background - defense security service rmf ssp template … · web view10.12.6.1pe-6(1) –...
TRANSCRIPT
System Security Plan (SSP)Categorization: Moderate-Low-Low
Incorporates Classified, Closed Restricted Network/Local Area Network and Standalone Overlays
System Name Click here to enter text.Registration#/Unique ID Click here to enter text.Service/Agency Click here to enter text.Report Prepared By Click here to enter text.
Version 5Date 5 May 2023
System/Document Change RecordsINSTRUCTIONS (DELETE IN FINAL DOCUMENT. The system changes provided within this table must be incorporated into the security plan during the system’s re-authorization or when the system change is significant to completely invalidate the current security plan.
SSP Revision Number
Description of change
Changed Page(s) Date Entered BY
V1 Initial Document 25 Jan 16Revised 09 May 16 TLB
ii
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): Click on the “Enter Name” entry below to type in the name.
Review and Approval of ControlsThe signatories below have reviewed and approved this System Security Plan (SSP). SCA Enter Name
X_____________________________________________
DAO-REPRESENTATIVE Enter Name
X_____________________________________________
iii
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): Click on the “Enter Name” entry below to type in the name.
Program & Cybersecurity/Information Assurance Personnel
The signatories below attest that this System Security Plan (SSP) accurately reflects the security environment of the organization and system addressed in this SSP. FSO Enter Name
X_____________________________________________
ISSM Enter Name
X_____________________________________________
ISSO Enter Name
X_____________________________________________
iv
Table of Contents11 Background............................................................................................................................................................................12 Applicability............................................................................................................................................................................13 References..............................................................................................................................................................................14 Reciprocity.............................................................................................................................................................................15 System Identification..............................................................................................................................................................1
5.1 System Overview..........................................................................................................................................................15.2 Security Categorization.................................................................................................................................................1
5.2.1 Summary Results and Rationale..........................................................................................................................15.2.2 Categorization Detailed Results..........................................................................................................................1
Information Impact Categorization.....................................................................................................................................15.2.2.1 System Security Impact Categorization..........................................................................................................15.2.2.2 Risk Adjusted System Impact Categorization..................................................................................................2
5.2.3 Control Selection.................................................................................................................................................26 Key Roles and Responsibilities................................................................................................................................................2
6.1 Risk Management.........................................................................................................................................................26.2 IA Support Personnel....................................................................................................................................................3
7 System Environment..............................................................................................................................................................47.1 Physical Environment....................................................................................................................................................47.2 Facility/System Layout..................................................................................................................................................47.3 Personnel Authorizations..............................................................................................................................................47.4 System Classification Level(s) & Compartment(s).........................................................................................................47.5 Unique Data Handling Requirements............................................................................................................................47.6 Information Access Policies..........................................................................................................................................5
8 General System Description/Purpose.....................................................................................................................................58.1 System Description.......................................................................................................................................................58.2 System Architecture.....................................................................................................................................................58.3 Functional Architecture................................................................................................................................................58.4 User Roles and Access Privileges...................................................................................................................................5
9 Interconnections....................................................................................................................................................................59.1 Direct Network Connections.........................................................................................................................................59.2 Indirect Connections/Information Sharing....................................................................................................................69.3 Memoranda of Understanding (MOU), Memoranda of Agreement (MOA), Co-Utilization Agreements (CUA) and Interconnection Security Agreements (ISA).................................................................................................................................6
10 Baseline Security Controls......................................................................................................................................................210.1 Summary Listing of Required Controls for a Moderate – Low – Low (M-L-L) Baseline..................................................210.2 Access Control (AC).......................................................................................................................................................2
10.2.1 AC-1 – Access Control Policy and Procedures Requirements..............................................................................210.2.2 AC-2 – Account Management (+ Privacy Overlay)...............................................................................................2
10.2.2.1 AC-2 (1) – Account Management: Automated System Account Management (- Standalone Overlay)..........310.2.2.2 AC-2(2) – Account Management: Removal of Temporary/Emergency Accounts (- Standalone Overlay)......310.2.2.3 AC-2(3) – Account Management: Disable Inactive Accounts (- Standalone Overlay).....................................410.2.2.4 AC-2(4) – Account Management: Automated Audit Actions.........................................................................410.2.2.5 AC-2(5) – Account Management: Inactivity Logout.......................................................................................410.2.2.6 AC-2(7) – Account Management: Role Based Schemes (- Standalone Overlay).............................................510.2.2.7 AC-2(9) – Account Management: Restrictions on Use of Shared Groups/Accounts (+ Privacy Overlay) – NEW BASELINE....................................................................................................................................................................510.2.2.8 AC-2(10) – Account Management: Shared/Group Account Credential Termination – NEW BASELINE..........610.2.2.9 AC-2(12) – Account Management: Active Monitoring/Atypical Usage – NEW BASELINE..............................610.2.2.10 AC-2(13) – Account Management: Disable Accounts for High-Risk Individuals (+ Privacy Overlay) – NEW BASELINE 6
10.2.3 AC-3 – Access Enforcement (+ Privacy Overlay)..................................................................................................710.2.3.1 AC-3(2) – Access Enforcement: Dual Authorization (+ Classified Overlay) – NEW BASELINE.........................7
v
10.2.3.2 AC-3 (3) – Access Enforcement: Mandatory Access Control..........................................................................810.2.3.3 AC-3(4) – Access Enforcement: Discretionary Access Control (+ Classified Overlay) (- Standalone Overlay). .810.2.3.4 AC-3(6) – Access Enforcement: Protection of User and System Information – WITHDRAWN Incorporated into MP-4 and SC-28...........................................................................................................................................................9
10.2.4 AC-4 – Information Flow Enforcement................................................................................................................910.2.4.1 AC-4 (1) – Information Flow Enforcement: Object Security Attributes..........................................................910.2.4.2 AC-4 (9) – Information Flow Enforcement: Human Reviews........................................................................10
10.2.5 AC-5 – Separation of Duties (+ Classified Overlay)............................................................................................1010.2.6 AC-6 – Least Privilege (+ Classified & Privacy Overlay)......................................................................................11
10.2.6.1 AC-6(1) – Least Privilege: Authorize Access to Security Functions...............................................................1110.2.6.2 AC-6(2) – Least Privilege: Non-Privileged Access for Non-Security Functions..............................................1210.2.6.3 AC-6(5) – Least Privilege: Privileged Accounts.............................................................................................1210.2.6.4 AC-6(7) – Least Privilege: Review of User Privileges (+ Classified & Privacy Overlay) (- Standalone Overlay) – NEW BASELINE...............................................................................................................................................................1310.2.6.5 AC-6(8) – Least Privilege: Privilege Levels for Code Execution – NEW BASELINE.........................................1310.2.6.6 AC-6(9) – Least Privilege: Auditing Use of Privileged Functions – NEW BASELINE.......................................1410.2.6.7 AC-6(10) – Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions – NEW BASELINE 14
10.2.7 AC-7 – Unsuccessful Login Attempts.................................................................................................................1510.2.7.1 AC-7 (2) – Unsuccessful Logon Attempts: Purge-Wipe Mobile Device (+ Classified & Intelligence Overlay) 15
10.2.8 AC-8 – System Use Notification.........................................................................................................................1510.2.9 AC-9 – Previous Logon (Access) Notification (+ Classified) – NEW.....................................................................1610.2.10 AC-10 – Concurrent Session Control (- Standalone Overlay) – NEW BASELINE.................................................1710.2.11 AC-11 – Session Lock (+ Classified)....................................................................................................................17
10.2.11.1 AC-11(1) – Session Lock: Pattern Hiding Displays (+ Classified Overlay)......................................................1810.2.12 AC-12 – Session Termination – NEW BASELINE.................................................................................................18
10.2.12.1 AC-12(1) – Session Termination: User-Initiated Logouts/Message Displays – NEW BASELINE....................1910.2.13 AC-14 – Permitted Actions without Identification or Authentication................................................................19
10.2.13.1 AC-14(1) - Permitted Actions without Identification or Authentication: Necessary Uses WITHDRAWN Incorporated into AC-14...................................................................................................................................................19
10.2.14 AC-16 – Security Attributes (+ Classified & Privacy Overlay) – NEW BASELINE..................................................1910.2.14.1 AC-16(3) – Security Attributes: Maintenance of Attribute Associations by Information System (+ Privacy Overlay) - NEW.................................................................................................................................................................2010.2.14.2 AC-16(5) – Security Attributes: Attribute Displays for Output Devices (+ Classified Overlay) – NEW...........2110.2.14.3 AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization (+ Classified Overlay) – NEW 2110.2.14.4 AC-16(7) – Security Attributes: Consistent Attribute Interpretation (+ Classified Overlay) (- Standalone Overlay) – NEW.................................................................................................................................................................21
10.2.15 AC-17 – Remote Access (- Standalone & CRN Overlay).....................................................................................2210.2.15.1 AC-17(1) – Remote Access: Automated Monitoring/Control (- Standalone & CRN Overlay).......................2210.2.15.2 AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption (- Standalone & CRN Overlay) 2310.2.15.3 AC-17(3) - Remote Access: Managed Access Control Points (- Standalone & CRN Overlay)........................2310.2.15.4 AC-17(4) – Remote Access: Privileged Commands/Access (- Standalone & CRN Overlay)...........................2310.2.15.5 AC-17(6) – Remote Access: Protection of Information (- Standalone & CRN Overlay).................................2410.2.15.6 AC-17(7) – Remote Access: Additional Protection for Security Function Areas WITHDRAWN Incorporated Into AC-3(10)....................................................................................................................................................................2410.2.15.7 AC-17(8) – Remote Access: Disable Nonsecure Network Protocols WITHDRAWN Incorporated Into CM-7 2410.2.15.8 AC-17(9) – Remote Access: Disconnect/Disable Access (- Standalone Overlay) – NEW BASELINE...............24
10.2.16 AC-18 – Wireless Access (+ Classified Overlay) (- Standalone Overlay).............................................................2510.2.16.1 AC-18(1) – Wireless Access: Authentication & Encryption (- Standalone Overlay)......................................2510.2.16.2 AC-18(2) – Wireless Access: Monitoring Unauthorized Connections WITHDRAWN Incorporated Into SI-4 2610.2.16.3 AC-18(3) – Wireless Access: Disable Wireless Networking (+ Classified Overlay) (- Standalone Overlay)....2610.2.16.4 AC-18(4) – Wireless Access: Restrict Configurations by Users (+ Classified Overlay) (- Standalone Overlay)
2610.2.17 AC-19 – Access Control for Mobile Devices (+ Classified)..................................................................................26
10.2.17.1 AC-19(1) – Access Control for Mobile Devices: Use of Writable/Portable Storage Devices WITHDRAWN Incorporated Into MP-7....................................................................................................................................................28
vi
10.2.17.2 AC-19(2) – Access Control for Mobile Devices: Use of Personally-Owned Portable Storage Devices WITHDRAWN Incorporated Into MP-7..............................................................................................................................2810.2.17.3 AC-19(3) – Access Control for Mobile Devices: Use of Portable Storage Devices with No Identifiable Owner WITHDRAWN Incorporated Into MP-7..............................................................................................................................2810.2.17.4 AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption (+ Privacy Overlay) – NEW BASELINE...............................................................................................................................................................28
10.2.18 AC-20 – Use of External Information Systems (+ Classified)..............................................................................2810.2.18.1 AC-20(1) – Use of External Information Systems: Limits on Authorized Use (+ Classified & Privacy Overlay) (- Standalone & CRN Overlay)...........................................................................................................................................2910.2.18.2 AC-20(2) – Use of External Information Systems: Portable Storage Devices (+ Classified Overlay) (- CRN Overlay) 2910.2.18.3 AC-20(3) – Use of External Information Systems/Non-Organizationally Owned Systems-Components-Devices (+ Classified) – NEW BASELINE.............................................................................................................................3010.2.18.4 AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices (+ Classified Overlay) (- Standalone Overlay) – NEW...........................................................................................................................................30
10.2.19 AC-21 – Information Sharing ()..........................................................................................................................3110.2.19.1 AC-21 (1) – Information Sharing: Automated Decision Support..................................................................31
10.2.20 AC-22 – Publicly Accessible Content)(- Standalone & CRN Overlay)..................................................................3210.2.21 AC-23 – Data Mining Protection (+ Classified) (- Standalone Overlay) – NEW BASELINE...................................32
10.3 Awareness and Training (AT)......................................................................................................................................3410.3.1 AT-1 – Security Awareness & Training Policy and Procedures...........................................................................3410.3.2 AT-2 – Security Awareness (+ Classified)...........................................................................................................34
10.3.2.1 AT-2(2) – Security Awareness: Insider Threat (+ Classified Overlay) – NEW BASELINE................................3410.3.3 AT-3 – Role-Based Security Training..................................................................................................................35
10.3.3.1 AT-3(2) – Security Training: Physical Security Controls................................................................................3510.3.3.2 AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior – NEW BASELINE
3510.3.4 AT-4 – Security Training Records.......................................................................................................................3610.3.5 AT-5 – Contacts with Security Groups and Associations WITHDRAWN Incorporated into PM-5.......................36
10.4 Audit and Accountability (AU).....................................................................................................................................3710.4.1 AU-1 – Audit and Accountability Policy and Procedures...................................................................................3710.4.2 AU-2 – Auditable Events....................................................................................................................................37
10.4.2.1 AU-2(3) – Auditable Events: Reviews and Updates......................................................................................3810.4.2.2 AU-2(4) – Audit Events: Privileged Functions WITHDRAWN Incorporated Into AC-6(9)..............................38
10.4.3 AU-3 – Content of Audit Records (+ Privacy Overlay)........................................................................................3810.4.3.1 AU-3(1) – Content of Audit Records: Additional Audit Information.............................................................39
10.4.4 AU-4 – Audit Storage Capacity (+ Privacy Overlay) (- Standalone Overlay).......................................................3910.4.4.1 AU-4(1) – Audit Storage: Transfer to Alternate Storage (- Standalone Overlay) – NEW BASELINE..............40
10.4.5 AU-5 – Response to Audit Processing Failures (- Standalone Overlay)..............................................................4010.4.5.1 AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity (- Standalone Overlay)..............41
10.4.6 AU-6 – Audit Review, Analysis and Reporting (+ Classified Overlay).................................................................4110.4.6.1 AU-6(1) – Audit Review, Analysis and Reporting: Process Integration (- Standalone Overlay)....................4210.4.6.2 AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories (+ Privacy Overlay) (- Standalone Overlay).........................................................................................................................................................4210.4.6.3 AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis (+ Classified Overlay) – NEW BASELINE 4210.4.6.4 AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities (+ Classified Overlay) – NEW.................................................................................................................................................................4310.4.6.5 AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands (+ Classified Overlay) – NEW.................................................................................................................................................................4310.4.6.6 AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources (+ Classified Overlay) – NEW.............................................................................................................................................4410.4.6.7 AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment – NEW BASELINE.....................44
10.4.7 AU-7 – Audit Reduction and Report Generation (+ Privacy Overlay) (- Standalone Overlay)............................4410.4.7.1 AU-7(1) – Audit Reduction and Report Generation: Automatic Processing (- Standalone Overlay).............45
10.4.8 AU-8 – Time Stamps..........................................................................................................................................4510.4.8.1 AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source (- Standalone Overlay).........46
10.4.9 AU-9 – Protection of Audit Information (+ Privacy Overlay)..............................................................................46
vii
10.4.9.1 AU-9(2) – Protection of Audit Information: Audit Backup on Separate Physical Systems/Components......4710.4.9.2 AU-9(3) – Protection of Audit Information: Cryptographic Protection (+ Privacy Overlay) - NEW...............4710.4.9.3 AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users (- Standalone Overlay)...47
10.4.10 AU-10 – Non-Repudiation - NEW......................................................................................................................4810.4.10.1 AU-10(1) – Non-Repudiation: Association of Identities...............................................................................4810.4.10.2 AU-10(5) – Non-Repudiation: Digital Signatures (+Intelligence Overlay) – WITHDRAWN Incorporated into SI-7 49
10.4.11 AU-11 – Audit Record Retention.......................................................................................................................4910.4.11.1 AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability – NEW BASELINE................................49
10.4.12 AU-12 – Audit Generation (+ Classified Overlay)...............................................................................................4910.4.12.1 AU-12(1) Audit Generation: System-Wide/Time Correlated Audit Trail – NEW BASELINE...........................5010.4.12.2 AU-12(3) – Audit Generation: Changes by Authorized Individuals – NEW BASELINE...................................50
10.4.13 AU-13 – Monitoring for Information Disclosure................................................................................................5110.4.14 AU-14 – Session Audit (+ Classified Overlay) – NEW BASELINE.........................................................................51
10.4.14.1 AU-14(1) – Session Audit: System Start-Up – NEW BASELINE......................................................................5110.4.14.2 AU-14(2) – Session Audit: Capture/Record and Log Content – NEW BASELINE...........................................5210.4.14.3 AU-14(3) – Session Audit: Remote Viewing/Listening – NEW BASELINE......................................................52
10.4.15 AU-16 – Cross-Organizational Training (+ Classified Overlay) – NEW................................................................5210.4.15.1 AU-16(1) – Cross-Organizational Auditing: Identity Preservation (+ Classified Overlay) – NEW...................5310.4.15.2 AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information (+ Classified Overlay) – NEW......53
10.5 Security Assessment and Authorization (CA)..............................................................................................................5410.5.1 CA-1 – Security Assessment and Authorization Policies & Procedures..............................................................5410.5.2 CA-2 – Security Assessments.............................................................................................................................54
10.5.2.1 CA-2(1) – Security Assessments: Independent Assessors (- Standalone Overlay)........................................5510.5.3 CA-3 – Information System Connections (+ Classified Overlay) (- Standalone Overlay).....................................55
10.5.3.1 CA-3(1) – Information System Connections: Unclassified National Security System Connections (- Standalone & CRN Overlay)..............................................................................................................................................5610.5.3.2 CA-3(2) – Information System Connections: Classified National Security System Connections (+ Classified Overlay) (- Standalone & CRN Overlay).............................................................................................................................5710.5.3.3 CA-3(3) – Information System Connections: Unclassified Non-National Security System Connections (+ Privacy Overlay) – NEW....................................................................................................................................................5710.5.3.4 CA-3(5) – Information System Connections: Restrictions on External Network Connections – NEW BASELINE 57
10.5.4 CA-5 – Plan of Action & Milestones...................................................................................................................5810.5.5 CA-6 – Security Authorization...........................................................................................................................5810.5.6 CA-7 – Continuous Monitoring..........................................................................................................................59
10.5.6.1 CA-7(1) – Continuous Monitoring: Independent Assessment (- Standalone Overlay)..................................6010.5.7 CA-9 – Internal System Connections – NEW BASELINE......................................................................................60
