determine the state of information system components with regard to flaw remediation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing information system flaw remediation update status].


SECURITY CONTROL ENHANCEMENT
(3) The organization measures the time between flaw identification and flaw remediation, comparing with [Assignment: organization-defined benchmarks].


SI-2(3) FLAW REMEDIATION
SI-2(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the benchmarks to which the organization's measurement of time elapsed between flaw identification and flaw remediation should be compared;
(ii) the organization measures the time between flaw identification and flaw remediation; and
(iii) the organization compares the time measured between flaw identification and flaw remediation with organization-defined benchmarks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting centralized management of flaw remediation and automatic software updates; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; other relevant documents or records].
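As an added illustration of the SI-2(3) measurement (example code written for this page, not part of SP 800-53A or of any NIST tool), the following Python computes the time from flaw identification to remediation for constructed tracking records and compares each with assumed per-severity benchmarks; the benchmark values, the record fields and the sample data are all assumptions.

```python
"""Added example (not from SP 800-53A): measuring flaw-remediation time
against organization-defined benchmarks, as SI-2(3) requires.

The records are constructed stand-ins for the organization's list of
flaws and remediation actions; the benchmark values are illustrative
assumptions, not values the standard prescribes.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed organization-defined benchmarks: maximum days allowed from flaw
# identification to remediation, keyed by severity. Illustrative only.
BENCHMARK_DAYS = {"critical": 15, "high": 30, "moderate": 90, "low": 180}


@dataclass
class FlawRecord:
    flaw_id: str                # tracking identifier (constructed)
    component: str              # affected information system component
    severity: str               # key into BENCHMARK_DAYS
    identified: date            # date the flaw was identified/reported
    remediated: Optional[date]  # None while the flaw is still open


def elapsed_days(rec: FlawRecord, as_of: date) -> int:
    """Days from identification to remediation. Open flaws are measured up
    to the assessment date so that unremediated flaws are not hidden."""
    end = rec.remediated if rec.remediated is not None else as_of
    return (end - rec.identified).days


def evaluate(records: List[FlawRecord], as_of: date,
             benchmarks: Dict[str, int] = BENCHMARK_DAYS) -> List[Tuple[str, int, int, str]]:
    """Compare every record with its benchmark.

    Returns (flaw_id, elapsed_days, benchmark_days, status) per record, where
    status is 'met' or 'exceeded' for remediated flaws and 'open' or
    'overdue' (still open and already past the benchmark) for open ones.
    A severity without a benchmark is an evidence gap, so it raises.
    """
    results = []
    for rec in records:
        if rec.severity not in benchmarks:
            raise ValueError(f"{rec.flaw_id}: no benchmark for severity {rec.severity!r}")
        limit = benchmarks[rec.severity]
        days = elapsed_days(rec, as_of)
        if rec.remediated is None:
            status = "overdue" if days > limit else "open"
        else:
            status = "met" if days <= limit else "exceeded"
        results.append((rec.flaw_id, days, limit, status))
    return results


def summarize(results: List[Tuple[str, int, int, str]]) -> Dict[str, int]:
    """Count records per status; 'exceeded' plus 'overdue' is the figure an
    assessor compares with the organization's stated tolerance."""
    counts: Dict[str, int] = {}
    for _, _, _, status in results:
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample records (not real flaws or systems).
SAMPLE = [
    FlawRecord("FLAW-001", "web-01", "critical", date(2010, 3, 1), date(2010, 3, 10)),
    FlawRecord("FLAW-002", "db-01", "high", date(2010, 2, 1), date(2010, 3, 20)),
    FlawRecord("FLAW-003", "ws-17", "moderate", date(2010, 1, 15), None),
    FlawRecord("FLAW-004", "mail-02", "low", date(2010, 3, 25), None),
]
AS_OF = date(2010, 4, 30)  # assumed assessment date

if __name__ == "__main__":
    rows = evaluate(SAMPLE, AS_OF)
    for row in rows:
        print("%s  %3d days  benchmark %3d  %s" % row)
    print(summarize(rows))
```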



SECURITY CONTROL ENHANCEMENT
(4) The organization employs automated patch management tools to facilitate flaw remediation to [Assignment: organization-defined information system components].


SI-2(4) FLAW REMEDIATION
SI-2(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines information system components for which automated patch management tools are to be employed to facilitate flaw remediation; and
(ii) the organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation; information system design documentation; information system configuration settings and associated documentation; list of information system flaws; list of recent security flaw remediation actions performed on the information system; information system audit records; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms facilitating flaw remediation to information system components].


SI-3


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-3 MALICIOUS CODE PROTECTION

Control: The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
- Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
- Inserted through the exploitation of information system vulnerabilities;
b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
- Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and
- [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode) or contained within a compressed file. Removable media includes, for example, USB devices, diskettes, or compact disks. A variety of technologies and methods exist to limit or eliminate the effects of malicious code attacks. Pervasive configuration management and strong software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions and business functions. Traditional malicious code protection mechanisms are not built to detect such code. In these situations, organizations must rely instead on other risk mitigation measures to include, for example, secure coding practices, trusted procurement processes, configuration management and control, and monitoring practices to help ensure that software does not perform functions other than those intended. Related controls: SA-4, SA-8, SA-12, SA-13, SI-4, SI-7.
Control Enhancements:


ASSESSMENT PROCEDURE
SI-3 MALICIOUS CODE PROTECTION
SI-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code:
  • transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
  • inserted through the exploitation of information system vulnerabilities;
(ii) the organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
  • transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
  • inserted through the exploitation of information system vulnerabilities;
(iii) the organization updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with configuration management policy and procedures defined in CM-1;
(iv) the organization defines the frequency of periodic scans of the information system by malicious code protection mechanisms;
(v) the organization defines one or more of the following actions to be taken in response to malicious code detection:
  • block malicious code;
  • quarantine malicious code;
  • send alert to administrator;
  • take an organization-defined action;
(vi) the organization configures malicious code protection mechanisms to:
  • perform periodic scans of the information system in accordance with organization-defined frequency;
  • perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and
  • take organization-defined action(s) in response to malicious code detection; and
(vii) the organization addresses the receipt of false positives during malicious code:
  • detection and eradication; and
  • the resulting potential impact on the availability of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with malicious code protection responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].


SECURITY CONTROL ENHANCEMENT
(1) The organization centrally manages malicious code protection mechanisms.


SI-3(1) MALICIOUS CODE PROTECTION
SI-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization centrally manages malicious code protection mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT
(2) The information system automatically updates malicious code protection mechanisms (including signature definitions).


SI-3(2) MALICIOUS CODE PROTECTION
SI-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system automatically updates malicious code protection mechanisms, including signature definitions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT
(3) The information system prevents non-privileged users from circumventing malicious code protection capabilities.


SI-3(3) MALICIOUS CODE PROTECTION
SI-3(3).1 ASSESSMENT OBJECTIVE:
Determine if the information system prevents non-privileged users from circumventing malicious code protection capabilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].


SECURITY CONTROL ENHANCEMENT
(4) The information system updates malicious code protection mechanisms only when directed by a privileged user.


SI-3(4) MALICIOUS CODE PROTECTION
SI-3(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system updates malicious code protection mechanisms only when directed by a privileged user.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].


SECURITY CONTROL ENHANCEMENT
(5) The organization does not allow users to introduce removable media into the information system.


SI-3(5) MALICIOUS CODE PROTECTION
SI-3(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization does not allow users to introduce removable media into the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with malicious code protection responsibilities].


SECURITY CONTROL ENHANCEMENT
(6) The organization tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system and subsequently verifying that both detection of the test case and associated incident reporting occur, as required.


SI-3(6) MALICIOUS CODE PROTECTION
SI-3(6).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of testing malicious code protection mechanisms; and
(ii) the organization tests malicious code protection mechanisms, in accordance with organization-defined frequency, by introducing a known benign, non-spreading test case into the information system and subsequently verifying that both detection of the test case and associated incident reporting occur, as required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing malicious code protection capability].


SI-4


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-4 INFORMATION SYSTEM MONITORING

Control: The organization:
a. Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks;
b. Identifies unauthorized use of the information system;
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and
e. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
Supplemental Guidance: Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system (e.g., within internal organizational networks and system components). Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, at selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. The Einstein network monitoring device from the Department of Homeland Security is an example of a system monitoring device. The granularity of the information collected is determined by the organization based on its monitoring objectives and the capability of the information system to support such activities. An example of a specific type of transaction of interest to the organization with regard to monitoring is Hyper Text Transfer Protocol (HTTP) traffic that bypasses organizational HTTP proxies, when use of such proxies is required. Related controls: AC-4, AC-8, AC-17, AU-2, AU-6, SI-3, SI-7.
Control Enhancements:


ASSESSMENT PROCEDURE
SI-4 INFORMATION SYSTEM MONITORING
SI-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines objectives for monitoring events on the information system;
(ii) the organization monitors events on the information system in accordance with organization-defined objectives and detects information system attacks;
(iii) the organization identifies unauthorized use of the information system;
(iv) the organization deploys monitoring devices:
  • strategically within the information system to collect organization-determined essential information; and
  • at ad hoc locations within the system to track specific types of transactions of interest to the organization;
(v) the organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and
(vi) the organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].
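The supplemental guidance names HTTP traffic that bypasses required organizational HTTP proxies as a specific transaction of interest for monitoring. As an added example (written for this page, not taken from SP 800-53A), the Python below applies that check to constructed boundary flow records; the internal address range, the proxy address, the port list and the flow format are assumptions.

```python
"""Added example (not from SP 800-53A): detection logic for the transaction
of interest named in the SI-4 supplemental guidance, HTTP traffic that
bypasses the organization's required HTTP proxies.

Flow records, the internal range and the proxy address are constructed for
the example; a deployment would feed this from firewall or flow export at
the boundary (SC-7 managed interfaces).
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed site values (illustrative, not from the standard).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY_HOSTS = {ipaddress.ip_address("10.0.0.5")}
HTTP_PORTS = {80, 443, 8080}

# Constructed egress flow records, one per line: "src dst dport bytes".
SAMPLE_FLOWS = """\
10.1.4.22 10.0.0.5 8080 5120
10.0.0.5 203.0.113.10 443 90210
10.1.4.22 198.51.100.7 443 1840
10.2.7.9 192.0.2.33 80 260
10.2.7.9 10.0.0.5 8080 1200
10.3.1.1 198.51.100.9 22 4096
"""


def parse_flow(line: str):
    """Split one record into (src, dst, dport, bytes); malformed lines raise
    so they are not silently dropped from monitoring evidence."""
    src, dst, dport, nbytes = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes)


def flow_is_bypass(line: str) -> bool:
    """True when an internal, non-proxy host speaks HTTP(S) directly to an
    external address. Traffic from the proxy itself is the expected path."""
    src, dst, dport, _ = parse_flow(line)
    return (src in INTERNAL_NET and src not in PROXY_HOSTS
            and dst not in INTERNAL_NET and dport in HTTP_PORTS)


def find_bypasses(flow_text: str) -> List[Tuple[str, str, int, int]]:
    """Return (src, dst, dport, bytes) for every flow that bypasses the proxy."""
    hits = []
    for raw in flow_text.splitlines():
        if not raw.strip():
            continue
        if flow_is_bypass(raw):
            src, dst, dport, nbytes = parse_flow(raw)
            hits.append((str(src), str(dst), dport, nbytes))
    return hits


def bypass_summary(hits: List[Tuple[str, str, int, int]]) -> Dict[str, Tuple[int, int]]:
    """Aggregate by internal source host as (flow count, total bytes), the
    view an analyst uses to decide which hosts need follow-up first."""
    summary: Dict[str, Tuple[int, int]] = {}
    for src, _, _, nbytes in hits:
        count, total = summary.get(src, (0, 0))
        summary[src] = (count + 1, total + nbytes)
    return summary


if __name__ == "__main__":
    found = find_bypasses(SAMPLE_FLOWS)
    for src, dst, dport, nbytes in found:
        print(f"proxy bypass: {src} -> {dst}:{dport} ({nbytes} bytes)")
    print(bypass_summary(found))
```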



SECURITY CONTROL ENHANCEMENT
(1) The organization interconnects and configures individual intrusion detection tools into a systemwide intrusion detection system using common protocols.


SI-4(1) INFORMATION SYSTEM MONITORING
SI-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization interconnects and configures individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].
Test: [SELECT FROM: Information system-wide intrusion detection capability].


SECURITY CONTROL ENHANCEMENT
(2) The organization employs automated tools to support near real-time analysis of events.


SI-4(2) INFORMATION SYSTEM MONITORING
SI-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated tools to support near real-time analysis of events.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; other relevant documents or records].
Test: [SELECT FROM: Automated tools supporting near real-time event analysis].


SECURITY CONTROL ENHANCEMENT
(3) The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.


SI-4(3) INFORMATION SYSTEM MONITORING
SI-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].
Test: [SELECT FROM: Automated tools supporting the integration of intrusion detection tools and access/flow control mechanisms].


SECURITY CONTROL ENHANCEMENT
(4) The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
Enhancement Supplemental Guidance: Unusual/unauthorized activities or conditions include, for example, internal traffic that indicates the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, or signaling to an external information system. Evidence of malicious code is used to identify potentially compromised information systems or information system components.


SI-4(4) INFORMATION SYSTEM MONITORING
SI-4(4).1 ASSESSMENT OBJECTIVE:
Determine if the information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].
Test: [SELECT FROM: Automated tools supporting the integration of intrusion detection tools and access/flow control mechanisms].


SECURITY CONTROL ENHANCEMENT
(5) The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].
Enhancement Supplemental Guidance: Alerts may be generated, depending on the organization-defined list of indicators, from a variety of sources, for example, audit records or input from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers.


SI-4(5) INFORMATION SYSTEM MONITORING
SI-4(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines indicators of compromise or potential compromise to the security of the information system; and
(ii) the information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; security plan; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system monitoring real-time alert capability].


SECURITY CONTROL ENHANCEMENT
(6) The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.


SI-4(6) INFORMATION SYSTEM MONITORING
SI-4(6).1 ASSESSMENT OBJECTIVE:
Determine if the information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].
Test: [SELECT FROM: Information system-wide intrusion detection and prevention capability].


SECURITY CONTROL ENHANCEMENT
(7) The information system notifies [Assignment: organization-defined list of incident response personnel (identified by name and/or by role)] of suspicious events and takes [Assignment: organization-defined list of least-disruptive actions to terminate suspicious events].
Enhancement Supplemental Guidance: The least-disruptive actions may include initiating a request for human response.


SI-4(7) INFORMATION SYSTEM MONITORING
SI-4(7).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines incident response personnel (identified by name and/or by role) to be notified of suspicious events;
(ii) the organization defines least-disruptive actions to be taken by the information system to terminate suspicious events;
(iii) the information system notifies organization-defined incident response personnel of suspicious events; and
(iv) the information system takes organization-defined least-disruptive actions to terminate suspicious events.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; other relevant documents or records].
Test: [SELECT FROM: Information system notification capability].


SECURITY CONTROL ENHANCEMENT
(8) The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.


SI-4(8) INFORMATION SYSTEM MONITORING
SI-4(8).1 ASSESSMENT OBJECTIVE:
Determine if the organization protects information obtained from intrusion-monitoring tools from:
  • unauthorized access;
  • unauthorized modification; and
  • unauthorized deletion.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].


SECURITY CONTROL ENHANCEMENT
(9) The organization tests/exercises intrusion-monitoring tools [Assignment: organization-defined time-period].
Enhancement Supplemental Guidance: The frequency of testing/exercises is dependent upon the type and method of deployment of the intrusion-monitoring tools.


SI-4(9) INFORMATION SYSTEM MONITORING
SI-4(9).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period for testing/exercising intrusion-monitoring tools; and
(ii) the organization tests/exercises intrusion-monitoring tools in accordance with organization-defined time period.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; documentation providing evidence of testing intrusion monitoring tools; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT
(10) The organization makes provisions so that encrypted traffic is visible to information system monitoring tools.
Enhancement Supplemental Guidance: The enhancement recognizes the need to balance encrypting traffic versus the need to have insight into that traffic from a monitoring perspective. For some organizations, the need to ensure the confidentiality of traffic is paramount; for others, the mission-assurance concerns are greater.


SI-4(10) INFORMATION SYSTEM MONITORING
SI-4(10).1 ASSESSMENT OBJECTIVE:
Determine if the organization makes provisions so that encrypted traffic is visible to information system monitoring tools.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT
(11) The organization analyzes outbound communications traffic at the external boundary of the system (i.e., system perimeter) and, as deemed necessary, at selected interior points within the system (e.g., subnets, subsystems) to discover anomalies.
Enhancement Supplemental Guidance: Anomalies within the information system include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.


SI-4(11) INFORMATION SYSTEM MONITORING
SI-4(11).1 ASSESSMENT OBJECTIVE:
Determine if the organization, in order to discover anomalies, analyzes outbound communications traffic at:
  • the external boundary of the system (i.e., system perimeter); and
  • as deemed necessary, at selected interior points within the system (e.g., subnets, subsystems).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; other relevant documents or records].
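The four anomaly classes the enhancement supplemental guidance names (large transfers, long-lived connections, unusual protocols or ports, and contact with suspected malicious addresses) can be checked mechanically against flow records. The Python below is an added example written for this page, not NIST text or any product's detection logic. The internal address ranges, the expected protocol/port pairs, the size and duration thresholds and the suspect-address list are all assumed values chosen for the example, and the sample flows are constructed. The `interior` flag models the difference the enhancement draws between analysis at the system perimeter and analysis at selected interior points.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed monitoring profile for this example (not from SP 800-53): what
# "normal" outbound traffic looks like for the monitored system.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EXPECTED_PORTS = {("tcp", 443), ("tcp", 80), ("udp", 53), ("tcp", 25)}
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # >= 500 MiB leaving in one flow
LONG_CONNECTION_SECONDS = 6 * 3600         # >= 6 hours persistent
# Constructed placeholder for an organization's suspect-address list; uses a
# documentation range (TEST-NET-3), not a real address.
SUSPECT_ADDRESSES = {ip_address("203.0.113.55")}


@dataclass
class Flow:
    """One summarized connection record, as a flow collector would export it."""
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int
    duration_s: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def anomaly_tags(flow: Flow) -> List[str]:
    """Apply the four anomaly classes named in SI-4(11) to a single flow."""
    tags = []
    if flow.bytes_out >= LARGE_TRANSFER_BYTES:
        tags.append("large_transfer")
    if flow.duration_s >= LONG_CONNECTION_SECONDS:
        tags.append("long_connection")
    if (flow.proto, flow.dport) not in EXPECTED_PORTS:
        tags.append("unusual_port")
    if ip_address(flow.dst) in SUSPECT_ADDRESSES:
        tags.append("suspect_address")
    return tags


def analyze(flows: List[Flow], interior: bool = False) -> List[Tuple[str, List[str]]]:
    """Return (flow label, anomaly tags) for every anomalous outbound flow.

    interior=False models the sensor at the system perimeter, which only sees
    traffic leaving the internal ranges; interior=True models a sensor at a
    selected interior point, which also inspects internal-to-internal flows.
    """
    findings = []
    for flow in flows:
        if not is_internal(flow.src):
            continue  # not originated inside the system, so not outbound
        if is_internal(flow.dst) and not interior:
            continue  # stays inside; invisible to the perimeter sensor
        tags = anomaly_tags(flow)
        if tags:
            findings.append((f"{flow.src}->{flow.dst}:{flow.dport}", tags))
    return findings


# Constructed sample flows for the example.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "198.51.100.10", "tcp", 443, 120_000, 30),               # ordinary HTTPS
    Flow("10.1.2.3", "198.51.100.10", "tcp", 443, 900 * 1024 * 1024, 1800),   # very large upload
    Flow("10.1.2.4", "198.51.100.20", "tcp", 12345, 8_000, 30_000),           # odd port, held open for hours
    Flow("192.168.5.6", "203.0.113.55", "udp", 53, 600, 1),                   # DNS to a suspect address
    Flow("10.1.2.3", "10.9.9.9", "tcp", 12345, 5_000_000, 99_999),            # internal-only, long-lived
]

if __name__ == "__main__":
    for label, tags in analyze(SAMPLE_FLOWS, interior=True):
        print(label, tags)
```

The thresholds and the expected-port set are exactly the kind of profile that SI-4(13) asks the organization to derive from observed traffic and tune against its false-positive and false-negative measures; in a real deployment the flows come from a collector and the suspect list from a maintained threat feed rather than from constants in the file.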



SECURITY CONTROL ENHANCEMENT
(12) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that trigger alerts].


SI-4(12) INFORMATION SYSTEM MONITORING
SI-4(12).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines inappropriate or unusual activities with security implications that should trigger alerts to security personnel; and
(ii) the organization employs automated mechanisms to alert security personnel of the organization-defined inappropriate or unusual activities with security implications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; list of inappropriate or unusual activities that trigger alerts; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing alerts to security personnel for inappropriate or unusual activities].


SECURITY CONTROL ENHANCEMENT
(13) The organization:
(a) Analyzes communications traffic/event patterns for the information system;
(b) Develops profiles representing common traffic patterns and/or events; and
(c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives to [Assignment: organization-defined measure of false positives] and the number of false negatives to [Assignment: organization-defined measure of false negatives].


SI-4(13) INFORMATION SYSTEM MONITORING
SI-4(13).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization analyzes communications traffic/event patterns for the information system;
(ii) the organization develops profiles representing common traffic patterns and/or events;
(iii) the organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false positives and false negatives; and
(iv) the organization uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and false negatives to their respective organization-defined measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; list of common traffic patterns and/or events; information system protocols documentation; list of acceptable thresholds for false positives and false negatives; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].


SECURITY CONTROL ENHANCEMENT
(14) The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.


SI-4(14) INFORMATION SYSTEM MONITORING
SI-4(14).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs a wireless intrusion detection system to:
  • identify rogue wireless devices to the information system;
  • detect attack attempts to the information system; and
  • detect potential compromises/breaches to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing wireless communications intrusion detection capability].


SECURITY CONTROL ENHANCEMENT
(15) The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.


SI-4(15) INFORMATION SYSTEM MONITORING
SI-4(15).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing wireless communications intrusion detection capability].


SECURITY CONTROL ENHANCEMENT
(16) The organization correlates information from monitoring tools employed throughout the information system to achieve organization-wide situational awareness.


SI-4(16) INFORMATION SYSTEM MONITORING
SI-4(16).1 ASSESSMENT OBJECTIVE:
Determine if the organization correlates information from monitoring tools employed throughout the information system to achieve organization-wide situational awareness.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; event correlation logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].


SECURITY CONTROL ENHANCEMENT
(17) The organization correlates results from monitoring physical, cyber, and supply chain activities to achieve integrated situational awareness.
Enhancement Supplemental Guidance: Integrated situational awareness enhances the capability of the organization to more quickly detect sophisticated attacks and investigate the methods and techniques employed to carry out the attacks.


SI-4(17) INFORMATION SYSTEM MONITORING
SI-4(17).1 ASSESSMENT OBJECTIVE:
Determine if the organization correlates results from monitoring physical, cyber, and supply chain activities to achieve integrated situational awareness.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; event correlation logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system monitoring responsibilities].


SI-5


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

Control: The organization:
a. Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Supplemental Guidance: Security alerts and advisories are generated by the United States Computer Emergency Readiness Team (US-CERT) to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner.
Control Enhancements:


ASSESSMENT PROCEDURE
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;
(ii) the organization generates internal security alerts, advisories, and directives;
(iii) the organization defines personnel (identified by name and/or by role) who should receive security alerts, advisories, and directives;
(iv) the organization disseminates security alerts, advisories, and directives to organization-identified personnel; and
(v) the organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing security alerts and advisories; records of security alerts and advisories; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, administering, and using the information system].



SECURITY CONTROL ENHANCEMENT
(1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.


SI-5(1) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to make security alert and advisory information available throughout the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing security alerts and advisories; information system design documentation; information system configuration settings and associated documentation; automated mechanisms supporting the distribution of security alert and advisory information; records of security alerts and advisories; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing the distribution of security alert and advisory information].


SI-6


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-6 SECURITY FUNCTIONALITY VERIFICATION

Control: The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
Supplemental Guidance: The need to verify security functionality applies to all security functions. For those security functions that are not able to execute automated self-tests, the organization either implements compensating security controls or explicitly accepts the risk of not performing the verification as required. Information system transitional states include, for example, startup, restart, shutdown, and abort.
Control Enhancements:


ASSESSMENT PROCEDURE
SI-6 SECURITY FUNCTIONALITY VERIFICATION
SI-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the appropriate conditions, including the system transitional states if applicable, for verifying the correct operation of security functions;
(ii) the organization defines, for periodic security function verification, the frequency of the verifications;
(iii) the organization defines information system responses and alternative action(s) to anomalies discovered during security function verification;
(iv) the information system verifies the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification); and
(v) the information system responds to security function anomalies in accordance with organization-defined responses and alternative action(s).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing security function verification; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Security function verification capability].
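One concrete form of the automated self-test the supplemental guidance refers to is a known-answer test: a security function is exercised on published test vectors and its output compared with the published result, at startup, on command, or on a schedule, with an organization-defined response when it fails. The Python below is an added example written for this page, not NIST code or any vendor's module. The SHA-256 and HMAC-SHA-256 vectors are published values (HMAC test case 1 from RFC 4231); the `trigger` labels, the "notify" response and the deliberately failing `broken-module` test are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class SelfTest:
    name: str
    run: Callable[[], bool]   # returns True when the security function behaves correctly


# Known-answer tests: published test vectors, so the check is independent of
# the implementation being checked.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
HMAC_RFC4231_TC1 = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"


def sha256_kat() -> bool:
    return (hashlib.sha256(b"abc").hexdigest() == SHA256_ABC
            and hashlib.sha256(b"").hexdigest() == SHA256_EMPTY)


def hmac_sha256_kat() -> bool:
    # RFC 4231 test case 1: 20-byte key of 0x0b, data "Hi There".
    mac = hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, HMAC_RFC4231_TC1)


SELF_TESTS = [SelfTest("sha256", sha256_kat), SelfTest("hmac-sha256", hmac_sha256_kat)]


def verify_security_functions(tests: List[SelfTest], trigger: str,
                              on_anomaly: Callable[[str, List[str]], None]) -> Dict[str, bool]:
    """Run every self-test and invoke the organization-defined response on failure.

    `trigger` records why verification ran: a transitional state such as
    "startup" or "restart", "on-command", or "periodic".  A test that raises is
    treated as failed rather than aborting verification of the others.
    """
    results: Dict[str, bool] = {}
    for test in tests:
        try:
            results[test.name] = bool(test.run())
        except Exception:
            results[test.name] = False
    failed = [name for name, ok in results.items() if not ok]
    if failed:
        on_anomaly(trigger, failed)
    return results


def make_notifier(sink: List[str]) -> Callable[[str, List[str]], None]:
    """Assumed response 'notify system administrator': append a message to sink.

    The other SI-6 responses (shut down, restart, alternative action) would be
    substituted here according to the organization's selection.
    """
    def notify(trigger: str, failed: List[str]) -> None:
        sink.append(f"[{trigger}] security function self-test FAILED: {', '.join(failed)}")
    return notify


def demo() -> Dict[str, object]:
    """Constructed scenario: a clean startup check, then a periodic run with a failing test."""
    messages: List[str] = []
    notify = make_notifier(messages)
    startup = verify_security_functions(SELF_TESTS, "startup", notify)
    broken = SELF_TESTS + [SelfTest("broken-module", lambda: False)]
    periodic = verify_security_functions(broken, "periodic", notify)
    return {"startup": startup, "periodic": periodic, "messages": messages}


if __name__ == "__main__":
    print(demo())
```

The returned result map is what SI-6(1) and SI-6(3) consume: a failed entry drives the notification, and the whole map is the record reported to the designated officials. Functions that cannot be exercised this way (for example a hardware tamper sensor) fall under the guidance's compensating-control or explicit-risk-acceptance branch.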


SECURITY CONTROL ENHANCEMENT
(1) The information system provides notification of failed automated security tests.


SI-6(1) SECURITY FUNCTIONALITY VERIFICATION
SI-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides notification of failed automated security tests.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing security function verification; information system design documentation; security plan; information system configuration settings and associated documentation; automated security test results; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing alerts and/or notifications for failed automated security tests].


SECURITY CONTROL ENHANCEMENT
(2) The information system provides automated support for the management of distributed security testing.


SI-6(2) SECURITY FUNCTIONALITY VERIFICATION
SI-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides automated support for the management of distributed security testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing security function verification; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms supporting the management of distributed security function testing].


SECURITY CONTROL ENHANCEMENT
(3) The organization reports the result of security function verification to designated organizational officials with information security responsibilities.
Enhancement Supplemental Guidance: Organizational officials with information security responsibilities include, for example, senior information security officers, information system security managers, and information systems security officers.


SI-6(3) SECURITY FUNCTIONALITY VERIFICATION
SI-6(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies organizational officials with information security responsibilities designated to receive the results of security function verification; and
(ii) the organization reports the results of security function verification to designated organizational officials with information security responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing security function verification; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security functionality verification responsibilities; organizational personnel with information security responsibilities].


SI-7


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-7 SOFTWARE AND INFORMATION INTEGRITY

Control: The information system detects unauthorized changes to software and information.
Supplemental Guidance: The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions. The organization employs good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.
Control Enhancements:


ASSESSMENT PROCEDURE
SI-7 SOFTWARE AND INFORMATION INTEGRITY
SI-7.1 ASSESSMENT OBJECTIVE:
Determine if the information system detects unauthorized changes to software and information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and applications documentation; other relevant documents or records].
Test: [SELECT FROM: Software integrity protection and verification capability].


SECURITY CONTROL ENHANCEMENT
(1) The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system.


SI-7(1) SOFTWARE AND INFORMATION INTEGRITY
SI-7(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of integrity scans to be performed on the information system; and
(ii) the organization reassesses the integrity of software and information by performing integrity scans of the information system in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; security plan; information system configuration settings and associated documentation; integrity verification tools and applications documentation; records of integrity scans; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT
(2) The organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification.


SI-7(2) SOFTWARE AND INFORMATION INTEGRITY
SI-7(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; information system configuration settings and associated documentation; integrity verification tools and applications documentation; records of integrity scans; automated tools supporting alerts and notifications for integrity discrepancies; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT
(3) The organization employs centrally managed integrity verification tools.


SI-7(3) SOFTWARE AND INFORMATION INTEGRITY
SI-7(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs centrally managed integrity verification tools.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; information system configuration settings and associated documentation; integrity verification tools and applications documentation; records of integrity scans; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT
(4) The organization requires use of tamper-evident packaging for [Assignment: organization-defined information system components] during [Selection: transportation from vendor to operational site; during operation; both].


SI-7(4) SOFTWARE AND INFORMATION INTEGRITY
SI-7(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines information system components that require use of tamper-evident packaging;
(ii) the organization defines the conditions (i.e., transportation from vendor to operational site, during operation, both) under which tamper-evident packaging must be used for organization-defined information system components; and
(iii) the organization requires use of tamper-evident packaging for organization-defined information system components during organization-defined conditions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing software and information integrity; information system component packaging; other relevant documents or records].



SI-8


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-8 SPAM PROTECTION

Control: The organization:
a. Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and
b. Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers. Related controls: SC-5, SI-3.
Control Enhancements:


ASSESSMENT PROCEDURE
SI-8 SPAM PROTECTION
SI-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means;
(ii) the organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; and
(iii) the organization updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures defined in CM-1.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing spam protection; information system design documentation; spam protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with spam protection responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing spam detection and handling capability].


SECURITY CONTROL ENHANCEMENT
(1) The organization centrally manages spam protection mechanisms.


SI-8(1) SPAM PROTECTION
SI-8(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization centrally manages spam protection mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing spam protection; information system design documentation; spam protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT
(2) The information system automatically updates spam protection mechanisms (including signature definitions).


SI-8(2) SPAM PROTECTION
SI-8(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system automatically updates spam protection mechanisms (including signature definitions).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing spam protection; information system design documentation; spam protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].



SI-9


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-9 INFORMATION INPUT RESTRICTIONS

Control: The organization restricts the capability to input information to the information system to authorized personnel.
Supplemental Guidance: Restrictions on organizational personnel authorized to input information to the information system may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities. Related controls: AC-5, AC-6.
Control Enhancements: None.


ASSESSMENT PROCEDURE
SI-9 INFORMATION INPUT RESTRICTIONS
SI-9.1 ASSESSMENT OBJECTIVE:
Determine if the organization restricts the capability to input information to the information system to authorized personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information input restrictions; access control policy and procedures; separation of duties policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing restrictions on individual authorizations to input information into the information system].



SI-10


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-10 INFORMATION INPUT VALIDATION

Control: The information system checks the validity of information inputs.
Supplemental Guidance: Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify that inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands.
Control Enhancements: None.
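As an added illustration of the SI-10 guidance (not text or code from SP 800-53/53A), the following Python expresses the four kinds of validity rule the guidance names (character set, length, numerical range, acceptable values) as an allow-list table, plus a prescreen that rejects interpreter metacharacters in any input that will later reach a shell or query interpreter. Field names, rules and the metacharacter set are hypothetical policy choices.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added illustration; field names, rules and metacharacter list are hypothetical.
@dataclass(frozen=True)
class Rule:
    charset: str | None = None                # regex the whole value must match
    max_len: int | None = None                # length limit
    num_range: tuple[int, int] | None = None  # inclusive numerical range
    allowed: frozenset[str] | None = None     # acceptable values (allow-list)
    to_interpreter: bool = False              # value is later passed to an interpreter

# Prescreen for inputs bound for a shell or query interpreter (SI-10 guidance):
# characters that carry meaning to common interpreters are rejected outright.
INTERPRETER_META = frozenset(";|&$`'\"\\<>(){}\n\r")

RULES: dict[str, Rule] = {
    "username": Rule(charset=r"[a-z][a-z0-9_]*", max_len=32),
    "age": Rule(charset=r"[0-9]+", max_len=3, num_range=(0, 150)),
    "role": Rule(allowed=frozenset({"reader", "editor", "admin"})),
    "search_term": Rule(charset=r"[ -~]+", max_len=100, to_interpreter=True),
}

def validate(field: str, value: str) -> tuple[bool, str]:
    """Check one input against its rule; return (accepted, reason)."""
    rule = RULES.get(field)
    if rule is None:                           # inputs with no rule are not accepted
        return False, "unknown field"
    if rule.max_len is not None and len(value) > rule.max_len:
        return False, "too long"
    if rule.charset is not None and not re.fullmatch(rule.charset, value):
        return False, "bad character set"
    if rule.allowed is not None and value not in rule.allowed:
        return False, "not an acceptable value"
    if rule.num_range is not None:
        lo, hi = rule.num_range
        if not value.isdigit() or not lo <= int(value) <= hi:
            return False, "out of range"
    if rule.to_interpreter and INTERPRETER_META & set(value):
        return False, "interpreter metacharacter"
    return True, "ok"

def validate_record(record: dict[str, str]) -> dict[str, str]:
    """Validate a whole submission; map each rejected field to its reason."""
    return {f: r for f, v in record.items() for ok, r in (validate(f, v),) if not ok}
```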


ASSESSMENT PROCEDURE
SI-10 INFORMATION INPUT VALIDATION
SI-10.1 ASSESSMENT OBJECTIVE:
Determine if the information system checks the validity of information inputs.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information validity; access control policy and procedures; separation of duties policy and procedures; documentation for automated tools and applications to verify validity of information; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system capability for checking validity of information inputs].


SI-11


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-11 ERROR HANDLING

Control: The information system:
a. Identifies potentially security-relevant error conditions;
b. Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and
c. Reveals error messages only to authorized personnel.
Supplemental Guidance: The structure and content of error messages are carefully considered by the organization. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Sensitive information includes, for example, account numbers, social security numbers, and credit card numbers.
Control Enhancements: None.
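As an added illustration of SI-11 parts a, b and c (not text or code from SP 800-53/53A), this Python classifies errors as security-relevant, redacts the organization-defined sensitive items (here assumed to be SSNs, card numbers and internal account numbers) from every logged and returned message, and returns the detailed message only when the caller is flagged as authorized personnel. The error classes, patterns and `authorized` flag are hypothetical stand-ins for the values the control leaves to the organization.

```python
from __future__ import annotations
import logging
import re

# Added illustration; error classes, patterns and the authorized flag are hypothetical.
class AuthError(Exception): ...
class IntegrityError(Exception): ...

# (a) error classes this hypothetical system treats as security-relevant
SECURITY_RELEVANT = (AuthError, IntegrityError, PermissionError)

# (b) organization-defined sensitive information that must not appear in
# error logs or administrative messages (assumed: SSN, card, account number)
SENSITIVE = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "[CARD]"),
    (re.compile(r"\bACCT-\d{6,}\b"), "[ACCOUNT]"),
]

def redact(text: str) -> str:
    """Replace each sensitive item with a label; the rest stays for corrective action."""
    for pattern, label in SENSITIVE:
        text = pattern.sub(label, text)
    return text

def handle_error(exc: Exception, ref: str, *, authorized: bool) -> dict:
    """Log a redacted record and return the message the caller may see.

    authorized is True only for personnel allowed to see error detail (c);
    everyone else receives a reference id to quote to support.
    """
    security = isinstance(exc, SECURITY_RELEVANT)
    detail = redact(str(exc))                  # the raw message is never logged
    logging.getLogger("app").log(
        logging.WARNING if security else logging.ERROR,
        "ref=%s kind=%s security_relevant=%s detail=%s",
        ref, type(exc).__name__, security, detail)
    if authorized:
        return {"ref": ref, "kind": type(exc).__name__,
                "security_relevant": security, "detail": detail}
    return {"ref": ref, "message": f"The request could not be completed (reference {ref})."}
```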


ASSESSMENT PROCEDURE
SI-11 ERROR HANDLING
SI-11.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system identifies potentially security-relevant error conditions;
(ii) the organization defines sensitive or potentially harmful information that should not be contained in error logs and administrative messages;
(iii) the information system generates error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited by adversaries; and
(iv) the information system reveals error messages only to authorized personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system error handling; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system error handling capability].


SI-12


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-12 INFORMATION OUTPUT HANDLING AND RETENTION

Control: The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Supplemental Guidance: The output handling and retention requirements cover the full life cycle of the information, in some cases extending beyond the disposal of the information system. The National Archives and Records Administration provides guidance on records retention. Related controls: MP-2, MP-4.
Control Enhancements: None.


ASSESSMENT PROCEDURE
SI-12 INFORMATION OUTPUT HANDLING AND RETENTION
SI-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization handles both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements; and
(ii) the organization retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing information system output handling and retention; media protection policy and procedures; information retention records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information output handling and retention responsibilities].



SI-13


FAMILY: SYSTEM AND INFORMATION INTEGRITY CLASS: OPERATIONAL


SECURITY CONTROL

SI-13 PREDICTABLE FAILURE PREVENTION

Control: The organization:
a. Protects the information system from harm by considering mean time to failure for [Assignment: organization-defined list of information system components] in specific environments of operation; and
b. Provides substitute information system components, when needed, and a mechanism to exchange active and standby roles of the components.
Supplemental Guidance: While mean time to failure is primarily a reliability issue, this control focuses on the potential failure of specific components of the information system that provide security capability. Mean time to failure rates are defendable and based on considerations that are installation-specific, not industry-average. The transfer of responsibilities between active and standby information system components does not compromise safety, operational readiness, or security (e.g., state variables are preserved). The standby component is available at all times except where a failure recovery is in progress or for maintenance reasons. Related control: CP-2.
Control Enhancements:


ASSESSMENT PROCEDURE
SI-13 PREDICTABLE FAILURE PREVENTION
SI-13.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines information system components for which mean time to failure rates should be considered to protect the information system from harm;
(ii) the organization protects the information system from harm by considering mean time to failure rates for organization-defined information system components in specific environments of operation;
(iii) the organization provides substitute information system components, when needed; and
(iv) the organization provides a mechanism to exchange active and standby roles of the components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with predictable failure prevention responsibilities].



SECURITY CONTROL ENHANCEMENT
(1) The organization takes the information system component out of service by transferring component responsibilities to a substitute component no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.


SI-13(1) PREDICTABLE FAILURE PREVENTION
SI-13(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the maximum fraction or percentage of mean time to failure in order to transfer the responsibilities of an information system component that is out of service to a substitute component; and
(ii) the organization takes the information system component out of service by transferring component responsibilities to a substitute component no later than the organization-defined fraction or percentage of mean time to failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with predictable failure prevention responsibilities].


SECURITY CONTROL ENHANCEMENT
(2) The organization does not allow a process to execute without supervision for more than [Assignment: organization-defined time period].


SI-13(2) PREDICTABLE FAILURE PREVENTION
SI-13(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period that a process is allowed to execute without supervision; and
(ii) the organization does not allow a process to execute without supervision for more than the organization-defined time period.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system predictable failure prevention capability].


SECURITY CONTROL ENHANCEMENT
(3) The organization manually initiates a transfer between active and standby information system components at least once per [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].


SI-13(3) PREDICTABLE FAILURE PREVENTION
SI-13(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the minimum frequency with which the organization manually initiates a transfer between active and standby information system components if the mean time to failure exceeds the organization-defined time period;
(ii) the organization defines the time period that the mean time to failure must exceed before the organization manually initiates a transfer between active and standby information system components; and
(iii) the organization manually initiates a transfer between active and standby information system components at least once per the organization-defined frequency if the mean time to failure exceeds the organization-defined time period.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with predictable failure prevention responsibilities].
Test: [SELECT FROM: Information system predictable failure prevention capability].


SECURITY CONTROL ENHANCEMENT
(4) The organization, if an information system component failure is detected:
(a) Ensures that the standby information system component successfully and transparently assumes its role within [Assignment: organization-defined time period]; and
(b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
Enhancement Supplemental Guidance: Automatic or manual transfer of roles to a standby unit may occur upon detection of a component failure.


SI-13(4) PREDICTABLE FAILURE PREVENTION
SI-13(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period for a standby information system component to successfully and transparently assume the role of an information system component that has failed;
(ii) the organization defines the alarm to be activated when an information system component failure is detected; and
(iii) the organization, if an information system component failure is detected:
  • ensures that the standby information system component successfully and transparently assumes its role within the organization-defined time period; and
  • activates the organization-defined alarm and/or automatically shuts down the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; list of actions to be taken once information system component failure is detected; other relevant documents or records].
Test: [SELECT FROM: Information system predictable failure prevention capability].