10.6 Configuration Management (CM)...............................................................................................................................6210.6.1 CM-1 – Configuration Management Policy and Procedures..............................................................................6210.6.2 CM-2 – Baseline Configuration..........................................................................................................................62
10.6.2.1 CM-2(1) – Baseline Configuration: Reviews & Updates...............................................................................6210.6.2.2 CM-2 (5) – Baseline Configuration: Authorized Software WITHDRAWN Incorporated Into CM-7...............63
10.6.3 CM-3 – Configuration Change Control...............................................................................................................6310.6.3.1 CM-3(4) – Configuration Change Control: Security Representative..............................................................6410.6.3.2 CM-3(6) – Configuration Change Control: Cryptography Management (+ Classified Overlay) – NEW BASELINE 64
10.6.4 CM-4 – Security Impact Analysis)......................................................................................................................6510.6.5 CM-5 – Access Restrictions for Change.............................................................................................................66
10.6.5.1 CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges (+ Classified Overlay) (- Standalone Overlay).........................................................................................................................................................6610.6.5.2 CM-5(6) – Access Restrictions for Change: Limit Library Privileges..............................................................67
10.6.6 CM-6 – Configuration Settings...........................................................................................................................6710.6.6.1 CM-6(3) – Configuration Settings: Unauthorized Change Detection WITHDRAWN Incorporated Into SI-7. 6810.6.6.2 CM-6(4) – Configuration Settings: Conformance Demonstration WITHDRAWN Incorporated Into CM-4....68
10.6.7 CM-7 – Least Functionality................................................................................................................................6810.6.7.1 CM-7(1) – Least Functionality: Periodic Review (- Standalone Overlay)......................................................6910.6.7.2 CM-7(2) – Least Functionality: Prevent Program Execution (- Standalone Overlay)....................................69
viii
10.6.7.3 CM-7(3) – Least Functionality: Registration Compliance (- Standalone Overlay).........................................6910.6.7.4 CM-7(5) – Least Functionality: Authorized Software/Whitelisting – NEW BASELINE...................................70
10.6.8 CM-8 – Information System Component Inventory...........................................................................................7110.6.8.1 CM-8(2) – Information System Component Inventory: Automated Maintenance (- Standalone Overlay) – NEW BASELINE..................................................................................................................................................................7110.6.8.2 CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection (- Standalone Overlay) – NEW BASELINE..............................................................................................................................72
10.6.9 CM-9 – Configuration Management Plan..........................................................................................................7210.6.10 CM-10 – Software Usage Restrictions – NEW BASELINE....................................................................................73
10.6.10.1 CM-10(1) – Software Usage Restrictions: Open Source Software – NEW BASELINE....................................7410.6.11 CM-11 – User Installed Software – NEW BASELINE...........................................................................................74
10.6.11.1 CM-11(2) – User Installed Software: Prohibit Installation with Privileged Status – NEW BASELINE.............7510.7 Contingency Planning (CP)..........................................................................................................................................76
10.7.1 CP-1 – Contingency Planning Policy and Procedures.........................................................................................7610.7.2 CP-2 – Contingency Plan – Maybe tailorout based on contract requirements..................................................7610.7.3 CP-3 – Contingency Training..............................................................................................................................7710.7.4 CP-4 – Contingency Plan Testing and Exercises.................................................................................................7710.7.5 CP-6 - Alternate Storage Site (BASELINE)...........................................................................................................7810.7.6 CP-7 – Alternate Processing Site (- Standalone Overlay)...................................................................................78
10.7.6.1 CP-7 (5) – Alternate Processing Site: Equivalent Information Security Safeguards WITHDRAWN Incorporated Into CP-7.....................................................................................................................................................79
10.7.7 CP-9 – Information System Backup...................................................................................................................7910.7.7.1 CP-9(1) – Information System Backup: Testing for Reliability/Integrity - BASELINE.....................................80
10.7.8 CP-10 – Information System Recovery and Reconstitution...............................................................................8010.8 Identification and Authentication (IA).........................................................................................................................82
10.8.1 IA – 1 – Identification and Authentication Policy and Procedures.....................................................................8210.8.2 IA-2 – Identification and Authentication (Organizational Users) (+ Classified)..................................................82
10.8.2.1 IA-2(1) – Identification and Authentication (Organizational Users): Network Access to Privileged Accounts (+ Classified Overlay) (- Standalone Overlay)....................................................................................................................8210.8.2.2 IA-2(2) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (- Standalone Overlay)........................................................................................................................................8310.8.2.3 IA-2(3) – Identification and Authentication: Local Access to Privileged Accounts (- Standalone Overlay). . .8310.8.2.4 IA-2(4) – Identification and Authentication: Local Access to Non-Privileged Accounts (- Standalone Overlay)
8310.8.2.5 IA-2(5) – Identification and Authentication: Group Authentication (- Standalone Overlay).........................8410.8.2.6 IA-2(8) – Identification and Authentication: Network Access to Privileged Accounts – Replay Resistant (- Standalone Overlay).........................................................................................................................................................8410.8.2.7 IA-2(9) – Identification and Authentication (Organizational Users): Network Access to Non-Privileged Accounts – Replay Resistant (- Standalone Overlay).........................................................................................................8510.8.2.8 IA-2(11) – Identification and Authentication (Organizational Users): Remote Access-Separate Device (- Standalone Overlay) – NEW BASELINE..............................................................................................................................8510.8.2.9 IA-2(12) – Identification and Authentication (Organizational Users): Acceptance of PIV Credentials (- Standalone Overlay) – NEW BASELINE..............................................................................................................................86
10.8.3 IA-3 – Device Identification and Authentication (- Standalone Overlay)............................................................8610.8.3.1 IA-3(1) – Device Identification and Authentication: Cryptographic Bi-Directional Authentication (- Standalone Overlay).........................................................................................................................................................8710.8.3.2 IA-4 – Identifier Management......................................................................................................................8710.8.3.3 IIA-4(4) – Identifier Management: Identify User Status (- Standalone Overlay)...........................................88
10.8.4 IA-5 – Authenticator Management....................................................................................................................8810.8.4.1 IA-5(1) – Authenticator Management: Password-Based Authentication.....................................................8910.8.4.2 IA-5(2) – Authenticator Management: PKI-Based Authentication (- Standalone Overlay)...........................9010.8.4.3 IA-5(4) – Authenticator Management: Automated Support for Password Strength Determination............9010.8.4.4 IA-5(7) – Authenticator Management: No Embedded Unencrypted Static Authenticators.........................9110.8.4.5 IA-5(8) – Authenticator Management: Multiple Information System Accounts...........................................9110.8.4.6 IA-5(11) – Authenticator Management: Hardware Token-Based Authentication – NEW BASELINE............9210.8.4.7 IA-5(13) – Authenticator Management: Expiration of Cached Authenticators (- Standalone Overlay) – NEW BASELINE 92
ix
10.8.4.8 IA-5(14) – Authenticator Management: Managing Content of PKI Trust Stores (- Standalone Overlay) – NEW BASELINE..................................................................................................................................................................92
10.8.5 IA-6 – Authenticator Feedback..........................................................................................................................9310.8.6 IA-7 – Cryptographic Module Authentication....................................................................................................9310.8.7 IA-8 – Identification and Authentication (Non-Organizational Users) (- Standalone Overlay)...........................94
10.8.7.1 IA-8(1) – Identification and Authentication (Non-Organizational Users): Acceptance of PIV Credentials from Other Agencies (- Standalone Overlay) – NEW BASELINE.................................................................................................9410.8.7.2 IA-8(2) – Identification and Authentication (Non-Organizational Users): Acceptance of Third-Party Credentials (- Standalone Overlay) – NEW BASELINE........................................................................................................9410.8.7.3 IA-8(3) – Identification and Authentication (Non-Organizational Users): Use of FICAM Approved Products (- Standalone Overlay) – NEW BASELINE...........................................................................................................................9510.8.7.4 IA-8(4) - Identification and Authentication (Non-Organizational Users): Use of FICAM Issued Profiles (- Standalone Overlay) – NEW BASELINE..............................................................................................................................95
10.9 Incident Response (IR)................................................................................................................................................9710.9.1 IR-1 – Incident Response Policy and Procedures...............................................................................................9710.9.2 IR-2 – Incident Response Training.....................................................................................................................9710.9.3 IR-3 – Incident Response Testing.......................................................................................................................97
10.9.3.1 IR-3(2) – Incident Response Testing and Exercises: Coordination with Related Plans – NEW BASELINE......9810.9.4 IR-4 – Incident Handling....................................................................................................................................98
10.9.4.1 IR-4(1) – Incident Handling: Automated Incident Handling Processes.........................................................9910.9.4.2 IR-4(3) – Incident Handling: Continuity of Operations.................................................................................9910.9.4.3 IR-4(4) – Incident Handling: Information Correlation..................................................................................9910.9.4.4 IR-4(6) – Incident Handling: Insider Threats – Specific Capabilities – NEW BASELINE................................10010.9.4.5 IR-4(7) – Incident Handling: Insider Threats – Intra-Organization Coordination – NEW BASELINE............10010.9.4.6 IR-4(8) – Incident Handling: Correlation with External Organization – NEW BASELINE..............................100
10.9.5 IR-5 – Incident Monitoring..............................................................................................................................10110.9.6 IR-6 – Incident Reporting.................................................................................................................................101
10.9.6.1 IR-6(1) – Incident Reporting: Automated Reporting..................................................................................10210.9.6.2 IR-6(2) – Incident Reporting: Vulnerabilities Related to Incidents..............................................................102
10.9.7 IR-7 – Incident Response Assistance................................................................................................................10310.9.7.1 IR-7(1) – Incident Response Assistance: Automation Support for Availability of Information...................10310.9.7.2 IR-7(2) – Incident Response Assistance: Coordination with External Providers.........................................104
10.9.8 IR-8 – Incident Response Plan.........................................................................................................................10410.9.9 IR-9 – Information Spillage Response (+ Classified Overlay) – NEW BASELINE................................................105
10.9.9.1 IR-9(1) – Information Spillage Response: Responsible Personnel (+ Classified Overlay) – NEW BASELINE 10510.9.9.2 IR-9(2) – Information Spillage Response: Training (+ Classified Overlay) – NEW BASELINE.......................10610.9.9.3 IR-9(4) – Information Spillage Response: Exposure to Unauthorized Personnel (+ Classified Overlay) – NEW BASELINE 106
10.9.10 IR-10 – Integrated Information Security Cell (+ Privacy Overlay) – NEW BASELINE.........................................10610.10 Maintenance (MA)....................................................................................................................................................108
10.10.1 MA-1 – System Maintenance Policy and Procedures......................................................................................10810.10.2 MA-2 – Controlled Maintenance.....................................................................................................................10810.10.3 MA-3 – Maintenance Tools.............................................................................................................................109
10.10.3.1 MA-3(1) – Maintenance Tools: Inspect Tools............................................................................................10910.10.3.2 MA-3(2) – Maintenance Tools: Inspect Media...........................................................................................10910.10.3.3 MA-3(3) – Maintenance Tools: Prevent Unauthorized Removal (+ Classified Overlay)..............................110
10.10.4 MA-4 – Non-Local Maintenance (- Standalone Overlay).................................................................................11010.10.4.1 MA-4(1) – Non-Local Maintenance: Auditing and Review.........................................................................11110.10.4.2 MA-4(3) – Non-Local Maintenance: Comparable Security/Sanitization (- Standalone Overlay)................11110.10.4.3 MA-4(6) – Non-Local Maintenance: Cryptographic Protection (+ Privacy Overlay) (- Standalone Overlay)
11210.10.4.4 MA-4(7) – Non-Local Maintenance: Remote Disconnect Verification (- Standalone Overlay)...................112
10.10.5 MA-5 – Maintenance Personnel......................................................................................................................11310.10.5.1 MA-5(1) – Maintenance Personnel: Individuals without Appropriate Access (+ Classified Overlay)..........11310.10.5.2 MA-5(2) – Maintenance Personnel: Security Clearances for Classified Systems........................................11410.10.5.3 MA-5(3) – Maintenance Personnel: Citizenship Requirements for Classified Systems..............................11410.10.5.4 MA-5(4) – Maintenance Personnel: Foreign Nationals..............................................................................115
10.11 Media Protection (MP).............................................................................................................................................116
x
10.11.1 MP-1 – Media Protection Policy and Procedures............................................................................................11610.11.2 MP-2 – Media Access (+ Classified).................................................................................................................116
10.11.2.1 MP-2(2) – Media Access: Cryptographic Protection WITHDRAWN Incorporated Into SC-28.....................11610.11.3 MP-3 – Media Marking (+ Classified)...............................................................................................................11610.11.4 MP-4 – Media Storage (+ Classified)................................................................................................................11710.11.5 MP-5 – Media Transport (+ Classified)............................................................................................................118
10.11.5.1 MP-5(3) – Media Transport: Custodians (+ Classified Overlay) – NEW.......................................................11810.11.5.2 MP-5(4) – Media Transport: Cryptographic Protection (+ Classified)........................................................119
10.11.6 MP-6 – Media Sanitization (+ Classified).........................................................................................................11910.11.6.1 MP-6(1) – Media Sanitization: Review/Approve/Track/Document/Verify (+ Classified)............................12010.11.6.2 MP-6(2) – Media Sanitization: Equipment Testing (+ Classified Overlay)...................................................12010.11.6.3 MP-6(3) – Media Sanitization: Non-Destructive Techniques (+ Classified Overlay)..................................12010.11.6.4 MP-6(4) – Media Sanitization: Controlled Unclassified Information WITHDRAWN Incorporated Into MP-6
12110.11.6.5 MP-6(5) – Media Sanitization: Classified Information WITHDRAWN Incorporated Into MP-6...................12110.11.6.6 MP-6(6) – Media Sanitization: Media Destruction WITHDRAWN Incorporated Into MP-6........................121
10.11.7 MP-7 – Media Use (+ Classified Overlay) – NEW BASELINE.............................................................................12110.11.7.1 MP-7(1) – Media Use: Prohibit Use without Owner – NEW BASELINE.......................................................121
10.11.8 MP-8 – Media Downgrading (+ Classified Overlay) – NEW..............................................................................12210.11.8.1 MP-8(1) – Media Downgrading: Documentation of Process (+ Classified Overlay) – NEW.........................12210.11.8.2 MP-8(2) – Media Downgrading: Equipment Testing (+ Classified Overlay) – NEW....................................12310.11.8.3 MP-8(4) – Media Downgrading: Classified Information (+ Classified Overlay) – NEW...............................123
10.12 Physical and Environment Protection (PE)................................................................................................................12410.12.1 PE-1 – Physical and Environmental Protection Policy and Procedures............................................................12410.12.2 PE-2 – Physical Access Authorizations.............................................................................................................124
10.12.2.1 PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access (+ Classified Overlay) – NEW........12410.12.3 PE-3 – Physical Access Control........................................................................................................................125
10.12.3.1 PE-3(1) – Physical Access Control: Information System Access – NEW BASELINE......................................12510.12.3.2 PE-3(2) – Physical Access Control: Facility/Information System Boundaries (+ Classified Overlay)............12610.12.3.3 PE-3(3) – Physical Access Control: Continuous Guards/Alarms/Monitoring (+ Classified Overlay)............126
10.12.4 PE-4 – Access Control for Transmission Medium (+ Classified Overlay) (- Standalone Overlay)......................12710.12.5 PE-5 – Access Control for Output Devices.......................................................................................................127
10.12.5.1 PE-5(3) – Access Control for Output Devices: Marking Output Devices (+ Classified Overlay) – NEW.......12710.12.6 PE-6 – Monitoring Physical Access..................................................................................................................128
10.12.6.1 PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment – NEW BASELINE.........12810.12.7 PE-7 – Visitor Control includes PE-7(1) – Visitor Control: Visitor Escort and PE-7(2) – Visitor Control: Visitor Identification – WITHDRAWN Incorporated into PE-2 and PE-3..........................................................................................12910.12.8 PE-8 – Access Records.....................................................................................................................................12910.12.9 PE-12 – Emergency Lighting............................................................................................................................12910.12.10 PE-13 – Fire Protection....................................................................................................................................12910.12.11 PE-14 – Temperature and Humidity Controls..................................................................................................13010.12.12 PE-15 – Water Damage Protection..................................................................................................................13010.12.13 PE-16 – Delivery and Removal.........................................................................................................................13110.12.14 PE-17 – Alternate Work Site............................................................................................................................13110.12.15 PE-19 – Information Leakage (+ Classified Overlay)........................................................................................131
10.12.15.1 PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures (+ Classified Overlay) 132
10.13 Planning (PL).............................................................................................................................................................13310.13.1 PL-1 – Security Planning Policy and Procedures..............................................................................................13310.13.2 PL-2 – System Security Plan.............................................................................................................................133
10.13.2.1 PL-2(3) – System Security Plan: Coordinate with Organization Entities – NEW BASELINE.........................13410.13.3 PL-4 – Rules of Behavior..................................................................................................................................135
10.13.3.1 PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions – NEW BASELINE........................13510.13.4 PL-5 – Privacy Impact Assessment – WITHDRAWN Incorporated into Appendix J, AR-2.................................13610.13.5 PL-6 – Security-Related Activity Planning – WITHDRAWN Incorporated into PL-2..........................................13610.13.6 PL-8 – Information Security Architecture– NEW BASELINE.............................................................................136
10.13.6.1 PL-8(1) – Information Security Architecture: Defense in Depth – NEW BASELINE.....................................13610.13.6.2 PL-8(2) – Information Security Architecture: Supplier Diversity – NEW BASELINE.....................................137
xi
10.14 Personnel Security (PS).............................................................................................................................................13810.14.1 PS-1 – Personnel Security Policy and Procedures............................................................................................13810.14.2 PS-2 – Position Categorization.........................................................................................................................13810.14.3 PS-3 – Personnel Screening.............................................................................................................................138
10.14.3.1 PS-3(1) – Personnel Screening: Classified Information (+ Classified Overlay)............................................13810.14.3.2 PS-3(3) – Personnel Screening: Information With Special Protection Measures (+ Privacy Overlay) – NEW
13910.14.4 PS-4 – Personnel Termination (+ Classified)....................................................................................................139
10.14.4.1 PS-4(1) – Personnel Termination: Post-Termination Requirements (+ Classified Overlay) – NEW BASELINE140
10.14.5 PS-5 – Personnel Transfer...............................................................................................................................14010.14.6 PS-6 – Access Agreements...............................................................................................................................141
10.14.6.1 PS-6(1) – Access Agreements: Information Requiring Special Protection – WITHDRAWN Incorporated into PS-3 14210.14.6.2 PS-6(2) – Access Agreements: Classified Information Requiring Special Protection (+ Classified Overlay) 14210.14.6.3 PS-6(3) – Access Agreements: Post-Employment Requirements (+ Classified Overlay) – NEW BASELINE. 142
10.14.7 PS-7 – Third-Party Personnel Security.............................................................................................................14310.14.8 PS-8 - Personnel Sanctions..............................................................................................................................143
10.15 Risk Assessment (RA)................................................................................................................................................14510.15.1 RA-1 – Risk Assessment Policy and Procedures...............................................................................................14510.15.2 RA-2 – Security Categorization........................................................................................................................14510.15.3 RA-3 – Risk Assessment...................................................................................................................................14510.15.4 RA-5 – Vulnerability Scanning.........................................................................................................................146
10.15.4.1 RA-5(1) – Vulnerability Scanning: Update Tool Capability.........................................................................14710.15.4.2 RA-5(2) – Vulnerability Scanning: Update by Frequency/Prior to New Scan/When Identified..................14710.15.4.3 RA-5(4) – Vulnerability Scanning: Discoverable Information.....................................................................14810.15.4.4 RA-5(5) – Vulnerability Scanning: Privileged Access..................................................................................14810.15.4.5 RA-5(7) – Vulnerability Scanning: Automated Detection and Notification of Unauthorized Components – WITHDRAWN Incorporated into CM-8............................................................................................................................148
10.15.5 RA-6 – Technical Surveillance Countermeasures Survey (+ Classified Overlay) – NEW...................................14810.16 System and Services Acquisition...............................................................................................................................150
10.16.1 SA-1 – System and Services Acquisition Policy and Procedures.......................................................................15010.16.2 SA-2 – Allocation of Resources........................................................................................................................15010.16.3 SA-3 – System Development Life Cycle...........................................................................................................15010.16.4 SA-4 – Acquisition Process...............................................................................................................................151
10.16.4.1 SA-4(1) – Acquisition Process: Functional Properties of Security Controls – NEW BASELINE.....................15110.16.4.2 SA-4(2) – Acquisition Process: Design/Implementation Information for Security Controls (- Standalone Overlay) – NEW BASELINE...............................................................................................................................................15210.16.4.3 SA-4(6) – Acquisition Process: Use of Information Assurance Products (+ Classified Overlay)..................15210.16.4.4 SA-4(7) – Acquisition Process: NIAP Approved Protection Profiles – NEW BASELINE................................15210.16.4.5 SA-4(9) – Acquisition Process: Functions/Ports/Protocols/Services in Use – NEW BASELINE....................15310.16.4.6 SA-4(10) – Acquisition Process: Use of Approved PIV Products (- Standalone Overlay) – NEW BASELINE.153
10.16.5 SA-5 – Information System Documentation....................................................................................................15410.16.5.1 SA-5 (1) – Information System Documentation: Functional Properties of Security Controls – WITHDRAWN Incorporated into SA-4(1)...............................................................................................................................................15510.16.5.2 SA-5(2) – Information System Documentation: Security Relevant External System Interfaces – WITHDRAWN Incorporated into SA-4(2).........................................................................................................................155
10.16.6 SA-6 - Software Usage Restrictions – WITHDRAWN Incorporated into CM-10 and SI-7..................................15510.16.7 SA-7 – User-Installed Software – WITHDRAWN Incorporated into CM-11 and SI-7.........................................15510.16.8 SA-8 – Software Engineering Principles...........................................................................................................15510.16.9 SA-9 – External Information System Services (- Standalone and CRN Overlay)...............................................155
10.16.9.1 SA-9(1) – External Information System Services: Risk Assessment/Organizational Approvals (- Standalone Overlay) 15610.16.9.2 SA-9(2) – External Information System Services: Identification of Functions/Ports/Protocols/Services – NEW BASELINE................................................................................................................................................................15610.16.9.3 SA-9(5) – External Information System Services: Processing, Storage, and Service Location (+ Privacy Overlay) – NEW...............................................................................................................................................................157
10.16.10 SA-10 – Developer Configuration Management..............................................................................................157
xii
10.16.10.1 SA-10(1) – Developer Configuration Management: Software/Firmware Integrity Verification.................15810.16.11 SA-11 – Developer Security Testing and Evaluation........................................................................................15810.16.12 SA-12 – Supply Chain Protection.....................................................................................................................15910.16.13 SA-15 – Development Process, Standards and Tools – NEW BASELINE...........................................................159
10.16.13.1 SA-15(9) – Development Process, Standards and Tools: Use of Live Data (+ Classified Overlay) – NEW BASELINE 160
10.16.14 SA-17 – Developer Security Architecture and Design– NEW...........................................................................16010.16.15 SA-19 – Component Authenticity – NEW BASELINE........................................................................................161
10.17 Systems and Communications Protection (SC).........................................................................................................16210.17.1 SC-1 – Systems and Communications Protection Policy and Procedures........................................................16210.17.2 SC-2 – Application Partitioning (+ Classified Overlay) (- Standalone)...............................................................16210.17.3 SC-3 – Security Function Isolation (+ Classified Overlay) – NEW......................................................................16210.17.4 SC-4 – Information in Shared Resources (-Standalone Overlay)......................................................................16210.17.5 SC-5 – Denial of Service Protection (- Standalone and CRN Overlay)..............................................................16310.17.6 SC-5(1) – Denial of Service Protection: Restrict Internal Users (- Standalone and CRN Overlay)....................16310.17.7 SC-7 – Boundary Protection (- Standalone and CRN Overlay)..........................................................................164
10.17.7.1 SC-7(3) – Boundary Protection: Access Points (- Standalone and CRN Overlay)........................................16410.17.7.2 SC-7(4) – Boundary Protection: External Telecommunications Services (- Standalone and CRN Overlay).16510.17.7.3 SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception (- Standalone and CRN Overlay).....16510.17.7.4 SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices (- Standalone and CRN Overlay) 16610.17.7.5 SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers (- Standalone and CRN Overlay) 16610.17.7.6 SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic (- Standalone and CRN Overlay) – NEW BASELINE.......................................................................................................................................16710.17.7.7 SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration (- Standalone and CRN Overlay).....16710.17.7.8 SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic (- Standalone and CRN Overlay)
16710.17.7.9 SC-7(12) – Boundary Protection: Host-Based Protection (- Standalone and CRN Overlay).........................16810.17.7.10 SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components (- Standalone and CRN Overlay).........................................................................................................................................16810.17.7.11 SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections (- Standalone Overlay) 16910.17.7.12 SC-7(17) – Boundary Protection: Automated Enforcement of Protocol Formats.......................................169
10.17.8 SC-8 – Transmission Confidentiality and Integrity (+ Classified)......................................................................17010.17.8.1 SC-8(1) – Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection (+ Classified ) – NEW BASELINE...........................................................................................................................................17010.17.8.2 SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling (+ Classified Overlay) (- Standalone Overlay) – NEW BASELINE.........................................................................................................................17110.17.8.3 SC-8(3) – Transmission Confidentiality and Integrity: Cryptographic Protection for Message Externals (+ Classified Overlay) – NEW...............................................................................................................................................17110.17.8.4 SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications (+ Classified Overlay) – NEW...............................................................................................................................................................171
10.17.9 SC-10 – Network Disconnect (- Standalone & CRN Overlay)............................................................................17210.17.10 SC-12 – Cryptographic Key Establishment and Management..........................................................................172
10.17.10.1 SC-12(2) – Cryptographic Key Establishment and Management/Symmetric Keys (+ Classified Overlay) – NEW 17210.17.10.2 SC-12(3) – Cryptographic Key Establishment and Management/Asymmetric Keys (+ Classified Overlay) – NEW 173
10.17.11 SC-13 – Cryptographic Protection (+ Classified)..............................................................................................17310.17.11.1 SC-13(3) – Cryptographic Protection: Individuals without Formal Access Approvals – WITHDRAWN Incorporated into SC-13..................................................................................................................................................174
10.17.12 SC-14 – Public Access Protections WITHDRAWN Incorporated into multiple controls....................................17410.17.13 SC-15 – Collaborative Computing Devices (- Standalone & CRN Overlay).......................................................174
10.17.13.1 SC-15(2) – Collaborated Computing Devices: Blocking Inbound/Outbound Communications Traffic WITHDRAWN Incorporated into SC-7.............................................................................................................................17510.17.13.2 SC-15(3) – Collaborative Computing Devices: Disabling/Removal in Secure Work Areas (+ Classified Overlay) (- Standalone & CRN Overlay) – NEW...............................................................................................................175
xiii
10.17.14 SC-17 – Public Key Infrastructure Certificates (- Standalone Overlay).............................................................17510.17.15 SC-18 – Mobile Code.......................................................................................................................................175
10.17.15.1 SC-18(1) – Mobile Code: Identify Unacceptable Code/Take Corrective Actions........................................17610.17.15.2 SC-18(2) – Mobile Code: Acquisition/Development/Use...........................................................................17610.17.15.3 SC-18(3) – Mobile Code: Prevent Downloading/Execution........................................................................17710.17.15.4 SC-18(4) – Mobile Code: Prevent Automatic Execution.............................................................................177
10.17.16 SC-19 – Voice over Internet Protocol (VoIP) (- Standalone & CRN Overlay)....................................................17810.17.17 SC-20 – Secure Name/Address Resolution Service (Authoritative Source) (- Standalone & CRN Overlay)......178
10.17.17.1 SC-20(1) – Secure Name/Address Resolution Service (Authoritative Source): Child Subspaces WITHDRAWN Incorporated into SC-20..................................................................................................................................................179
10.17.18 SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver) (- Standalone & CRN Overlay) 17910.17.19 SC-22 – Architecture and Provisioning for Name/Address Resolution Service (- Standalone & CRN Overlay).17910.17.20 SC-23 – Session Authenticity (- Standalone Overlay).......................................................................................179
10.17.20.1 SC-23(1) – Session Authenticity: Invalidate Session Identifiers at Logout (- Standalone Overlay)..............18010.17.20.2 SC-23(2) – Session Authenticity: User Initiated Logouts/Message Displays WITHDRAWN Incorporated into AC-12(1) 18010.17.20.3 SC-23(3) – Session Authenticity: Unique Session Identifies with Randomization (- Standalone Overlay). .18010.17.20.4 SC-23(5) – Session Authenticity: Allowed Certificate Authorities (- Standalone Overlay) – NEW BASELINE
18110.17.21 SC-28 – Protection of Information at Rest.......................................................................................................181
10.17.21.1 SC-28(1) – Protection of Information at Rest: Cryptographic Protection (+Classified)................................18110.17.22 SC-38 – Operations Security – NEW BASELINE................................................................................................18210.17.23 SC-39 – Process Isolation – NEW BASELINE.....................................................................................................18210.17.24 SC-42 – Sensor Capability and Data (+ Classified Overlay) – NEW...................................................................183
10.17.24.1 SC-42(3 – Sensor Capability and Data: Prohibit Use of Services (+ Classified Overlay) – NEW...................18310.18 System and Information Integrity (SI).......................................................................................................................184
10.18.1 SI-1 – System and Information Integrity Policy and Procedures......................................................................18410.18.2 SI-2 – Flaw Remediation..................................................................................................................................184
10.18.2.1 SI-2(1) – Flaw Remediation: Central Management – NEW BASELINE........................................................18410.18.2.2 SI-2(2) – Flaw Remediation: Automated Flaw Remediation Status............................................................18510.18.2.3 SI-2(3) – Flaw Remediation: Time to Remediate Flaws/Benchmarks for Corrective Actions (- Standalone Overlay) 18510.18.2.4 SI-2(4) – Flaw Remediation: Automated Patch Management Tools WITHDRAWN Incorporated into SI-2 18610.18.2.5 SI-2(6) – Flaw Remediation: Removal of Previous Versions of Software/Firmware – NEW BASELINE.......186
10.18.3 SI-3 – Malicious Code Protection.....................................................................................................................18610.18.3.1 SI-3(1) – Malicious Code Protection: Central Management (- Standalone Overlay)...................................18710.18.3.2 SI-3(2) – Malicious Code Protection: Automatic Updates (- Standalone Overlay).......................................18710.18.3.3 SI-3(3) – Malicious Code Protection: Non-Privileged Users WITHDRAWN Incorporated into AC-6(10)......18710.18.3.4 SI-3(5) – Malicious Code Protection: Portable Storage Devices – WITHDRAWN Incorporated into MP-7 18710.18.3.5 SI-3(10) – Malicious Code Protection: Malicious Code Analysis – NEW BASELINE......................................187
10.18.4 SI-4 – Information System Monitoring............................................................................................................18810.18.4.1 SI-4(1) – Information System Monitoring: System-Wide Intrusion Detection System (- Standalone Overlay)
18910.18.4.2 SI-4(2) – Information System Monitoring: Automated Tools for Real-Time Analysis (- Standalone Overlay)
18910.18.4.3 SI-4(4) – Information System Monitoring: Inbound and Outbound Communications Traffic (- Standalone Overlay) 18910.18.4.4 SI-4(5) – Information System Monitoring: System Generated Alerts (- Standalone Overlay)....................19010.18.4.5 SI-4(6) – Information System Monitoring: Restrict Non-Privileged Users WITHDRAWN Incorporated into AC-6(10) 19010.18.4.6 SI-4(8) – Information System Monitoring: Protection of Monitoring Information WITHDRAWN Incorporated into SI-4.....................................................................................................................................................19010.18.4.7 SI-4(10) – Information System Monitoring: Visibility of Encrypted Communications (- Standalone Overlay) – NEW BASELINE.............................................................................................................................................................19010.18.4.8 SI-4(11) – Information System Monitoring: Analyze Communications Traffic Anomalies (- Standalone & CRN Overlay)...................................................................................................................................................................19110.18.4.9 SI-4(12) – Information System Monitoring: Automated Alerts (- Standalone Overlay)..............................191
xiv
10.18.4.10 SI-4(14) – Information System Monitoring: Wireless Intrusion Detection (- Standalone Overlay).............19210.18.4.11 SI-4(15) – Information System Monitoring: Wireless to Wireline Communications (- Standalone Overlay)
19210.18.4.12 SI-4(16) – Information System Monitoring: Correlate Monitoring Information (- Standalone Overlay).....19210.18.4.13 SI-4(19) – Information System Monitoring: Individuals Posing Greater Risk (+ Classified Overlay) – NEW BASELINE 19310.18.4.14 SI-4(20) – Information System Monitoring: Privileged User – NEW BASELINE...........................................19310.18.4.15 SI-4(21) – Information System Monitoring: Probationary Periods (+ Classified Overlay) - NEW................19410.18.4.16 SI-4(22) – Information System Monitoring: Unauthorized Network Services (- Standalone Overlay) – NEW BASELINE 19410.18.4.17 SI-4(23) – Information System Monitoring: Host-Based Devices (- Standalone Overlay) – NEW BASELINE
19410.18.5 SI-5 – Security Alerts, Advisories, and Directives.............................................................................................195
10.18.5.1 SI-7(14) – Software, Firmware, and Information Integrity: Binary or Machine Executable Code – NEW BASELINE 195
10.18.6 SI-10 – Information Input Validation (- Standalone Overlay) – NEW BASELINE..............................................19610.18.7 SI-11 – Error Handling.....................................................................................................................................19610.18.8 SI-12 – Information Handling and Retention...................................................................................................196
10.19 Program Management (PM) – NEW BASELINE.........................................................................................................19810.19.1 PM-2 – Senior Information Security Officer.....................................................................................................19810.19.2 PM-3 – Information Security Resources..........................................................................................................19910.19.3 PM-4 – Plan of Action and Milestones Process...............................................................................................19910.19.4 PM-5 – Information System Inventory............................................................................................................20010.19.5 PM-6 – Information Security Measures of Performance.................................................................................20010.19.6 PM-7 – Enterprise Architecture.......................................................................................................................20010.19.7 PM-8 – Critical Infrastructure Plan..................................................................................................................20110.19.8 PM-9 – Risk Management Strategy.................................................................................................................20110.19.9 PM-10 – Security Authorization Process.........................................................................................................20210.19.10 PM-11 – Mission/Business Process Definition.................................................................................................20210.19.11 PM-12 – Insider Threat Program.....................................................................................................................20210.19.12 PM-13 – Information Security Workforce.......................................................................................................20310.19.13 PM-14 – Testing, Training, and Monitoring.....................................................................................................20310.19.14 PM-15 – Contact with Security Groups and Associations................................................................................20410.19.15 PM-16 – Threat Awareness Program...............................................................................................................204
xv
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
1 BACKGROUNDWith the transition to Risk Management Framework (RMF) within NISP, all systems requiring authorization or re-authorization after March 2017 will follow the RMF methodology for Local Area Networks, Wide Area Networks and Interconnected Systems. 2. This document is based on the DSS Assessment and Authorization Manual (DAAPM)
For the purposes of Information Systems (IS), this SSP incorporates the content of the Security Controls Traceability Matrix (SCTM) and an IA SOP.
2 APPLICABILITYThis template is applicable to all Information Systems (IS) that store, process and/or transmit classified information.
3 REFERENCESThis document is based on the following references:
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, Apr 13 CNSSI 1253, Security Categorization and Control Selection for National Security Systems, 12 May 14
4 RECIPROCITYReciprocity is defined as a “Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.” [CNSSI 4009]
This agreement, however, does not imply blind acceptance. The body of evidence used for assessments of the subject system will be provided to the other participant(s) who have a vested interest in establishing a mutual agreement. The receiving party will review the assessment evidence (e.g., system security plan (SSP), test plans, test procedures, test reports, exceptions) and determine if there are any deltas in the evidence, (e.g., baseline/overlay controls that were tailored, a test item that was omitted), and identify items that may require negotiations.
Reciprocity means that the system(s) will not be retested or undergo another full assessment. In the spirit of reciprocity, the existing assessments will be accepted; only controls, test items or other pertinent items that were initially omitted are subject to evaluation/testing to assure the system meets any additional protections required for a successful reciprocal agreement.
1
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
5 SYSTEM IDENTIFICATIONINSTRUCTIONS (DELETE IN FINAL DOCUMENT): All of the pre-printed text instructions, e.g., sentences that start with insert, summarize or click here to insert text are content boxes. Click on the words to open the box and enter the text.
5.1 SYSTEM OVERVIEWSystem Name Click here to enter text.Unique Identifier Insert the organization defined unique identifier assigned to the system (e.g. CASTS
registration number). (If no number is assigned, leave blank.Type of Information System (Check One)
Standalone Multi-User Standalone Closed Restricted Network (Local Area Network) Wide Area Network Interconnected System – Contractor-to-Contractor Interconnected System – Contractor-to-Government Other:
Type of Plan: SSP MSSP (Type Authorization)
The system is in the life-cycle phase noted in the table below.
System Status (Check One)Operational The system is operating and in production.
Under Development The system is being designed, developed, or implemented
Major Modification The system is undergoing a major change, development, or transition.
Other Explain: Click here to enter text.
5.2 SECURITY CATEGORIZATION
5.2.1 Summary Results and RationaleSummarize information in the sections below; e.g., System X is categorized as a Moderate-Low-Low system processing xxx information types. A risk analysis indicated that no risk adjustment tailoring was required.
5.2.2 Categorization Detailed ResultsInstruction (DELETE IN FINAL DOCUMENT): Record your information types in the table that follows. Record the sensitivity level for Confidentiality, Integrity, and Availability as High, Moderate, or Low. Add more rows as needed to add more information types. Use NIST SP 800-60 Guide for Mapping Types of Information and Systems to Security Categories, Volumes I & II, Revision 1 for guidance.
Information Impact Categorization CNSSI 1253 Reference:DAA PM Reference:
2.1.1
Information Impact CategorizationInformation Type Confidentiality Impact Integrity Impact Availability Impact Authority<e.g., Administrative> Choose an item. Choose an
item.Choose an item.
Choose an item.Choose an item.
Choose an item.e.g., ISO
<e.g., Engineering> Choose an item. Choose an item. Choose an item. e.g., .ISOClick here to enter text. Choose an item. Choose an item. Choose an item. e.g., SCG
5.2.2.1 System Security Impact CategorizationInstruction (DELETE IN FINAL DOCUMENT): Based on the information types in the above table, select the highest value for each information type and enter into the table below.CNSSI 1253 Reference: 2.1.2
1
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
DAA PM Reference:Final System Impact CategorizationConfidentiality Impact Integrity Impact Availability Impact AuthorityChoose an item. Choose an
item.Choose an item.Choose an item.Choose an item.
Choose an item.e.g., ISO, SCG
5.2.2.2 Risk Adjusted System Impact CategorizationCNSSI 1253 Reference:DAA PM Reference:
2.1.32.1.3
Risk Adjusted System Impact CategorizationConfidentiality Impact Integrity Impact Availability Impact AuthorityChoose an item. Choose an item.Choose an
item.Choose an item.Choose an item.
Choose an item.e.g., AO, REF, ISO, SCG
5.2.3 Control SelectionInstruction (DELETE IN FINAL DOCUMENT): Following ISO, SCA, and AO discussions on control selection, identify the applicable baseline and overlays as appropriate. Fill in the appropriate baseline and overlay(s). The Accessibility, CRN, Classified, Privacy, and Standalone overlays are included and individual controls added/removed by the overlays are identified and may require action.DAA PM Reference:
Baseline:
e.g., Moderate-Low-Low (MLL)Overlays (Select/Add all that apply):X Closed Restricted Network /Local Area Network
X Classified Information Overlay
X Standalone
6 KEY ROLES AND RESPONSIBILITIESInstruction (DELETE IN FINAL DOCUMENT): Add, modify or delete the roles and responsibilities below as required for the specific organization. Detailed information regarding the requirements for each of these roles is further defined in the DAA PM.
6.1 RISK MANAGEMENTDelegated Authorizing Official (DAO)Name: Click here to enter text.Organization: Click here to enter text.Address: Click here to enter text. Phone: Click here to enter text.Email: Click here to enter text.
Delegated AO-Representative (DAO-R)Name: Click here to enter text.Organization: Click here to enter text.Address: Click here to enter text. Phone: Click here to enter text.Email: Click here to enter text.
System Certifying Authority (SCA)Name: Click here to enter text.Organization: Click here to enter text.Address: Click here to enter text. Phone: Click here to enter text.Email: Click here to enter text.
2
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Information Owner/StewardName: Click here to enter text.Organization: Click here to enter text.Address: Click here to enter text. Phone: Click here to enter text.Email: Click here to enter text.
Information System Owner (ISO)/Program Manager (PM)Name: Click here to enter text.Organization: Click here to enter text.Address: Click here to enter text. Phone: Click here to enter text.Email: Click here to enter text.
6.2 IA SUPPORT PERSONNELInstruction (DELETE IN FINAL DOCUMENT): The site maintains copies of the IA Appointment Letters for all IA Personnel on file available for review. Additional IA personnel, such as the Information Assurance Support Officer (IASO) may be added.
Information System Security Manager (ISSM)Name: Click here to enter text.Organization: Click here to enter text.Address: Click here to enter text. Phone: Click here to enter text.Email: Click here to enter text.8570 Profile Click here to enter text.8570 Baseline Certification Click here to enter text.
System Administrator/Network Administrator (SA/NA)Name: Click here to enter text.Organization: Click here to enter text.Address: Click here to enter text. Phone: Click here to enter text.Email: Click here to enter text.
Data Transfer Agent (DTA)/Trusted DownloadName: Click here to enter text.Organization: Click here to enter text.Address: Click here to enter text. Phone: Click here to enter text.Email: Click here to enter text.Transfer Risk Level (High or Low): Click here to enter text.
3
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
7 SYSTEM ENVIRONMENT 7.1 PHYSICAL ENVIRONMENT
NIST 800-53/DAA PM Reference: PE-3Is the secure facility accredited or approved to process and store information at the level covered by this SSP?
Yes No
Who accredited or approved the facility? Organization: Name:Indicate if the facility is a Closed, or Restricted Area. Closed Date of Approval Click here to enter text.
Restricted Date of Approval Click here to enter text.
Both Date of Approval Click here to enter text.State the classification level approved for the facility, as well as any caveats applied to the information.
Secret Top Secret
NATO RD
Others COMSEC
Is the system approved for unattended processing? Yes No
Is the facility approved for 24-hour operation? Yes No
Is the facility approved for Open or Closed storage? Opened Closed
List all items approved for Open Storage: Click here to enter text.List all items restricted to Closed Storage: Click here to enter text.Are classified and lower classified systems co-located within the facility? (If yes, complete the box to the right.)
NIPRNet/NMCI/Internet SIPRNet JWICS
Others _______________ _______________
If there are co-located systems, what is the date of their ATO? (Retain copies of the co-located system ATOs on file.) Click here to enter text.
System Click here to enter text.System Click here to enter text.
OthersClick here to enter text._______________
Is a PDS required to support this connection Yes No
Approval Date:
7.2 FACILITY/SYSTEM LAYOUTInsert diagram or include as an attachment.
7.3 PERSONNEL AUTHORIZATIONSNIST 800-53, Rev. 4/DAA PM Reference: AC-2
Minimum Clearance Minimum Access Citizenship Foreign National
Top Secret Secret
SAP SCI Both
Yes No
7.4 SYSTEM CLASSIFICATION LEVEL(S) & COMPARTMENT(S)Classification Caveats Compartments
Secret Top Secret
None NATO RD
<XXX> <XXX> <XXX>
4
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
7.5 UNIQUE DATA HANDLING REQUIREMENTSInstruction (DELETE IN FINAL DOCUMENT): Identify any unique handling requirements, e.g. NATO, NOFORN, NOCONTR, etc.>Identify handling requirements/caveats.
7.6 INFORMATION ACCESS POLICIESNIST 800-53, Rev. 4/DAA PM Reference:
AC-2, 3
Instruction (DELETE IN FINAL DOCUMENT): Insert or reference organizational or system-specific user access policies relevant to information types maintained on the information system. If appropriate, policies may be included in or placed in an appendix to the SSP. Access controls will be enforced or adjudicated through technical means to protect the information types (e.g. DAC/MAC).Insert any additional organizational or system-specific user access policies.
8 GENERAL SYSTEM DESCRIPTION/PURPOSE8.1 SYSTEM DESCRIPTIONInstruction (DELETE IN FINAL DOCUMENT): Provide a summary description of the system, its purpose and function; include high level description of the data flow, interconnected systems, operating system(s), key components, perimeter, information system boundary, and user(s). Ensure appropriate classification guidance is provided.NIST 800-53, Rev. 4/DAA PM Reference: PL-2Enter System Description.
8.2 SYSTEM ARCHITECTUREInstruction (DELETE IN FINAL DOCUMENT): Describe the system architecture. As needed, show the architecture within the authorization boundary (e.g. servers, workstations, printers, etc.) in diagram form and place it in Appendix A. Either reference the location of the hardware and software lists or insert in Appendices B and C.Describe System Architecture.
8.3 FUNCTIONAL ARCHITECTUREInstruction (DELETE IN FINAL DOCUMENT): Describe or provide a diagram of the functional architecture of the system, e.g. Data Flow.Describe functional architecture; e.g., data flow. Insert diagram if appropriate.
8.4 USER ROLES AND ACCESS PRIVILEGESInstruction (DELETE IN FINAL DOCUMENT): List roles and privileges (e.g. Privileged User, General User, Database Administrator, and Data Transfer Agent).
Role Name Authorized Privileges and Functions Performed
Click here to enter text. Click here to enter text. Click here to enter text.
Click here to enter text. Click here to enter text. Click here to enter text.
Click here to enter text. Click here to enter text. Click here to enter text.
Click here to enter text. Click here to enter text. Click here to enter text.
9 INTERCONNECTIONS9.1 DIRECT NETWORK CONNECTIONS**NOTE: Direct network connections with external organizations, whether internal or external to the facility must be addressed in an MOU/MOA and/or ISA. Indicate in Section 5.3.
NIST 800-53, Rev. 4/DAA PM Reference: PL-2, AC-17, CA-3 This system does not connect to any other system.
This system connects to following system(s):SYSTEM NAME ORGANIZATION CLASSIFICATION/ ATO ISSUED BY DATE OF ATO
5
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
COMPARTMENTS
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
9.2 INDIRECT CONNECTIONS/INFORMATION SHARINGInstruction (DELETE IN FINAL DOCUMENT): This section refers to information received through means other than a direct connection, e.g. “Sneaker Net.” Double click on the appropriate check boxes and change the default value to “checked.”
This system does not accept or process data stored on any other systems. i.e. No input from other systems into this system.
This system accepts and processes data stored on media created on the following system(s) as part of its core mission processes: Complete information below.SYSTEM NAME CLASSIFICATION &
COMPARTMENTSACCREDITED BY TRANSFER METHOD
Click here to enter text. Click here to enter text. Click here to enter text. Click here to enter text.Click here to enter text. Click here to enter text. Click here to enter text. Click here to enter text.Click here to enter text. Click here to enter text. Click here to enter text. Click here to enter text.
Data from this system is NOT shared or distributed to any other systems. i.e. No output from this system goes into another system.
Data stored on media created on or used on this information system is distributed for use on the following system(s):SYSTEM NAME CLASSIFICATION &
COMPARTMENTSACCREDITED BY TRANSFER METHOD
Click here to enter text. Click here to enter text. Click here to enter text. Click here to enter text.Click here to enter text. Click here to enter text. Click here to enter text. Click here to enter text.Click here to enter text. Click here to enter text. Click here to enter text. Click here to enter text.
9.3 MEMORANDA OF UNDERSTANDING (MOU), MEMORANDA OF AGREEMENT (MOA), CO-UTILIZATION AGREEMENTS (CUA) AND INTERCONNECTION SECURITY AGREEMENTS (ISA)
Instruction (DELETE IN FINAL DOCUMENT): Copies of the MOUs/MOAs and/or ISA referenced in this table must be available to the SCA for review during the verification and validation testing. NOTE: In the event of more than one MOU/MOA/CUA/ISA, copy table and complete individually for each document.
This information system does not require any MOU/MOA, CUA, or ISA.This information system requires an MOU/MOA, CUA, and/or ISA.
NIST 800-53, Rev. 4/DAA PM Reference: AC-20
Subject of MOU/MOA/CUA/ISA Click here to enter text.Date of MOU/MOA/CUA/ISA Click here to enter text.POC Name Click here to enter text.Organization Click here to enter text.Contact (phone or e-mail) Click here to enter text.
6
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
READ ME FIRST:ALL new Baseline Controls are indicated with NEW BASELINE included in the title.
Overlays are included with guidance regarding possible actions on behalf of the Program. These overlays either add or remove security controls based on the configuration of the information system and the requirements of the Program.
ALL overlays that apply to a specific control are indicated in the Security Control title. A “+” means that the control is required by one or more overlays; a “–“indicates that the control may be tailored out based on one or more overlays.
CRITERIA FOR THE CLASSIFIED OVERLAY: The Classified Overlay applies to ALL classified NSS including DoD and IS and is considered part of the DAA PM baseline control set. Controls identified in the Classified Overlay may not be tailored out and must be addressed in the security control description. All new baseline controls based on the Classified overlay will be indicated with NEW in the control title.
CRITERIA FOR THE STANDALONE OVERLAY: This overlay may be applied for any IS that are operated in a purely (not networked) standalone configuration, e.g., a laptop, standalone PC. Security controls that can be tailored out base on the Standalone Overlay are identified by a (- per Standalone Overlay) in red text in the control name. If control is not relevant to the IS, check the “Tailored Out” box; no further explanation is required. NOTE: Some of the controls can only be tailored out for standalone IS that have ONLY one user. These are specifically identified.
CRITERIA FOR IMPLEMENTATION OF THE ISOLATED LAN/CLOSED RESTRICTED NETWORK OVERLAY: This overlay may be applied for any IS that is operated in an internal network configuration that is not connected in any way to an external network or information system. Security controls that can be uniquely tailored out are identified by a (- CRN Overlay). If control is not relevant to the IS, check the “Tailored Out” box; no further explanation is required.
NOTE FOR ALL OVERLAYS: EACH PROGRAM IS RESPONSIBLE FOR REVIEWING EVERY CONTROL IN THE BASELINE AND DETERMINING IF THAT CONTROL IS APPLICABLE, WHETHER OR NOT AN OVERLAY ALLOWS IT TO BE TAILORED OUT OR RECOMMENDS THE SECURITY CONTROL BE ADDED TO THE BASELINE.
The security impact categorization of the IS for confidentiality will NEVER be lower than Moderate. In some cases, the IS will required enhanced security for confidentiality, integrity and/or availability. In that case, the categorization for one or all categories can be raised (e.g., from Moderate to High or from Low to Moderate, etc.) or the organization may only require the addition of one or more specific security controls at the elevated security impact level. If additional security controls are required, these must be added to the template and marked as “Tailored In.”
There is a short description for each control, which provides guidance on the implementation of that control. In the control descriptions, organizational parameters or specific requirements are indicated in bold print. Please describe the information security control as it is implemented on your system in the white sections in the tables below. You may tailor security controls in/out based on the security impact categorization, applied overlay(s), and adjustments based on the risk assessment. Security controls added uniquely by an overlay are indicated with a plus and the name of the overlay requiring the control. If the control can be tailored out or must be tailored in due to an overlay, this is reflected in red text for each affected control.
The continuous monitoring strategy for each control must be explained. This may include such language as how and when reviews are conductedThe recommended continuous monitoring frequency from the DAAPM is provided; however, this may require adjustment based on Program operational requirements. A change to the recommended frequency requires DAO approval. The CONMON Reporting Spreadsheet (see Continuous Monitoring Guide) is intended to be used to track the most current review date. If the recommended frequency is changed, a justification must be provided in the control implementation description. In the blank for continuous monitoring strategy, indicate the means by which the control will be monitored; e.g., use automated scanning tool, review and update document, download screenshots, etc.
1
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10BASELINE SECURITY CONTROLS10.1 SUMMARY LISTING OF REQUIRED CONTROLS FOR A MODERATE – LOW –
LOW (M-L-L) BASELINEThe following list of controls is based on the DAA PM M-L-L baseline and the CNSSI 1253 NSS Security Control Baseline. These sections include all of the control requirements from the Joint Implementation Guide (DAA PM) to include the organizationally-defined parameters, as well as any additional regulatory requirements. The listing of controls is intended to provide sufficient information required to define the security control requirements. Additional clarification regarding the security control requirements can be found in the DAA PM.The Programs are not required to develop additional policy and procedures to address the -1 security controls. The control requirements are incorporated into the security controls and procedures within the body of the SSP.
10.2 ACCESS CONTROL (AC)10.2.1 AC-1 – Access Control Policy and Procedures Requirements Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Control: The organization:
a. Develops, documents, and disseminates to all authorized responsible personnel as required:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy annually or as policy and procedures dictate changes are required;
2. Access control procedures annually or as policy and procedures dictate changes are required.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2 AC-2 – Account Management
Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations are responsible for managing information system accounts to include identifying account types and
2
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
procedures for creating, activating, modifying, and monitoring, disabling, and removing accounts. Definitions for types of accounts can be found in DAA PM - AC-2. All accounts must be reviewed at least annually for changes in such items as staff position, office symbol, contact information, transfer, etc. [AC-2.j] The validation process shall be documented. Disabled accounts shall be terminated/removed within 12 months or after the next review cycle.The organization manages information system accounts and:
Identifies and selects account types (i.e., individual, group, system, application, guest/anonymous, and temporary) as defined by the ISSM.
Click here to enter text.
Assigns account managers for information system accounts
Click here to enter text.
Establishes conditions for group membership Click here to enter text.
Specifies authorized users of the information system, group and role membership, and privileges and other attributes for each account
Click here to enter text.
Requires approvals by the ISSM/ISSO for requests to establish accounts
Click here to enter text.
Creates, enables, modifies, disables and removes information system accounts in accordance with DAAPM
Click here to enter text.
Monitors the use of information system accounts Click here to enter text.
Notifies account managers when (1) accounts are no longer required, (2) when information system users are terminated, transferred, and when (3) individual information system usage or need-to-know/need-to share changes
Click here to enter text.
Authorizes access to the system based on: (1) a valid access authorization; (2) intended system usage; and (3) other attributes as required by the organization or associated missions/business functions
Click here to enter text.
Reviews accounts for compliance with at least annually, if not otherwise defined in formal organizational policy
Click here to enter text.
Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2.1 AC-2 (1) – Account Management: Automated System Account Management (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
3
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
The organization employs automated mechanisms to support the management of information system accounts. The use of automated mechanisms can include using email or text messaging to automatically notify account managers when users are terminated or transferred; to monitor account usage; or to report atypical account usage. When automated mechanisms cannot be used, a manual process must be established and documented and will require explicit DAO approval.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2.2 AC-2(2) – Account Management: Removal of Temporary/Emergency Accounts (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system automatically disables temporary and emergency accounts after not more than 72 hours.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2.3 AC-2(3) – Account Management: Disable Inactive Accounts (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
All password-accessible accounts must be disabled when information system users are terminated, transferred, or no longer require access to the information resource in the performance of their assigned duties. The information system automatically disables inactive accounts after a maximum of 90 days of inactivity. Accounts where the user has lost their security clearance will be disabled immediately.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2.4 AC-2(4) – Account Management: Automated Audit ActionsRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
4
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2.5 AC-2(5) – Account Management: Inactivity Logout Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
For any extended absence (more than six hours) and at the end of each workday, users are required to logout of all systems. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2.6 AC-2(7) – Account Management: Role Based Schemes (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS with a single user.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization establishes and administers privileged accounts in accordance with a role-based scheme; monitors privileged role assignments; and disables (or revokes) privileged access when privileged role assignments are no longer appropriate. This control supports insider threat mitigation. Privileged roles also include the auditor and data transfer agent (DTA).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
5
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.2.7 AC-2(9) – Account Management: Restrictions on Use of Shared Groups/Accounts– NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization only permits the use of shared/group accounts that are operationally essential and when explicitly authorized by the DAO. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2.8 AC-2(10) – Account Management: Shared/Group Account Credential Termination – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system terminates shared/group account credential when a member/members leave the group. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2.9 AC-2(12) – Account Management: Active Monitoring/Atypical Usage – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization (a) monitors information system accounts for atypical usage based on Program-unique requirements and (b) reports atypical usage of information system accounts to the ISSM immediately upon detection. This control supports insider threat mitigation.
Click here to enter text.
6
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2.10 AC-2(13) – Account Management: Disable Accounts for High-Risk Individuals– NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization disables accounts of users posing a significant risk immediately or as soon as possible after discovery. See also AU-6. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.3 AC-3 – Access Enforcement
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
All information systems shall enforce approved authorizations for logical access to information and information system resources in accordance with approved access control policies.
Additionally, all information systems shall, at a minimum, enforce a Discretionary Access Control (DAC) policy that:
Allows users to specify and control sharing by named individuals or groups of individuals, or by both
Click here to enter text.
Limits propagation of access rights Click here to enter text.
Includes or excludes access to the granularity of a single user
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.3.1 AC-3(2) – Access Enforcement: Dual Authorization (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring:
7
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization enforces dual authorization for all transfers of data from a classified computer network to removable media.
This includes the technical separation of roles (e.g., DTA and ISSM or designated representative etc.). Only trained Data Transfer Agents (DTAs) are authorized to transfer data from a IS to removable media. Only ISSM and/or designated representatives are authorized to enable permissions to transfer data to removable media. This control supports insider threat mitigation.Data transfer authorization enforcement can be performed by the organization, but should have technical separation of roles to support the organization’s implemented dual authorization process. Example of implementation meeting the spirit of AC-3(2): The organization policy states that appropriately trained Data Transfer/Trusted Download Agents are the only individuals authorized to transfer data from a classified system to removable media and only the ISSM and/or designated representatives are authorized to enable permissions to transfer removable media.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.3.2 AC-3(4) – Access Enforcement: Discretionary Access Control (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with a single user.Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS enforces discretionary access control to include or exclude access to the granularity of a single user who may be granted authorization to
a) Pass information to other subjects or objects;b) Grant privileges to other subjects;c) Change security attributes;d) Choose security attributes for newly created or revised objects; ande) Change rule governing access control when authorized. The assumption is that some user data/information in
organizational information systems is not shareable with other users who have authorized access to the same systems. Address at a minimum: allow uses to specify and control sharing by named individuals or groups; limit propagation of access rights; include or exclude access to the granularity of a single user.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
8
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.3.3 AC-3(6) – Access Enforcement: Protection of User and System Information – WITHDRAWN Incorporated into MP-4 and SC-28
10.2.4 AC-4 – Information Flow EnforcementRecommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems.
Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers). These devices employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or provide message-filtering capabilities based on content (e.g., using key word searches or document characteristics). Within the environment, information flow control is provided by the infrastructure via the implementation of various boundary protection devices.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.5 AC-5 – Separation of Duties (+ Classified Overlay)Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Insider threat mitigation requirements mandate that system administrators should not also perform security audit administration functions without specific DAO approval and the implementation of compensatory measures. The Data Transfer Agent (DTA) and the TPI Media Custodian shall not be the same individual. The organization:
Separates at a minimum duties of indivuiduals as necessary
Click here to enter text.
Documents separation of duties Click here to enter text.
Defines information system access authorizations to support separation of duties
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.6 AC-6 – Least Privilege (+ Classified Overlay).Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
9
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.The organization enforces the most restrictive set of rights/privileges or access needed by users for the performance of specific tasks. The organization also ensures that users who must access Program information or records containing PII only have access to the information necessary to perform their assigned tasks.For example, system administrators, security administrators, and database administrators perform functions that do not require use of their fully privileged account. They shall, therefore, use a separate general user account and are required to use that account when not performing privileged functions. [AC-6(2)] Individual email accounts should not be used when logged in as a privileged user. Other examples of least privilege include restricting access to audit logs to security auditors, preventing general users from installing software, and/or limiting access to media drives to DTAs that have been formally trained.In accordance with Insider Threat Mitigation Guidance, ISSM will ensure that the number of privileged users is kept to a minimum and conduct an internal review of all privileged users and their associated permissions quarterly and report to the AO annually or if there has been a change in privileged users. Note: DTAs are considered privileged users with limited, specific elevated privileges.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.6.1 AC-6(1) – Least Privilege: Authorize Access to Security FunctionsRecommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization explicitly authorizes access to systems and/or software that provide security relevant functions (e.g., USB ports, I/O ports, CD/DVD drives, etc.). This control supports insider threat mitigation.All classified information systems must technically enforce restrictions on the ability to write to removable media. By default, all write functionality must be disabled. Whenever access to writable removable media is necessary, the write functionality may be enabled, but this must be logged. After the write functions are completed, the write functionality must again be disabled and logged.Ensure media access is audited as indicated in AU-2.a. Limiting access to security functions to a limited set of authorized personnel reduces the number of individuals able to perform security functions, such as configuring permissions, setting audit logs, etc. At a minimum, all IS must technically enforce restrictions on the ability to write to removable media; e.g., all CD/DVD write functionality must be disabled by default and enabled only when required for the execution of an approved data transfer.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.6.2 AC-6(2) – Least Privilege: Non-Privileged Access for Non-Security Functions This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information. Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires that users of information system accounts, or roles, with access to privileged functions use non-privileged accounts, or roles when accessing other system functions, and if feasible, audits any use of privileged accounts or roles for such functions. They shall, therefore, use a separate general user account and are required to use that account when not performing privileged functions. Requiring users with elevated privileges to use separate accounts enables more accurate audit of privileged user actions. Organizations should also establish a separate privileged account specific to DTA activities. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.6.3 AC-6(5) – Least Privilege: Privileged AccountsRecommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization limits privileged user accounts to the absolute minimum number of privileged users needed to manage the system. In addition, super-user/root accounts shall be limited to the maximum extent possible. For example, not all privileged users will be granted full super-user/root access.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.6.4 AC-6(7) – Least Privilege: Review of User Privileges (+ Classified Overlay) (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS with a single user.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The Presidential Memo, National Insider Threat Policy and Minimum Standards for Insider Threat Programs, November 21, 2012, and DoDD 5205.16, The DoD Insider Threat Program, 30 Sep 2014, require that organizations develop insider threat programs to include reporting the status of privileged users (e.g., total number, additions, deletions) on a quarterly basis.
11
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.Programs will report to the Special Programs Office.The organization:
Reviews at least annually the privileges assigned to privileged user accounts to include the DTA to validate the need for such privileges
Click here to enter text.
Reassigns or removes privileges, if necessary to correctly reflect organizational mission/business needs
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.6.5 AC-6(8) – Least Privilege: Privilege Levels for Code Execution – NEW BASELINERecommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system prevents all software applications/programs from executing at higher levels than users executing the application/program.Organizations shall maintain inventory of software in use and mechanism used to enforce and ensure this control.Example: To maintain system integrity most systems restrict the ability of an application to install other software (including reinstalling itself). Windows users (from Vista on) are familiar with User Account Control (UAC) popup or the need to right click and "Run as Administrator" in order to install an application. Linux users are familiar with a "su" or "sudo" to root privilege to install applications.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.6.6 AC-6(9) – Least Privilege: Auditing Use of Privileged Functions – NEW BASELINERecommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system audits the execution of privileged functions.
Privileged functions have elevated permissions to access, or grant access to Program information and/or PII. Accountability requires the ability to detect, trace, and audit privileged functions. The information system prevents all applications/programs from executing at higher levels than users executing the application/program. This control supports insider threat mitigation.
Click here to enter text.
12
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.6.7 AC-6(10) – Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions – NEW BASELINE
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasuresThis control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.7 AC-7 – Unsuccessful Login Attempts Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system:
Enforces a limit of maximum of three (3) consecutive invalid logon attempts by a user during a fifteen (15) minute time period
Click here to enter text.
Automatically locks the account/node until released by an administrator when the account is supported locally; or if not supported locally, after a period of not less than 15 minutes when the maximum number of unsuccessful attempts is exceeded. (Includes the requirements of AC-7(1))
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.8 AC-8 – System Use NotificationRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
13
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Common System Specific Hybrid (Common and System Specific)Notice and Consent Banners: “Standard mandatory notice and consent banners must be displayed at logon to all ISs and standard mandatory consent notice and consent provisions will be included in all IS user agreements in accordance with applicable security controls and implementation procedures.” The most current required text for the banner and user agreements is listed within the DAAPM.The information system:
Displays to users the DoD Information System Standard Consent Banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system; Information system usage may be monitored, recorded, and subject to audit; Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and Use of the information system indicates consent to monitoring and recording; Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions by clicking on a box indicating “OK” to log on to or to further access the information system
Click here to enter text.
For publicly accessible systems: Displays system use information and prevents further activity on the information system unless and until the user takes positive action to acknowledge agreement by clicking on a box indicating “OK”; Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and Includes a description of the authorized uses of the system.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.9 AC-10 – Concurrent Session Control (- Standalone Overlay) – NEW BASELINEAfter a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system limits the number of concurrent sessions for each user to a maximum of three (3) sessions. The concurrent sessions can be defined globally, by account type (e.g., privileged user), account or combination. This control may require 3rd party software of development of a script.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
14
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.10 AC-11 – Session Lock (+ Classified)This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the implementation of this control.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
NOTE: Operational considerations may require exceptions to this requirement. Exceptions must be approved in writing by the DAO or designee. Session locks are not authorized in lieu of logout procedures. This control supports insider threat mitigation.Session locks (aka screen locks) shall be configured to require authentication for reentry into the system. Systems supporting token-based authentication shall immediately lock when the token is removed. This control also addresses unattended processing, which must be identified in the SSP specifying the functions and/or mission related tasks that must run as unattended processes.Unattended Processing: Unattended processing is defined as automated processes executed/running on a user’s behalf while no users are physically present in the area/facility. Unattended processes generally run after hours during the week or on weekends. Automated processes may include IT administrative functions (e.g., backups, scans) as well as mission-related tasks requiring additional network resources, e.g., executing complex algorithms. Open storage is approved based on physical accreditation with regard to media, mission need, and risk. Unattended processing is approved by the AO based on system, mission justification, and environment. Unattended processing must be captured in the SSP/SCTM identifying the specific IT administrative functions and/or mission-related tasks that run as unattended processes. If possible, implement screen lock or appropriate prominently displayed signage.The information system:Prevents further access to the system by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user.
Click here to enter text.
Retains the session lock until the user reestablishes access using established identification and authentication procedures
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.10.1 AC-11(1) – Session Lock: Pattern Hiding Displays (+ Classified Overlay)Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
The information system conceals via the session lock, the information previously visible on the display with a publicly viewable image. The information system session lock mechanism, when activated, shall hide screen content using an unclassified pattern or image. This control supports insider threat mitigation.
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
15
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.11 AC-12 – Session Termination – NEW BASELINERecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system [automatically] terminates a user session when the user logs out of the IS or removes the token.
A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.11.1 AC-12(1) – Session Termination: User-Initiated Logouts/Message Displays – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system: (a) provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to information resources and
(b) displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.12 AC-14 – Permitted Actions without Identification or Authentication Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
16
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Common System Specific Hybrid (Common and System Specific)This control addresses situations in which organizations determine that no identification or authentication is required or possible in organizational information systems. The organization may be required to implement compensatory measures. Specific DAO authorization is required.The organization:Identifies to the DAO for authorization any actions no user actions can be performed on the information system without identification or authentication consistent with organizational missions/business functions
Click here to enter text.
Documents and provides supporting rationale in the SSP for the information system, user actions not requiring identification or authentication
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.12.1 AC-14(1) - Permitted Actions without Identification or Authentication: Necessary Uses WITHDRAWN Incorporated into AC-14
10.2.13 AC-16 – Security Attributes (+ Classified) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
For example, the organization: a. Provides the means to associate [Classification level; accesses; and handling caveat] having [Unclassified, Confidential, Secret, Top Secret; Apples, Oranges;, FOUO, NOFORN, etc.] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Classification level; accesses; and handling caveat] for [e.g., Apples Network, FMDR LAN]; and d. Determines the permitted [e.g., user cannot select Apples if user selected Unclassified] for each of the established security attributes. Example implementation for a system where all users are formally accessed to all information: a) attributes (clearance, access, PII, etc.) are identified in the headers/footers, paragraph markings, or in the filename; b) files are saved with these attributes; c) and d) see organization-defined values in example (c and d) above.The organization:Provides the means to associate classification and Program caveats based on the Program SCG with information in storage, in process, and/or in transmission
Click here to enter text.
Ensures that the security attribute associations are made and retained with the information
Click here to enter text.
Establishes the permitted attributes (e.g., classification level, accesses, and handling caveat) IAW the SCG for SAR IS
Click here to enter text.
Determines the permitted values for each of the established security attributes
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
17
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.13.1 AC-16(5) – Security Attributes: Attribute Displays for Output Devices (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling, or distribution instructions using human-readable, standard naming conventions.Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.13.2 AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization allows personnel to associate, and maintain the association of the appropriate level of classification, access and/or handling caveats associated with files they create in accordance with the SCG or locally defined security policies. For example, The organization allows the user to select and manage the appropriate classification, access, handling caveats for files (e.g., document, email, image, folder) they create in accordance with SCG or locally defined security policies.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.13.3 AC-16(7) – Security Attributes: Consistent Attribute Interpretation (+ Classified Overlay) (- Standalone Overlay) – NEW
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
18
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.14 AC-17 – Remote Access (- Standalone & CRN Overlay)After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks (CRN).
Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
In most cases within the Community, access to an extension of an information system at an external location is not considered remote access. For the purpose of this control, system/network administration within the authorization boundary of the system, regardless of physical location, is not considered remote access. All remote access must be approved by the DAO.The organization:
Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed
Click here to enter text.
Authorizes remote access to the information system prior to allowing such connections
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.14.1 AC-17(1) – Remote Access: Automated Monitoring/Control (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system monitors and controls remote access methods. All remote sessions and user activity shall be audited. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.14.2 AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
19
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. This control is considered an NSS best practice.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.14.3 AC-17(3) - Remote Access: Managed Access Control Points (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
All remote accesses shall be routed through a limited number of managed access control points (e.g., via an organizationally managed remote access server, such as a Citrix Server). This control is considered an NSS best practice.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.14.4 AC-17(4) – Remote Access: Privileged Commands/Access (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization: Authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs; and Documents the rationale for such access in the security plan for the information system. This control is considered an NSS best practice.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
20
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.14.5 AC-17(6) – Remote Access: Protection of Information (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.Recommended Continuous Monitoring Frequency: Weekly Program Frequency:
Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. This control is considered an NSS best practice.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.14.6 AC-17(7) – Remote Access: Additional Protection for Security Function Areas WITHDRAWN Incorporated Into AC-3(10)
10.2.14.7 AC-17(8) – Remote Access: Disable Nonsecure Network Protocols WITHDRAWN Incorporated Into CM-7
10.2.14.8 AC-17(9) – Remote Access: Disconnect/Disable Access (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Weekly Program Frequency:
Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization provides the capability to expeditiously disconnect or disable remote access to the information system no later than one hour after notification, 30 minutes of identification of an event or inactivity for low confidentiality or integrity impact; 20 minutes for moderate confidentiality or integrity impact; or 10 minutes for high confidentiality or integrity impact.
Termination of the session shall be verified.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.15 AC-18 – Wireless Access (+ Classified Overlay) (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring:
21
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
This control applies even if no wireless is authorized in the facility. For example: wireless is prohibited and implementation guidance should include that users are instructed/reminded during initial and annual refresher training that wireless access and wireless devices are prohibited [AC-18.a].In certain situations, wireless signals may radiate beyond the confines and control of organization-controlled facilities. As a result, wireless technologies are generally prohibited from use in facilities. Exceptions may include wireless devices without memory that convey no meaningful data (e.g., personal wearable devices, remote control devices for audio/visual presentations and IR and Bluetooth mice). Any exceptions shall be documented and approved by the AO [AC-18.b] to include limiting wireless capabilities within the facility boundary.The risks associated with personally-owned wireless technologies used in medical devices must also be assessed. The ISSM/ISSO will work in concert with the AO, as appropriate, to allow necessary medical devices to the greatest extent possible, yet within the acceptable risk envelope as determined by the AO in coordination with the Information System Owner. Legal Counsel must be contacted prior to non-approval of any medical device.The organization:
Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access
Click here to enter text.
Authorizes wireless access to the information system prior to allowing such connections
Click here to enter text.
Proactively monitor for unauthorized wireless connections, including scanning for unauthorized wireless points at least quarterly
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.15.1 AC-18(1) – Wireless Access: Authentication & Encryption (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
If applicable, the information system protects wireless access to the system using authentication of both users and devices, as appropriate, and encryption. This control is considered an NSS best practice.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
22
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.15.2 AC-18(2) – Wireless Access: Monitoring Unauthorized Connections WITHDRAWN Incorporated Into SI-4
10.2.15.3 AC-18(3) – Wireless Access: Disable Wireless Networking (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. Document and ensure wireless is disabled or removed from devices entering the facility, e.g., smart televisions, portable electronic devices, printers.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.15.4 AC-18(4) – Wireless Access: Restrict Configurations by Users (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. General users shall be restricted from configuring wireless networking capabilities. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.16 AC-19 – Access Control for Mobile Devices (+ Classified)This MLL baseline control is also required by the classified Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the implementation of this control.Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
23
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Common System Specific Hybrid (Common and System Specific)
The organization:
Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices
Click here to enter text.
Authorizes the connection of mobile devices to organizational information systems
Click here to enter text.
CONTINUOUS MONITORING STRATEGY
10.2.16.1 AC-19(1) – Access Control for Mobile Devices: Use of Writable/Portable Storage Devices WITHDRAWN Incorporated Into MP-7
10.2.16.2 AC-19(2) – Access Control for Mobile Devices: Use of Personally-Owned Portable Storage Devices WITHDRAWN Incorporated Into MP-7
10.2.16.3 AC-19(3) – Access Control for Mobile Devices: Use of Portable Storage Devices with No Identifiable Owner WITHDRAWN Incorporated Into MP-7
10.2.16.4 AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption (+ Privacy Overlay) – NEW BASELINE
This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the implementation of this control.
Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Where appropriate, the organization employs encryption INSA or DoD approved) to protect the confidentiality and integrity of information on all mobile devices authorized to connect to the organization’s IS. PEDs that contain classified or controlled unclassified information (CUI) information must be encrypted with a National Security Agency (NSA) or DoD-approved encryption standard.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.17 AC-20 – Use of External Information Systems (+ Classified)This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit information. The control description must include the means by which the organization addresses the implementation of this control.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.Choose an item.Implementation Status:
Implemented PlannedOrganizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
24
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.An external information system may be a standalone or an interconnected system/service. Providers of external information systems should provide the ISSM with an external information system memorandum of understanding (MOU) (e.g., no exchange of resources), or memorandum of agreement (e.g., exchange of resources such as personnel, services, funds), as well as SOP and ATO or approval letter. An external information system MOU/MOA includes information such as the ATO date if applicable, technical concerns (e.g., wireless (Bluetooth, etc.), cameras are turned off, microphones are disabled), resources required (e.g., personnel), and additional system information as required (e.g., classified vs. corporate system). Ensure a co-utilization agreement (CUA) is in place for the facility, if applicable.In those cases where the external system connects to the system, ensure an approved connection agreement is in place with the organization hosting the external information system. This may be accomplished via the establishment of an approved ISA or MOA. [AC- 20(1)(a)]For Support Systems (e.g., card readers, alarm systems) reference PE-2 guidance. Prior to allowing corporate unclassified systems and ISSM/ISSO in coordination with corporate IT ensures endpoint security is appropriately hardened/configured, e.g., wireless and microphones are disabled prior to approving entry.The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:Access the information system from external information systems
Click here to enter text.
Process, store, or transmit organization-controlled information using external information systems
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.17.1 AC-20(1) – Use of External Information Systems: Limits on Authorized Use (+ Classified) (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks. This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the privacy-related implementation of this control.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Authorized individuals are only permitted to use an interconnected External Information System to access the organization’s information systems or to process, store, or transmit organization-controlled information when an approved connection agreement is in place with the organization hosting the External Information System. This may be accomplished via the establishment of an approved ISA. If the interconnecting systems have the same AO, an ISA is not required. This control supports insider threat mitigation.
The organization permits authorized individuals to use an interconnected external information system or to process store or transmit organizational-controlled information only when the organization:
Verifies the implementation of required security controls on the external system as specified in the organizations information security policy and security plan or…
Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
Click here to enter text.
25
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.17.2 AC-20(2) – Use of External Information Systems: Portable Storage Devices (+ Classified Overlay)
After a relevance determination, this control can be tailored out for closed restricted networks, but must be considered as part of the Classified Overlay.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall limit the use of organization-controlled portable/removable storage media by authorized individuals on External Information Systems. DAO approval is required. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.17.3 AC-20(3) – Use of External Information Systems/Non-Organizationally Owned Systems-Components-Devices (+ Classified) – NEW BASELINE
This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the implementation of this control.Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information, unless specifically approved by the AO/DAO.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.17.4 AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices (+ Classified Overlay) (- Standalone Overlay) – NEW
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below)
26
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Network accessible storage devices in external information systems include, for example, online storage devices in public, hybrid, or community cloud-based systems. The organization prohibits the use of fined network accessible storage devices in external information systems, unless specifically approved by the AO/DAO.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.18 AC-21 – Information Sharing This MLL baseline control .Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
A sharing partner may be an individual or group on the IS, or external to the IS, e.g., sharing is being done in a circumstance where the IS cannot enforce appropriate sharing controls, e.g., VTCs, phone conversations, and fax transmittals. The organization will use an approved mechanism to ensure informed security decisions are made, preventing inadvertent disclosures.
The organization:
Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information
Click here to enter text.
Employs automated or manual review process to assist users in making information sharing/ collaboration decisions
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.19 AC-22 – Publicly Accessible Content)(- Standalone & CRN Overlay)After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
27
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
From an organizational perspective this is a common control. Typically, this control is addressed by a Public Affairs Office or similar entity. Information protected under the Privacy Act and vendor proprietary information are examples of nonpublic information, as is classified information. The information to be posted must be reviewed by the appropriate organizational element (e.g., Special Security Office (SSO), Foreign Disclosure Office (FDO), Legal, Public Affairs) prior to being posted on the organization’s information system. [AC-22.c] [AC-22.d] Unauthorized information, if discovered, shall be removed immediately from the publicly accessible information system and reported and information owner. Reference IR-6.The organization:
Designates individuals authorized to post information onto a publicly accessible information system
Click here to enter text.
Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information
Click here to enter text.
Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included
Click here to enter text.
Reviews the content on the publicly accessible information system for nonpublic information at least quarterly, thereafter, or as new information is posted and removes as required.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.20 AC-23 – Data Mining Protection (+ Classified) (- Standalone Overlay) – NEW BASELINE
This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the implementation of this control.After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs data mining prevention and detection for Program information to adequately detect and protect against data mining.
Data mining prevention and protection techniques include limiting responses provided to queries and notifying responsible personnel when an unauthorized or atypical access attempt occurs.
Click here to enter text.
28
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
29
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.3 AWARENESS AND TRAINING (AT)10.3.1 AT-1 – Security Awareness & Training Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
a. Develops, documents, and disseminates to all personnel
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy every 5 years; and
2. Security awareness and training procedures at least annually.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.3.2 AT-2 – Security Awareness (+ Classified)This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the implementation of this control .Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organizations shall provide basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and at least annually thereafter.Security awareness training will be conducted: (a) During in-processing; (b) Site specific information will be briefed based on the mission and requirements of the job and Upon receipt of a USERID and password. The Privileged User, ISSM or their alternate will brief the user on his/her IA responsibilities; (c) Awareness Refresher Training. Classroom, briefings, computer-based training, or seminars will be used and documented to ensure all users comply with IA training requirements; (d)Refresher training and awareness may also be delivered periodically through staff meetings, online delivery systems, or similar venues, and documented in accordance with Security Training Records. [AT-4]; (e) As required, due to policy or
30
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
regulatory violations. See also [IR-4].
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.3.2.1 AT-2(2) – Security Awareness: Insider Threat (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. These can include behaviors such as job dissatisfaction, unexplained financial resources, consistent violations of organizational policies, etc. Carnegie Mellon Software Engineering Institute has been conducting research on insider threat indicators for several years. Additional information on insider threat indicators can be found at: http://www.cert.org/insider-threat/.Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.3.3 AT-3 – Role-Based Security Training
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties as part of initial training for
new users; When required by information system changes; and at least annually thereafter.
All users shall receive initial and at least annual General User training, while users assigned to positions requiring privileged access shall receive, in addition, Privileged User training.See the DAA PM for specific content requirements for General and Privileged User Training, as well as the minimum requirements for Assured File Transfer (AFT)/Trusted Download Training.Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
31
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.3.3.1 AT-3(2) – Security Training: Physical Security ControlsRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
As appropriate, the organization provides ISSOs with initial and annual training in the employment and operation of physical security mechanisms or when sufficient changes are made to physical security systems. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.3.3.2 AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization provides training to its personnel on indicators in order to recognize of suspicious communications and/or anomalous system behavior (e.g., receiving a suspicious email, an unexpected web communication, etc.).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.3.4 AT-4 – Security Training Records
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Training records shall contain, at a minimum, the following elements:User nameName of trainingDate of training (initial and refresher)Type of training (classroom, one-on-one, online CBT, briefing, etc.)
32
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Initial training records must contain legal signatures, or FIPS 140-2-compliant digital signatures, of users who received the training. Refresher training may be documented through user-initialed attendance rosters, e-mail acknowledgments, USERIDs captured through online content delivery systems, or other similar user acknowledgments. In addition, organizations shall maintain training records.The organization:
Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training
Click here to enter text.
Retains individual training records for at least five (5) years
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.3.5 AT-5 – Contacts with Security Groups and Associations WITHDRAWN Incorporated into PM-5
33
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4 AUDIT AND ACCOUNTABILITY (AU)10.4.1 AU-1 – Audit and Accountability Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.Choose an item.Implementation Status:
Implemented PlannedOrganizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Control: The organization:
a. Develops, documents, and disseminates to ISSO, ISSM, FSO and designated users and auditing personnel.
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy at least annually; and
2. Audit and accountability procedures at least annually.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.2 AU-2 – Auditable Events The information system must be capable of auditing the following events at a minimum:
Auditable Events Success Failure1 Authentication Events to include Logons and Logoffs X X2 Security relevant directories, objects and incidents (e.g. Security Accounts Manager (SAM)
file, audit records, etc.) to include create, access, delete, modify, permission modification, ownership modification.
X X
3 Export/Writes/Downloads to devices/digital media (e.g., CD/DVD, USB, SD) X X4 Imports/Uploads from devices/digital media (e.g., CD/DVD, USB, SD) X5 User and Group Management Events, to include user add, delete, modify, disable, lock and
group/role add, delete, modifyX X
6 Use of Privileged/Special Rights events to include security or audit policy changes and configuration changes
X X
7 Admin or root-level access X X8 Privilege/Role escalation X X9 Audit and security relevant log data access X X10 System reboot, restart and shut down X X11 Print to a device X X12 Print to a file X X
34
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Auditable Events Success Failure13 Application (e.g., Adobe, Firefox, MS Office Suite) initialization X X
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
Determines that the information system is capable at a minimum of auditing the required events (see table above)
Click here to enter text.
Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events
Click here to enter text.
Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents
Click here to enter text.
Determines that the following events are to be audited within the information system. The organization should match the audited events with the Gold Master (AGM).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.2.1 AU-2(3) – Auditable Events: Reviews and UpdatesRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The Organization reviews and updates the audit events annually and based on situational awareness of threats and vulernabilities. The auditable events baseline list, as defined in the tables above, shall be reviewed annually or as policy and procedures dictate changes are required. The review shall include coordination with other organizational entities requiring audit-related information (e.g., Incident Response, Counterintelligence) to enhance mutual support and to help guide the selection of auditable events. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.2.2 AU-2(4) – Audit Events: Privileged Functions WITHDRAWN Incorporated Into AC-6(9)
35
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.3 AU-3 – Content of Audit Records
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.Specifically, audit records shall contain, at a minimum, the following content:
USERID Type of event/action Success or failure of event/action Date Time Terminal or workstation ID Entity that initiated event/action Entity that completed event/action Remote Access
If manual audit collection is approved by the AO, the audit records shall contain, at a minimum, the following content: Date Identification of the user Time the user logs on and off the system Function(s) performed Terminal or Workstation ID
Manual audit logs may be used to record the transmission of any data over a fax connected to a secure voice line (e.g., Secure Terminal Equipment (STE)). Reference DoDM 5205.07-V1, Enclosure 5, para 2.b. These logs will be maintained for one year and must include the following information:
Sender’s name, organization and telephone number Date and time of fax transmission Classification level of the information Recipient’s name, organization and telephone number
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.3.1 AU-3(1) – Content of Audit Records: Additional Audit InformationRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
36
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
The information system generates audit records containing the following additional information, such as
Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest.
Specifically, audit records shall contain, at a minimum, the following content:USERIDType of event/actionSuccess or failure of event/actionDateTimeTerminal or Workstation IDEntity that initiated event/actionEntity that completed event/actionRemote access
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.4 AU-4 – Audit Storage Capacity (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS with a single user.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization allocates audit record storage capacity in accordance with: community best practice and configures auditing to reduce the likelihood of such capacity being exceeded. Proper audit storage capacity is crucial to ensuring the ongoing logging of critical events. The information system must be configured to allocate sufficient log record storage capacity so that it will not become exhausted. See also AU-5(1).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.4.1 AU-4(1) – Audit Storage: Transfer to Alternate Storage (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
37
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system off-loads audit records based on organizational requirements onto a different system or media than the system being audited. Organizations should assign a frequency or threshold capacity when audit records are off-loaded. Related control: AU-9(2).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.5 AU-5 – Response to Audit Processing Failures (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS with a single user. Audit processing failures must be recorded in the audit log (second requirement below).Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
System should alert a system administrator and/or ISSM/ISSO. For IS that are not capable of providing a warning, procedures for a manual method must be documented.Tactical/deployable information systems may be developed without all the features and security controls of standard information systems. Audit requirements for these systems should be reviewed for mission impact. For example, failure of the audit process should not interfere with continued normal operation of a mission critical system.The information system:
Alerts designated organizational officials in the event of an audit processing failure
Click here to enter text.
Takes the following additional actions: at a minimum, record any audit processing failure in the audit log
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.5.1 AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with single users.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system provides a warning to ISSM and IA personnel immediately when allocated audit record storage
38
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
volume reaches [75 percent] of repository maximum audit record storage capacity. This control supports insider threat mitigation.
Auditing processing failures include, e.g. software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.6 AU-6 – Audit Review, Analysis and Reporting (+ Classified Overlay)Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The purpose of the review is to verify all pertinent activity is properly recorded and appropriate action has been taken to correct and report any identified problems. These reviews shall be documented in either an electronic or manual log. Organizationally defined personnel or roles may include ISO, ISSM.The organization:
Reviews and analyzes information system audit at least weekly, or as directed by the AO/DAO for indications of inappropriate or unusual activity
Click here to enter text.
Reports findings to ISO, ISSM and FSO Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.6.1 AU-6(1) – Audit Review, Analysis and Reporting: Process Integration (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems shall integrate and, to the extent possible, automate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
39
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.6.2 AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories - Standalone Overlay
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.6.3 AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.6.4 AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization integrates analysis of audit records with analysis of vulnerability scanning information; performance data; and/or information system monitoring information; and Program-defined data/information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.
Click here to enter text.
40
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.6.5 AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.6.6 AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization correlates information from nontechnical sources with audit information to enhance organization wide situational awareness.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.6.7 AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a
41
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
change in risk based on law enforcement information, intelligence information, or other credible source of information.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.7 AU-7 – Audit Reduction and Report Generation (+ Privacy Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the privacy-related implementation of this control.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system provides an audit reduction and report generation capability that:
Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents
Click here to enter text.
Does not alter the original content or time ordering of audit records
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.7.1 AU-7(1) – Audit Reduction and Report Generation: Automatic Processing (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS. Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system provides the capability to sort and search audit records for events of interest based on selectable event criteria.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
42
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.8 AU-8 – Time StampsRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system:
Uses internal system clocks to generate time stamps for audit records
Click here to enter text.
Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). Time stamps shall include both date and time.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.8.1 AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems shall synchronize internal information system clocks, at least every 24 hours, with an organization-defined time source, e.g. Domain Controller, US Naval Observatory time server. Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the organizationally defined granularity in AU-8.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.9 AU-9 – Protection of Audit Information (+ Privacy Overlay)This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the privacy-related implementation of this control.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
43
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems shall protect audit information and audit tools from unauthorized access, modification and deletion.
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information shall be handled and protected at the same security level of the information system from which it originated, until reviewed and a determination is made of the actual classification.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.9.1 AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with a single user.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall limit access to audit functionality to only a small subset of privileged users.
Where applicable, access shall be further restricted by distinguishing between privileged users with audit-related privileges and privileged users without audit-related privileges to improve audit integrity. Limiting the users with audit-related privileges helps to mitigate the risk of unauthorized access, modification, and deletion of audit information. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.9.2 AU-10(5) – Non-Repudiation: Digital Signatures (+Intelligence Overlay) – WITHDRAWN Incorporated into SI-7
10.4.10 AU-11 – Audit Record RetentionRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall retain audit records for a minimum of five (5) years for IS to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Click here to enter text.
44
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.10.1 AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs a retention technology to access audit records for the duration of the required retention period to ensure that long-term audit records generated by the information system can be retrieved.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.11 AU-12 – Audit Generation (+ Classified Overlay)Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system:
Provides audit record generation capability for the auditable events defined in AU-2 at all information system and network components;
Click here to enter text.
Allows designated personnel to select which auditable events are to be audited by specific components of the information system
Click here to enter text.
Generates audit records for the list of audited events with the content defined in Content of Audit Records
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.11.1 AU-12(1) Audit Generation: System-Wide/Time Correlated Audit Trail – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below)
45
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system compiles audit records from information systems auditable devices into a system-wide (logical or physical) audit trail that is time-correlated to within the tolerance defined in AU-8 and AU 12. The AU-12 (1) organization-defined IS components is a subset of the organization-defined components in AU-12 focused on correlated and centralizing specific audits.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.11.2 AU-12(3) – Audit Generation: Changes by Authorized Individuals – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system provides the capability for organization-defined individual to change the auditing to be performed on information system components based on organizational defined selectable event criteria.
The information system binds the identity of the information producer to the information and provides the means for authorized individuals to determine the identity of the producer of the information.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.12 AU-14 – Session Audit (+ Classified Overlay) – NEW BASELINERecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system provides the capability for authorized users to select a user session to capture/record or view/hear. Verify system is capable of performing session audits, but do not initiate without legal counsel and AO involvement. This control may be used to audit file transfers of DTAs.
Click here to enter text.
46
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.12.1 AU-14(1) – Session Audit: System Start-Up – NEW BASELINERecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system initiates session audits at system start-up.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.12.2 AU-14(2) – Session Audit: Capture/Record and Log Content – NEW BASELINERecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system provides the capability for authorized users to capture/record and log content related to a user session.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.12.3 AU-14(3) – Session Audit: Remote Viewing/Listening – NEW BASELINERecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.
Click here to enter text.
47
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.13 AU-16 – Cross-Organizational Training (+ Classified Overlay) – NEW Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs an ISA, SLA or MOA for coordinating audit content among external organizations when audit information is transmitted across organizational boundaries.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.13.1 AU-16(1) – Cross-Organizational Auditing: Identity Preservation (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.4.13.2 AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization provides cross-organizational audit information to specifically-identified organizations based on sharing agreements as identified in an ISA, SLA, or MOA.
Click here to enter text.
48
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
49
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.5 SECURITY ASSESSMENT AND AUTHORIZATION (CA)10.5.1 CA-1 – Security Assessment and Authorization Policies & ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Control: The organization:
a. Develops, documents, and disseminates to all personnel.
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy every 5 years and;
2. Security assessment and authorization procedures at least annually.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.2 CA-2 – Security Assessments
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
Develops a security assessment plan that describes the scope of the assessment including (1) security controls and control enhancements under assessment; (2) assessment procedures to be used to determine security control effectiveness; and (3) assessment environment, assessment team, and assessment roles and responsibilities
Security Assessment Plan is provided by DSS.
Assesses the security controls in the information system and its environment of operation at least annually, or as
Click here to enter text.
50
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
stipulated in the organization's continuous monitoring program to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements
Produces a security assessment report that documents the results of the assessment
Click here to enter text.
Provides the results of the security control assessment to the SCA and the DAO/DAO Rep and the ISSM/ISSO.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.2.1 CA-2(1) – Security Assessments: Independent Assessors (- Standalone Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs assessors or assessment teams with AO determined level of impartiality based on the risk assessment for the system to conduct security control assessments. Impartiality implies that the assessors are free from any perceived or actual conflicts of interest with respect to the developmental, operational, and/or management chain of command associated with the information system or to the determination of security control effectiveness. Security assessment services can be obtained from other elements within the organization or can be contracted to a public or private sector entity outside of the organization.
DSS is considered the Inpendent Assessor within NISP Implemenation of the RMF process.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.3 CA-3 – Information System Connections (+ Classified Overlay) (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall identify any connections of an information system to an external information system in the SSP and ensure connections from the information system to external information systems are authorized through the use of an ISA. An external information system is an information system or component that is outside the authorization boundary as defined in the SSP. (Reference AC-20.) If the interconnecting systems have the same AO, an ISA is not required.Organizations typically have no direct control over the security controls or security control effectiveness for these external systems or components. Organizations shall monitor all information system connections on an ongoing basis to verify enforcement of the security requirements. If the interconnecting systems have the same AO, an ISA is not required,
51
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
although one may still be beneficial.When a need arises to connect two different IS operating at different security classification levels, the connection is referred to as a cross domain connection. Any cross domain connection must be identified first to the Service or Agency Cross Domain Support Element (CDSE)The direct connection of any information system to an external network is prohibited. No direct connection means that an information system cannot connect to an external network without the use of an approved boundary protection device (e.g., firewall or cross domain device) that mediates the communication between the system and the network.The organization:
Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements
Click here to enter text.
Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated
Click here to enter text.
Reviews and updates Interconnection Security Agreements annually
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.3.1 CA-3(1) – Information System Connections: Unclassified National Security System Connections (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization prohibits the direct connection of a system processing to an external network without DAO approval and the use of approved boundary protection devices.
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.3.2 CA-3(2) – Information System Connections: Classified National Security System Connections (+ Classified Overlay) (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks .Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring:
52
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization prohibits the direct connection of a classified, national security system processing SAR to an external network without DAO approval and the use of approved boundary protection devices.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.3.3 CA-3(5) – Information System Connections: Restrictions on External Network Connections – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs deny-all, permit-by-exception policy for allowing all systems to connect to external information systems.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.4 CA-5 – Plan of Action & MilestonesRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
POA&Ms are the authoritative management tool used by the organization (including the AO, SCA) to detail specific program and system level security weaknesses, remediation needs, the resources required to implement the plan, and scheduled completion dates.The POA&M is initiated based on findings and recommendations from the SAR, or as a minimum, providing that information via the SAR to the ISO. The ISO shall describe the planned tasks for correcting weaknesses and addressing any residual findings. The POA&M shall identify:Tasks to be accomplished with a recommendation for completion either before or after information system implementation.Resources required to accomplish the tasks.Any milestones in meeting the tasks, to include percentage completed.Scheduled completion dates for the milestones.Status of tasks (completed, ongoing, delayed, planned)
53
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
The POA&M is used by the AO and SCA to monitor the progress in mitigating any findings. POA&M entries are required even when weaknesses or deficiencies found during the assessment are remediated prior to the submission of the authorization package to the AO. Once an authorization is issued with a POA&M, adjusting the approved milestones and scheduled completion dates is not allowed without coordination with AO. (NOTE: For Army, those weaknesses found during the assessment, but remediated on site, will be included in the SAR, but not the POA&M).The organization:
Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system
Click here to enter text.
Updates existing plan of action and milestones at least quarterly based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.5 CA-6 – Security Authorization . Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The ISSM is responsible for ensuring the submission of the Security Authorization Package to the SCA, who, in turn, submits the security authorization package to the AO. When security controls are provided to an organization by an external provider (e.g., through contracts, interagency agreements, lines of business arrangements, licensing agreements, and/or supply chain arrangements), the organization shall ensure the information needed by the AO to make a risk-based decision is made available by the control provider. The security authorization package will contain, at a minimum, the SSP (which includes the ConMon Strategy), the RAR, and POA&M. In addition, the Security Assessment Plan may be required by the AO. The complexity of the RAR and ConMon Strategy vary by system and environment. Guidance on the level of detail required is provided by the AO/SCA.For additional information on the requirements for reciprocity, see the DAA PM control description.The organization:
Assigns a senior-level executive or manager as the authorizing official for the information system.
This control falls under DSS cognizance
Ensures that the authorizing official authorizes the information system for processing before commencing operations
This control falls under DSS cognizance
Updates the security package if the organization and/or system is adequately covered by a continuous monitoring program the Security Authorization may be continuously updated: If not; at least every three (3) years, when significant security breaches occur,
This control falls under DSS cognizance
54
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
whenever there is a significant change to the system, or to the environment in which the system operates
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.6 CA-7 – Continuous Monitoring Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
Establishment of a IA controls and metrics to be monitored
Click here to enter text.
Establishment of monitoring frequency for each security control and frequency of assessments supporting such monitoring
Click here to enter text.
Ongoing security control assessments in accordance with the organizationally-defined security control monitoring frequency
Click here to enter text.
Ongoing security status monitoring of organization-defined metrics in accordance with the organizationally-defined security control monitoring frequency
Click here to enter text.
Correlation and analysis of security-related information generated by assessments and monitoring
Click here to enter text.
Response actions to address results of the analysis of security-related information
Reporting the security state of the organization and the information system to appropriate organizational officials at least annually, or whenever there is a significant change to the system or the environment in which the system operates
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.6.1 CA-7(1) – Continuous Monitoring: Independent Assessment (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
55
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
The organization employs assessors or assessment teams to perform an objective assessment to monitor the security controls in the information system on an ongoing basis.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.5.7 CA-9 – Internal System Connections – NEW BASELINERecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
Authorizes internal connections of information system components to the information system
Click here to enter text.
Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
56
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.6 CONFIGURATION MANAGEMENT (CM)10.6.1 CM-1 – Configuration Management Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization: a. Develops, documents, and disseminates to Authorized designated users: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; andb. Reviews and updates the current: 1. Configuration management policy [annually]; and 2. Configuration management procedures [annually].
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.2 CM-2 – Baseline ConfigurationRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations must develop, document, and maintain the current baseline configuration for all information systems under their purview to include, but not limited to, workstations, servers, network components and mobile devices.
A baseline configuration describes the approved configuration of an information system including all hardware (manufacturer, model and serial number or unique identifier), software (manufacturer, name, version number), and firmware components (manufacturer, name and version number), how various security controls are implemented, how the components are interconnected, and the physical and logical locations of each.
Click here to enter text.
57
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.2.1 CM-2(1) – Baseline Configuration: Reviews & UpdatesRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization reviews and updates the baseline configuration of the information system.:(a) At least annually;
(b) When required due to baseline configuration changes or as events dictate such as changes due to - Changes that modify the security structure; and
• Operating system changes (e.g., Windows XP to Windows 7).
• Major software version upgrades (e.g., Office 2007 to Office 2010).
• Addition to servers.
• Modification to system ports, protocols and services (PPS).
• Major vulnerabilities discovered after assessment and/or authorization.
• Changes to the confidentiality, integrity, or availability requirements (e.g., changing from a moderate impact level to high impact level).
• Changes in system encryption methods
• Changes in interconnections.
• Changes to operating environment (e.g. External information System introduces media capability; introduction of Voice over internet Protocol (IP) (VOIP) (classified or unclassified; foreign nationals move in next door, system is relocated).
• Significant increased threat increasing the organization/sites residual risk. Minor and non-security relevant hardware and software changes to information systems do not require assessment retesting. These upgrades require an administrative update to the SSP. Examples of changes that only require administrative updates include:
• Non-security relevant software version updates and/or upgrades.
• Addition of identical workstation type with approved image to an authorized system.
• Replacement of failed servers/system components with identical spares
• Replacement of hardware drives/tape back-up.
(c) As an integral part of information system component installations and upgrades.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
58
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.6.2.2 CM-2 (5) – Baseline Configuration: Authorized Software WITHDRAWN Incorporated Into CM-7
10.6.3 CM-3 – Configuration Change ControlRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The Organization must:
a. Determine the types of changes to the information system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Document configuration change decisions associated with the information system;
d. Implement approved configuration-controlled changes to the information system;
e. Retain records of configuration-controlled changes to the information system for the life of the system.
f. Audit and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinate and provide oversight for configuration change control activities through establishment of a group of individuals with the collective responsibility and authority to review and approve proposed changes to the IS that convenes as defined in the local SSP and when there is a significant change to the system or the environment in which the system operates. This could be a function overseen only by the ISSM and/or ISSO/AO.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.3.1 CM-3(4) – Configuration Change Control: Security RepresentativeRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires an information security representative to be a member of the change board. Usually, the ISSM or his/her designated representative shall serve as a voting member of the CCB, whether informal or formal. Since the ISSM is responsible for halting practices dangerous to security, the ISSM shall have authority to veto any proposed change he/she believes to be detrimental to security. In cases of disagreement, the change shall be postponed while the ISO or ISSM
59
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
contacts the AO’s office for resolution.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.3.2 CM-3(6) – Configuration Change Control: Cryptography Management (+ Classified Overlay) – NEW BASELINE
This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the privacy-related implementation of this control.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization ensures that cryptographic mechanisms (public key, private key, etc…)used to provide safeguarding of classified information from unauthorized access or modification is under configuration management policy
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.4 CM-4 – Security Impact Analysis)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.The organization must maintain records of analysis of changes to the information system.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.5 CM-5 – Access Restrictions for ChangeRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
60
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization defines documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
The organization permits only qualified and authorized individuals (Privileged) to access information systems for purposes of initiating changes, including upgrades and modifications. These access restrictions enforce configuration control to the information system.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.5.1 CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with a single user.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:(a) Limits developing/integrator privileges to change information system components (hardware,
software, and firmware) and system-related information within a production or operational environment; and
(b) Ensure the ISSM Reviews and reevaluates privileges at least annually.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.5.2 CM-5(6) – Access Restrictions for Change: Limit Library PrivilegesRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
The organization limits privileges to change software resident within software libraries.
61
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Where possible, organizations shall employ automated mechanisms to enforce access restrictions and support auditing of the enforcement actions. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.6 CM-6 – Configuration SettingsRecommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall monitor and control changes to the configuration settings. Any detected unauthorized security-relevant configuration changes to an information system must be documented and reported as a possible incident. See also the Incident Response family.The organization:
Establishes and documents configuration settings for information technology products employed within the information system using organizationally approved guides such as DoD SRGs, STIGs, NIST Security Configuration Checklists, Service specific guidance or NSA SCGs; if such a reference document is not available, the following are acceptable in descending order as available: (1) Commercially accepted practices (e.g., SANS) (2) Independent testing results (e.g., ICSA) or (3) Vendor literature that reflect the most restrictive mode consistent with operational requirements
Click here to enter text.
Implements the configuration settings Click here to enter text.
Identifies, documents, and approves any deviations from established configuration settings for all configurable IS components based on mission requirements
Click here to enter text.
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
62
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.6.6.1 CM-6(3) – Configuration Settings: Unauthorized Change Detection WITHDRAWN Incorporated Into SI-7
10.6.6.2 CM-6(4) – Configuration Settings: Conformance Demonstration WITHDRAWN Incorporated Into CM-4
10.6.7 CM-7 – Least FunctionalityRecommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization must:
a. Document in the security plan, essential capabilities which the information system must provide. The organization configures the information system to provide only those documented essential capabilities.
b. Prohibits or restricts the use of ports, protocols, and services using least functionality. Ports will be denied access by default, and allow access by exception as documented in the system security plan.
Click here to enter text.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.7.1 CM-7(1) – Least Functionality: Periodic Review (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization must:a. Reviews the information system annually to identify unnecessary and/or nonsecure functions, ports, protocols,
and services; and
b. Disables ports, protocols, and services within the information system deemed to be unnecessary (documented in the SSP CM-7)
Click here to enter text.
63
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.7.2 CM-7(2) – Least Functionality: Prevent Program Execution (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system prevents program execution by disabling or uninstalling unused/unnecessary operating system (OS) functionality, protocols, ports, and services, and limiting the software that can be installed and the functionality of that software. Systems prevent program execution from organizationally specific locations: (e.g., removable media, temporary directory, a shared network drive, etc.).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.7.3 CM-7(3) – Least Functionality: Registration Compliance (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall obtain and ensure compliance with the latest guidance regarding ports, protocols, and services. Organizations shall configure information systems and components to disable the capability for automatic execution of code (e.g. AutoRun, AutoPlay). This control supports insider threat mitigation.Supplemental Guidance: Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functions, ports, protocols, and services.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.7.4 CM-7(5) – Least Functionality: Authorized Software/Whitelisting – NEW BASELINERecommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below)
64
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:(a) Identifies develops and maintains an approved software list to execute on the information system.
Change to this list is managed within CM-3.
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs on a monthly basis.
The organization must maintain an audit trail of the review and update.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.8 CM-8 – Information System Component InventoryRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes a local hardware list providing as a minimum, type, make, model, quantity, serial number.
b. Reviews and updates the information system component inventory at least annually
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.8.1 CM-8(2) – Information System Component Inventory: Automated Maintenance (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring:
65
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.8.2 CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization must:
(a) Employ automated mechanisms continuously to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
(b) Take the following actions when unauthorized components are detected: Documents and implements a process to take action to disable network access by unauthorized software, hardware, and firmware components, isolate the components, and/or notify the ISSO and ISSM and others as the local organization deems appropriate. The organization must maintain an audit trail of actions taken upon detection of unauthorized software, hardware, and firmware components.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.9 CM-9 – Configuration Management PlanRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization develops, documents, and implements a configuration management plan for the information system that:
66
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Addresses roles, responsibilities, and configuration management processes and procedures
Click here to enter text.
Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items
Click here to enter text.
Defines the configuration items for the information system and places the configuration items under configuration management
Click here to enter text.
Protects the configuration management plan from unauthorized disclosure and modification
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.10 CM-10 – Software Usage Restrictions – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Software use within an environment can make licensing difficult, but system specific controls that are in place to ensure licensing is properly managed are required.The organization:
Uses software and associated documentation in accordance with contract agreements and copyright laws
Click here to enter text.
Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution
Click here to enter text.
Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for unauthorized distribution, display, performance, or reproduction of copyrighted work.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.10.1 CM-10(1) – Software Usage Restrictions: Open Source Software – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization establishes the following restrictions on the use of open source software:
67
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Open source software may only be used if specifically approved by the DAO and the organization meets all licensing issues associated with the software.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.11 CM-11 – User Installed Software – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
a. Establishes policies governing the installation of software by users (e.g. user agreements, CM Plan, etc.)
b. Define and document the methods employed to enforce the software installation policies
c. Monitors policy compliance monthly.
Click here to enter text.
Click here to enter text.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.6.11.1 CM-11(2) – User Installed Software: Prohibit Installation with Privileged Status – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS prohibits user installation of software without explicit privileged status.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
68
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.7 CONTINGENCY PLANNING (CP)10.7.1 CP-1 – Contingency Planning Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control. For additional information on the types of contingency plans, review the section in the DAA PM.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
1. Identify personnel responsible for Contingency Planning. This can be found in the approved System Security Plan. Contingency Planning Process and Procedures will be disseminated to appropriate personnel.
2. Create a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; (ODAA process manual and NIST 800-34 can be used as guidance) and Create procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
Click here to enter text.
Reviews and updates the current:
1.Contingency planning policy at least annually; and
2. Contingency planning procedures at least annually
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.7.2 CP-2 – Contingency Plan – Maybe tailorout based on contract requirements.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
69
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
The availability impact level drives the level of contingency required for the system. The Information System Contingency Plan (ISCP) may be either a separate document specific to the IS, included in the SSP, or may be incorporated into a broader site contingency plan, such as the Business Continuity Plan (BCP) or Continuity of Operations Plan (COOP). ISCP development is the responsibility of the ISO.A key step in developing an ISCP is to conduct a Business Impact Analysis (BIA). The BIA enables the organization to characterize the system components, supported mission/business functions, and interdependencies. The BIA purpose is to correlate the system with the critical mission/business processes and services provided, and based on that information, characterize the consequences of a disruption. The organization can use the BIA results to determine contingency planning requirements and priorities. Results from the BIA can also be incorporated into the analysis and strategy development efforts for the organization’s COOP, BCPs, and DRP. The depth of planning and degree of detail in an ISCP is dependent on the mission criticality of each system should the system become unavailable. A simple statement as to how long a system can remain unavailable before it impacts the mission is the basic foundation of a BIA. The mission owner or ISO determine to what lengths the ISSM/ISSO should go to ensure a contingency plan is in place, e.g., relocation of users/team/crew, hot backup, warm backup, backup media stored offsite, no additional measures beyond backing up the data.The plan must define and describe specific responsibilities of designated staff or positions to facilitate the recovery and/or continuity of essential system functions. The ISCP consists of a comprehensive description of all actions to be taken before, during, and after a disaster or emergency condition along with documented and tested procedures. The ISCP helps to ensure critical resources are available and facilitates the continuity of operations in an emergency situation.The organization Develops a contingency plan that:
Identifies essential missions and business functions and associated contingency requirements;
Click here to enter text.
Provides recovery objectives, restoration priorities, and metrics;
Addresses contingency roles, responsibilities, assigned individuals with contact information;
Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
Coordinates contingency planning activities with incident handling activities
Click here to enter text.
Is reviewed and approved by ISSM/FSO annually Click here to enter text.
Distributes copies of the contingency plan to all stakeholders identified in the contingency plan via an information sharing capability
Click here to enter text.
Coordinates contingency planning activities with incident handling activities;
70
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Reviews the contingency plan for the information system at least annually
Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation,execution, or testing;
Communicates contingency plan changes to stakeholders identified in the contingency plan; and
Click here to enter text.
Protects the contingency plan from unauthorized disclosure and modification
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.7.3 CP-3 – Contingency TrainingRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within 60 days of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. Annually or as defined in the contingency plan thereafter.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.7.4 CP-4 – Contingency Plan Testing and ExercisesRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
71
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Tests the contingency plan for the information system annually using full scale contingency plan testing or functional/tabletop exercises to determine the effectiveness of the plan and the organizational readiness to execute the plan.
Click here to enter text.
Documents and reviews the contingency plan test/exercise results,
Initiates the corrective actions, if needed.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.7.5 CP-7 – Alternate Processing Site (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
NOTE: CP-7 and CP-7(5) are normally only applicable for IS with an Availability Impact level of Moderate or High. The organization shall, as required:
Establish an alternate processing site including necessary agreements to permit the resumption of information system operations for essential mission/business functions. The organization will define the time period consistent with recovery time and recovery point objectives for essential mission/business functions to permit the transfer and redemption of organization-defined information system operations at an alternate processing site when the primary processing capabilities are unavailable.
Tailored out, low availability impact
Ensure that equipment and supplies required to resume operations are available at the alternate processing site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption
Tailored out, low availability impact
Ensure that the alternate processing site provides information security safeguards
Tailored out, low availability impact
72
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
equivalent to that of the primary site
Develop alternate processing site agreements (e.g., MOA/MOU) that contain priority-of-service provisions in accordance with the organization’s availability requirements
Tailored out, low availability impact
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.7.5.1 CP-7 (5) – Alternate Processing Site: Equivalent Information Security Safeguards WITHDRAWN Incorporated Into CP-7
10.7.6 CP-9 – Information System Backup Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The ISO shall develop backup plans for all information systems. Backup plans must be coordinated with the ISSM/ISSO and included in the ISCP. Backup plans should consider data-production rates and data-loss risks. The areas of risk that should be identified and planned for include, but are not limited to:
• Loss of power.• Loss of network connectivity.• Loss or corruption of data.• Facility disruptions, such as loss of air conditioning, fire, flooding, etc.
Backup procedures should reflect the risk from media loss. If a hard disk were damaged, lost or contaminated in some way, the disk backups, coupled with periodic incremental backups between full backups, would allow for the restoration of the data. “Active backups” should be maintained for disks that contain often-used applications.Backup information must be protected to ensure its confidentiality and integrity. Digital signatures and cryptographic hashes can be employed to protect the integrity of information system backups. Reference SC-13, Cryptographic Protection. An organizational assessment of risk guides the use of encryption for protecting backup information. Reference SC-28, Protection of Data at Rest.The organization:
Conducts backups of user-level information contained in the information system weekly
Click here to enter text.
Conducts backups of system-level information in the information system weekly
Click here to enter text.
Conduct backups of information system documentation including security-related documentation when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan.
Click here to enter text.
73
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Protects the confidentiality, integrity, and availability of backup information at storage locations
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.7.7 CP-10 – Information System Recovery and ReconstitutionRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures.Organizations shall ensure all backup and restoration hardware, firmware and software are adequately protected.The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
74
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.8 IDENTIFICATION AND AUTHENTICATION (IA)10.8.1 IA – 1 – Identification and Authentication Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
a. Develops, documents, and disseminates to all personnel:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy at least annually; and
2. Identification and authentication procedures at least annually.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.2 IA-2 – Identification and Authentication (Organizational Users) (+ Classified)
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
Identification is an act or process that presents an identifier to a system so the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others. Authentication is the act or process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an IS. Authentication of user
75
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof.Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). In addition to identifying and authenticating users at the information system level (i.e., at logon), identification and authentication mechanisms may be employed at the application level, when deemed necessary, to provide increased information security.Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). In addition to identifying and authenticating users at the information system level (i.e., at logon), identification and authentication mechanisms may be employed at the application level, when deemed necessary, to provide increased information security. In general, group accounts are prohibited. Users must be uniquely identified and authenticated, unless an exception has been documented in the SSP and approved by the AO, such as in the case of group accounts.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.2.1 IA-2(1) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (- Standalone Overlay)
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems shall implement multi-factor authentication for all network access to privileged accounts.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.2.2 IA-2(2) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems shall implement multi-factor authentication for all network access to non-privileged accounts.
Click here to enter text.
76
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.2.3 IA-2(3) – Identification and Authentication: Local Access to Privileged Accounts (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems shall implement multi-factor authentication for all local access to privileged accounts.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.2.4 IA-2(4) – Identification and Authentication: Local Access to Non-Privileged Accounts (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems shall implement multi-factor authentication for all local access to non-privileged accounts.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.2.5 IA-2(5) – Identification and Authentication: Group Authentication (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with a single user.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is
77
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
employed. Group authentication is discouraged for systems and must be approved by the AO. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.2.6 IA-2(8) – Identification and Authentication: Network Access to Privileged Accounts – Replay Resistant (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems shall implement multi-factor authentication and use replay-resistant authentication mechanisms for all network access to privileged accounts. An authentication process is resistant to replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols that use random or non-repeating values (nonces) or challenges and time synchronous or challenge-response one-time authenticators.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.2.7 IA-2(9) – Identification and Authentication (Organizational Users): Network Access to Non-Privileged Accounts – Replay Resistant (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
78
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.8.2.8 IA-2(11) – Identification and Authentication (Organizational Users): Remote Access-Separate Device (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets organization-defined strength of mechanism requirements.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.2.9 IA-2(12) – Identification and Authentication (Organizational Users): Acceptance of PIV Credentials (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system accepts and electronically verifies Personal Identity Verification (e.g., CAC) credentials.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.3 IA-3 – Device Identification and Authentication (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems shall uniquely identify and authenticate all types of devices before establishing a network connection. This includes, but is not limited to, servers, workstations, printers, routers, firewalls, VoIP telephones, video and VoIP (VVOIP), desktop video teleconference (VTC) devices, etc. This control supports insider threat mitigation.Device identification and authentication provides for unique identification and authentication of devices on a LAN and/or WAN by using, for example, Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP)
79
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
addresses or an organizational authentication solution such as Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol (EAP), Remote Authentication Dial In User Service (RADIUS) server with EAP-Transport Layer Security (TLS) authentication, or Kerberos.This control can be tailored out for standalone IS. Implementing this control ensures that un-authenticated devices, e.g., mobile devices and personal laptop computers, are not able to make a connection to an information system containing PII.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.3.1 IA-3(1) – Device Identification and Authentication: Cryptographic Bi-Directional Authentication (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system authenticates all types of devices before establishing a connection using bidirectional authentication that is cryptographically based. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections).
A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections). This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.3.2 IA-4 – Identifier Management
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Individual user identifiers (USERIDs) are used for identification of users on information systems, which shall be standardized (e.g., last name first initial, first.lastname) for each system. IA-2 addresses the use of unique identifiers.The organization manages information system identifiers by:
80
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Receiving authorization from appropriate personnel to assign an individual, group, role, or device identifier
Click here to enter text.
Selecting an identifier that identifies an individual, group, role, or device
Click here to enter text.
Assigning the identifier to the intended individual, group, role, or device
Click here to enter text.
Preventing reuse of identifiers Click here to enter text.
Disabling the identifier after a period not to exceed 90 days of inactivity [30 days for Army] for individuals, groups, or roles; not appropriate to define for device identifiers; e.g., media access control (MAC), IP addresses, or device unique token identifiers.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.3.3 IA-4(4) – Identifier Management: Identify User Status (- Standalone Overlay)
Recommended Continuous Monitoring Frequency: Semi-Annual
Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization manages individual identifiers by uniquely identifying each individual as a contractor, government (civilian, military), and/or foreign nationality as appropriate. Examples: john.smith.ctr, john.smith.civ, john.smith.ukCharacteristics identifying the status of individuals include, for example, contractors and foreign nationals. Identifying the status of individuals by specific characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.4 IA-5 – Authenticator ManagementRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Passwords must meet standards for strong passwords. Examples of situations that may require tailoring include, but are not limited to:
81
After a relevance determination, this control can be tailored out for standalone IS.
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
• The password mechanism does not support strong password requirements.• The password is one factor of an authorized, multifactor authentication means.• The password is used by a system process (as opposed to an interactive user session).
Shared (Group) Password [IA-5.a & .j] An account password shared among a group of users (i.e., group account) shall be specifically documented in the SSP and authorized for use by the AO or designee. If specifically authorized, shared account passwords must not knowingly be the same for any other account and shall be changed if a user leaves the group.The organization manages IS authenticators by:
Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator
Click here to enter text.
Establishing initial authenticator content for authenticators defined by the organization
Click here to enter text.
Ensuring that authenticators have sufficient strength of mechanism for their intended use
Click here to enter text.
Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators
Click here to enter text.
Changing default content of authenticators prior to information system installation
Click here to enter text.
Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators
Click here to enter text.
Changing/refreshing authenticators within a time period not to exceed 90 days for passwords; system defined time period for other authenticator types
Click here to enter text.
Protecting authenticator content from unauthorized disclosure and modification
Click here to enter text.
Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators
Click here to enter text.
Changing authenticators for group/role accounts when membership to those accounts changes
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.4.1 IA-5(1) – Authenticator Management: Password-Based AuthenticationRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS for password-based authentication:Enforces minimum password complexity for IS of at least 14 characters in length for non-privileged accounts and 15
82
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
characters in length for privileged accounts; contains a string of characters that does not include the user’s account name or full name; includes one or more characters from at least 3 of the following 4 classes: Uppercase, lowercase, numerical & special characters;Enforces at least a minimum of four changed characters;Stores and transmits only cryptographically-protected passwords;Enforces password minimum and maximum lifetime restrictions of at least 1 day lifetime minimum and 90 day lifetime maximum;Prohibits password reuse for a minimum of 24 password generations;Allows the use of a temporary password for system logons with an immediate change to a permanent password.
These password requirements are for English display language. Other display languages should use equivalent password strength requirements. Passwords shall not be stored on an information system in clear text. An authorized, non-reversible, encryption algorithm (e.g., hash algorithm) shall be used to transform a password into a format that may be stored in a password file for use during subsequent password-validation. Passwords and password files, when transmitted using electronic means, shall be encrypted using an authorized algorithm.An approved product vendor’s current password hashing algorithm is an authorized algorithm when used on a protected network. When possible, systems shall be configured to automatically notify the user of the requirement to change their password at least fourteen (l4) days before its expiration. The minimum age restriction does not apply to the initial change of a password, help desk password reset, or when compromise of a password is known or suspected.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.4.2 IA-5(2) – Authenticator Management: PKI-Based Authentication (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information systems that use PKI-based authentication shall (a) validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; (b) enforce authorized access to the corresponding private key; (c) Map the authenticated identity to account of the individual or group; and (d) Implement a local cache of revocation data to support path discovery and validation in cases of inability to access revocation information via the network.Organizations shall ensure that remote sessions for accessing information systems employ PKI certificates issued by a government-approved registration authority and are audited. If PKI is not feasible, security measures above and beyond standard bulk or session layer encryption shall be implemented (e.g., Secure Shell or VPN with blocking mode enabled) [AC-17(7)].
Control not required for NISP system.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
83
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.8.4.3 IA-5(4) – Authenticator Management: Automated Support for Password Strength Determination
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy requirements as defined in IA-5 (1).Passwords should be sufficiently strong to resist “password cracking” and other types of attacks intended to discover users’ passwords. Information resources should use automated password filters to verify that passwords are created consistent with this document. Automated tools should be accessible to assist users with checking password strengths and generating passwords. A password cracking method shall be used only with written AO authorization providing explicit direction for use during vulnerability testing. Only authorized personnel will have access to and use password cracking tools. Reference IA-5(1) (a) and (b) for password requirements.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.4.4 IA-5(7) – Authenticator Management: No Embedded Unencrypted Static Authenticators
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.4.5 IA-5(8) – Authenticator Management: Multiple Information System AccountsRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization implements precautions including advising users that they must not use the same password for any of the
84
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
following: Different systems with domains of differing classification levels; Access to different systems within one classification level (e.g., internal agency network and Intelink).; Different accounts with different privilege levels (e.g., user, administrator) to manage the risk of compromise due to individuals having accounts on multiple information systems.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.4.6 IA-5(11) – Authenticator Management: Hardware Token-Based Authentication – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system, for hardware token-based authentication, employs mechanisms that satisfy DoD CAC requirements.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.4.7 IA-5(13) – Authenticator Management: Expiration of Cached Authenticators (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system prohibits the use of cached authenticators after one (1) hour.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.4.8 IA-5(14) – Authenticator Management: Managing Content of PKI Trust Stores (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring:
85
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.5 IA-6 – Authenticator FeedbackRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.Information systems shall not display any password on a terminal, monitor, or printer when a user enters a password to gain access. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.6 IA-7 – Cryptographic Module Authentication
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. FIPS 140-2 validated cryptographic modules are often used to protect unclassified sensitive information in computer and telecommunication systems (including voice systems). Classified information systems use NSA-validated cryptographic modules.
Click here to enter text.
86
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.7 IA-8 – Identification and Authentication (Non-Organizational Users) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with single users. Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.7.1 IA-8(1) – Identification and Authentication (Non-Organizational Users): Acceptance of PIV Credentials from Other Agencies (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system accepts and electronically verifies Personal Identity Verification (PIV) (e.g., CAC) credentials from other DoD and/or federal agencies.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.7.2 IA-8(2) – Identification and Authentication (Non-Organizational Users): Acceptance of Third-Party Credentials (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system accepts only FICAM-approved third-party credentials.
87
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.7.3 IA-8(3) – Identification and Authentication (Non-Organizational Users): Use of FICAM Approved Products (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs only FICAM-approved information system components in Program IS to accept third-party credentials. NOTE: In lieu of FICAM-approved products, DoD shall use DoD-approved products.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.8.7.4 IA-8(4) - Identification and Authentication (Non-Organizational Users): Use of FICAM Issued Profiles (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS conforms to FICAM-issued profiles. NOTE: In lieu of FICAM-approved profiles, DoD shall use DoD-approved implementations.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
88
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.9 INCIDENT RESPONSE (IR)10.9.1 IR-1 – Incident Response Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.IA-8(4)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy at least annually; and
2. Incident response procedures at least annually.
Click here to enter text.
Click here to enter text.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.2 IR-2 – Incident Response Training
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Incident recognition and reporting training shall be included as part of both general and privileged user awareness training. See also Security Training [AT-3]. General users must be trained on what constitutes suspicious activity as it applies to the system, other users, and unauthorized individuals internal and external to the organization. General users must also know to whom and when to report suspicious activity and to keep discussions about potential incidents within the incident response chain of command.Privileged users should be trained in preserving the scene, preserving the data (volatile and nonvolatile), chain of custody, and reporting requirements. Privileged users frequently move from the containment phase to eradication compromising
89
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
data necessary in prosecuting a potentially criminal case. Privileged users must also know who to contact for assistance in responding to an incident, e.g., the organizations IA point of contact. Additional incident response related training may be required depending on the system, environment, and mission criticality.The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
Within 30 working days of assuming an incident response role or responsibility
Click here to enter text.
When required by information system changes Click here to enter text.
At least annually thereafter. Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.3 IR-3 – Incident Response Testing
10.9.3.1 IR-
3(2) – Incident Response Testing and Exercises: Coordination with Related Plans – NEW BASELINE
10.9.4 IR3-(2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS
10.9.5 IR-4 –
Incident Handling
90
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization tests the incident response capability for the information system at least annually using appropriate tests to determine the incident response effectiveness and documents the results.Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization coordinates incident response testing with organizational elements responsible for related plans.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Please enter facility specific Incident Response Info.The organization:
Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery
Click here to enter text.
Coordinates incident handling activities with contingency planning activities
Click here to enter text.
Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.5.1 IR-4(1) – Incident Handling: Automated Incident Handling ProcessesRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs automated mechanisms to support the incident handling process. While it is not cost effective for most organizations to maintain an online incident management system, such as Remedy, there are functions that can be automated to support the incident handling process. For instance mechanisms in support of identification or detection and analysis include:
System audit logs that capture unsuccessful attempts to log into the system, attempts to gain access to unauthorized folders/files, attempts to introduce unauthorized software or media.
Device audit logs. IDS, content filtering applications, etc.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.5.2 IR-4(3) – Incident Handling: Continuity of OperationsRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below)
91
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization identifies classes/categories as defined in CNSS_____ to define actions required in the event of an incident to ensure continuation of organizational missions and business functions.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.5.3 IR-4(4) – Incident Handling: Information CorrelationRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.5.4 IR-4(6) – Incident Handling: Insider Threats – Specific Capabilities – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization implements incident handling capability for insider threats.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.5.5 IR-4(7) – Incident Handling: Insider Threats – Intra-Organization Coordination – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring:
92
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization coordinates incident handling capability for insider threats across the Oversight Team.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.5.6 IR-4(8) – Incident Handling: Correlation with External Organization – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization coordinates with organizations whose data has been involved in an incident to correlate and share incident-related information to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.6 IR-5 – Incident Monitoring
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization tracks and documents information system security incidents.Collecting user statements of those involved in incidents with information systems is also required in order to completely document the details of an incident. While it is not cost effective for most organizations to maintain an online incident management system, there are functions that can be automated to support the incident handling process. For instance mechanisms in support of identification or detection and analysis include:
System audit logs that capture unsuccessful attempts to log into the system, attempts to gain access to unauthorized folders/files, attempts to introduce unauthorized software or media.
Device audit logs. IDS, content filtering applications, etc.
Click here to enter text.
93
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.7 IR-6 – Incident Reporting
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
In the case of a suspected incident, containment procedures must begin immediately. However, GCA/Confirmation of the classification of the information spilled is required promptly so decisions concerning scale of containment and eradication efforts can be scoped, e.g., data spilled onto another system tends to be (although not always) less critical than data spilled to an unclassified system.The ISSM/ISSO is responsible for reporting incidents to security as well as to the AO,. The ISSM/ISSO must also report the incident to the system DAO who in turn reports it to the AO. [IR-6.b] If an activity from another organization is involved, the Director of Security will provide proper notification to the organization.Initial/interim reporting should begin as soon as possible after knowledge of the incident and should continue until the incident is resolved.Organizations will continue to report until the incident is closed.
Requires personnel to report suspected security incidents to the organizational incident response capability within 24 hours .
Click here to enter text.
Reports security incident information to the appropriate agency IAW AR 380-381
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.7.1 IR-6(1) – Incident Reporting: Automated ReportingRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs automated mechanisms to assist in the reporting of security incidents.Differing types of automated mechanisms can meet the intent of IR-6(1) This mechanism may be a web-based form that is populated by the ISSM/ISSO alerting the appropriate individuals, or an email process that includes a preset distribution group to ensure all key individuals are alerted in the event of an incident, e.g., ISSM/ISSO, and other designaed personnel. Where a email distribution is used, the responder should be cautious unclassified information in the incident description in the initial report. The classified report shall be protected in accordance with the NISPOM requirements.
Click here to enter text.
94
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.7.2 IR-6(2) – Incident Reporting: Vulnerabilities Related to IncidentsRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
ISSM shall report all information system-related incidents to designated personnel providing the response determination, guidance to the site as needed. This provides an organization-wide awareness of incidents, a broader capability for identifying trends and vulnerabilities, and the potential to share information with other organizations in the community. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.8 IR-7 – Incident Response Assistance
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the IS for the handling and reporting of security incidents.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.8.1 IR-7(1) – Incident Response Assistance: Automation Support for Availability of Information
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
95
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Common System Specific Hybrid (Common and System Specific)
The organization employs automated mechanisms for increase the availability of incident response-related information and support. Automated mechanisms for incident response related information and support may be employed through a website, database, or other automated means.
This control is met using email.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.8.2 IR-7(2) – Incident Response Assistance: Coordination with External ProvidersRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The external providers for incident response for IS incidents are the. ISSM/ISSOs will provide local incident response team POCs to their POC. The names and contact information may be provided in the SSP. This control supports insider threat mitigation.
This control can be met using email.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.9 IR-8 – Incident Response Plan
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Each organization shall develop an incident response plan specific to the system, site, and/or installation as appropriate, which:
Provides a roadmap for implementing its incident response capability. Describes the structure and organization of the incident response capability. Provides a high-level approach for how the incident response capability fits into the overall Enterprise. Meets unique requirements related to mission, size, structure, and functions. Defines reportable incidents. Provides metrics for measuring the incident response capability. Defines the resources and management support needed to effectively maintain and mature the incident response
capability. Is reviewed and approved by the AO. Identifies how the organization will test (i.e. table-top, hot wash, etc.)
96
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Copies of the incident response plan shall be distributed to all personnel with a role or responsibility for implementing the plan. The incident response plan shall be reviewed at least annually (incorporating lessons learned from past incidents) and revised to address system/organizational changes or problems encountered during plan implementation, execution, or testing. Incident response plan changes shall be communicated to all personnel with a role or responsibility for implementing the plan not later than 30 days after the change is made. The incident response plan shall be protected from unauthorized disclosure and modification.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.10 IR-9 – Information Spillage Response (+ Classified Overlay) – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization responds to information spills by:
Identifying specific information involved in the information system contamination
Click here to enter text.
Alerting designed personnel of the information spill using a method of communication not associated with the spill
Click here to enter text.
Isolating the contamination information system or system component
Click here to enter text.
Eradicating the information from the contaminated information system or component
Click here to enter text.
Identifying other IS or system components that may have been subsequently contaminated
Click here to enter text.
Performing actions as required by AR 380-381 Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.10.1 IR-9(1) – Information Spillage Response: Responsible Personnel (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
97
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
The organization assigns personnel and associated roles with responsibility for responding to information spills.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.10.2 IR-9(2) – Information Spillage Response: Training (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization provides information spillage response training annually.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.10.3 IR-9(4) – Information Spillage Response: Exposure to Unauthorized Personnel (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs security safeguards for personnel exposed to information not within assigned access authorizations, such as making personnel aware of federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.9.11 IR-10 – Integrated Information Security Cell (+ Privacy Overlay) – NEW BASELINE
This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information. The control description must include the means by which the organization addresses the privacy-related implementation of this control.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring:
98
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization establishes an integrated team of forensic/malicious code analysts, tool developers and real time operations personnel.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
99
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.10 MAINTENANCE (MA)10.10.1 MA-1 – System Maintenance Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
10.10.2 MA-2 – Controlled Maintenance Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
IS are particularly vulnerable to security threats during maintenance activities. The level of risk is directly associated with the maintenance person’s clearance and access status. A maintenance person may be uncleared or may not be cleared to the level of classified information contained on the IS. Properly cleared personnel working in the area must maintain a high level of security awareness at all times during IS maintenance activities. Reference MA-5(1) for escort requirements.All maintenance activities should be performed on-site whenever possible. Removal of an IS or system components from a facility for maintenance or repairs requires approval coordination with the individual responsible for changes to the system, e.g., ISSM/ISSO and the individual who approves removal of equipment from the facility.Any maintenance changes that impact the security of the system shall receive a configuration management review and documentation update, as appropriate [MA-2.e]. See also [CM-3].Organizations shall record all information system repairs and maintenance activity in a maintenance log for the life of the IS and retain the log for a minimum of one (1) year after equipment decommissioning or disposal.The organization:
Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements
Click here to enter text.
Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location
Click here to enter text.
Requires that the ISSM/ISSO or designee explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs
Click here to enter text.
Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs
Click here to enter text.
Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions
Click here to enter text.
Includes date and time of maintenance, name of individual performing the maintenance, name of escort (if appropriate), a description of the maintenance performed, and a list of equipment removed or replaced to include ID numbers (if applicable) in organization maintenance records or maintenance log
Click here to enter text.
100
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.3 MA-3 – Maintenance ToolsRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization approves, controls, and monitors information system maintenance tools. Devices with transmit capability (e.g., IR, RF) shall remain outside the facility unless explicitly approved by the AO.Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.3.1 MA-3(1) – Maintenance Tools: Inspect Tools
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization inspects maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.3.2 MA-3(2) – Maintenance Tools: Inspect MediaRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization checks media containing diagnostic and test programs for malicious code before the media are used in an IS. If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.
Click here to enter text.
101
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.3.3 MA-3(3) – Maintenance Tools: Prevent Unauthorized Removal (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Media without write protection that is brought in for maintenance must remain within the facility and must be stored and controlled at the classification level of the highest IS to which the media was introduced. Prior to entering the facility, maintenance personnel must be advised that they will not be allowed to remove media from the facility. If deviation from this procedure is required under special circumstances, it must be documented locally for review and approval by the ISSM/ISSO.Each time the diagnostic test media is introduced into the facility it must undergo stringent integrity checks (e.g., virus scanning, checksum) prior to being used on the IS, and before leaving the facility, the media must be checked to assure that no classified information has been written on it. See also MP-5.Organizations are responsible for preventing the unauthorized removal of maintenance equipment from the facility. This can be accomplished by any of the following:
Verifying there is no organizational information contained on the equipment. Sanitizing or destroying the equipment. Retaining the equipment within the facility. Obtaining approval from the ISSM/ISSO explicitly authorizing removal of the equipment from the facility.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.4 MA-4 – Non-Local Maintenance (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network outside of the system’s accreditation boundary. Non-local includes devices shipped out for repair or online ‘remote’ maintenance.The organization:
Approves and monitors nonlocal maintenance and diagnostic activities
Click here to enter text.
102
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system
Click here to enter text.
Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions
Click here to enter text.
Maintains records for nonlocal maintenance and diagnostic activities
Click here to enter text.
Terminates session and network connections when nonlocal maintenance is completed
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.4.1 MA-4(1) – Non-Local Maintenance: Auditing and Review Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization audits nonlocal maintenance and diagnostic sessions and reviews the records of maintenance and diagnostic sessions at least quarterly.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.4.2 MA-4(3) – Non-Local Maintenance: Comparable Security/Sanitization (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
If non-local maintenance is required from a service or organization that does not provide the same level of security required for the IS being maintained, the system must be sanitized (see the Media Protection (MP) section) and placed in a standalone configuration prior to establishment of the remote connection. If the system cannot be sanitized (e.g., due to a system crash), non-local maintenance is not permitted.The organization:
Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
Removes the component to be serviced from the information system and prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from
103
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.4.3 MA-4(6) – Non-Local Maintenance: Cryptographic Protection (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS. Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. Strong identification and authentication techniques (i.e., two-factor authentication) shall be employed in the establishment of non-local maintenance and diagnostic sessions.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.4.4 MA-4(7) – Non-Local Maintenance: Remote Disconnect Verification (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS. Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system implements remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.5 MA-5 – Maintenance Personnel .Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
104
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
If appropriately cleared personnel are unavailable to perform maintenance, an uncleared or lower-cleared person may be employed provided a fully cleared, trained, and technically qualified escort monitors and records their activities in a maintenance log.The organization:
Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel
Click here to enter text.
Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations
Click here to enter text.
Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.5.1 MA-5(1) – Maintenance Personnel: Individuals without Appropriate Access (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization: Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not
U.S. citizens, that include the following requirements: Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are
escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
105
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.10.5.2 MA-5(2) – Maintenance Personnel: Security Clearances for Classified Systems
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Appropriately cleared personnel who perform maintenance or diagnostics on IS do not necessarily require an escort. Organizations are responsible for ensuring maintenance personnel are familiar with organizational security procedures to assure the proper security procedures are being followed.The organization ensures that personnel performing maintenance and diagnostic activities on an IS processing, storing, or transmitting classifying information possess security clearances and formal access approvals for at least the highest classification level and compartments on the IS.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.5.3 MA-5(3) – Maintenance Personnel: Citizenship Requirements for Classified Systems
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization ensures that personnel performing maintenance and diagnostic activities on an IS processing, storing, or transmitting classified information are U.S. citizens.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.10.5.4 MA-5(4) – Maintenance Personnel:
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization ensures that only cleared personnel are used to conduct maintenance and diagnostic activities on an IS
106
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
processing, storing, or transmitting classified information when the IS are jointly owned and that approvals are documents within MOAs.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
107
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.11 MEDIA PROTECTION (MP)10.11.1 MP-1 – Media Protection Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
10.11.2 MP-2 – Media Access (+ Classified)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization restricts access to all types of removable digital and non-digital media including, but not limited to, hard disks, floppy disks, zip drives, CDs, DVDs, thumb drives, pen drives, flash drives, and similar universal serial bus (USB) storage devices in accordance with the Insider Threat Mitigation Guidance. A Two-Person Integrity (TPI) Media Custodian will be designated in writing and will be responsible for implementing locally defined security measures, i.e. media sign-out logs, media accountability logs, etc.Where appropriate, all portable media with a moderate or high confidentiality rating shall be encrypted using either NSA approved.All digital media, and the use of such media, must be authorized by the designee, prior to being introduced. Organizations are required to ensure the local facility SOP defines personnel/roles and security measures used to control access to media (i.e. centralized safe, media sign-out logs, media accountability logs, entry/exit procedures, etc.). Maintain a list of authorized users and their respective authorized use privileges. Personally-owned thumb drives, CDs, and DVDs are prohibited from entering accredited facilities without approval.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.2.1 MP-2(2) – Media Access: Cryptographic Protection WITHDRAWN Incorporated Into SC-28
10.11.3 MP-3 – Media Marking (+ Classified)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
All information storage media must be appropriately marked and protected to prevent the loss of information through poor security procedures. Likewise, to prevent security compromises, all output products (to include printed material) must be appropriately marked and protected. Each user is ultimately responsible for the marking, handling, and storage of media and paper products within their assigned area of responsibility. In addition, security markings will be displayed on all servers, server cabinets, desktops/laptops, removable/external hard drives, monitors and printers. Thin clients must also be marked. In the case of multi-level devices the security marking shall reflect the highest classification level authorized to be processed.All IS storage media shall have external security markings clearly indicating the classification of the information. All
108
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
information storage media will be marked. [MP-3(a)] See the NISPOM for additional media marking information.The organization:
Marks IS media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information
Click here to enter text.
Exempts new, unused, factory-sealed media from marking as long as the media remains within the locked media cabinet or storage area
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.4 MP-4 – Media Storage (+ Classified).Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
All organizations must comply with the Insider Threat Mitigation guidance.Commercial software maintained within the facility by IT personnel and used to update systems or maintain proof of license or purchase may be handled separately from the facility tracking log or system. This media must be locked away in a separate container or cabinet and treated as unclassified provided the write protection or verification of closed session was verified by IT personnel once it was used in a classified computer system. Commercial media still in shrink-wrap may remain this way and be secured in the same cabinet as other commercial media.All media shall be accounted for under the direct management of the Top Secret Control Officer (TSCO).Each organization will audit information storage media accountability records for accuracy at least annually or as specified by the AO. The results of these audits shall be documented in an internal report to remain on file within the organization for at least one (1) year or one review cycle whichever is longer. Organizations must be able to demonstrate positive control and accounting of information storage media when reviewed by inspection authorities. Discrepancies shall be reported to the ISSM/ISSO for further reporting to the AO or designee, as required.The organization:
Physically controls and securely stores all digital media regardless of classification and/or non-digital media containing classified information within an area and/or contained approved for processing and storing media based on the classification of the information contained within the media
Click here to enter text.
Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.5 MP-5 – Media Transport (+ Classified)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
109
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Approved procedures shall be implemented to address mobile devices traveling to and returning from a location that the organization deems to be of significant risk. Information should be transported electronically whenever possible. When electronic transport is not possible, movement of all media shall be coordinated through the appropriate security personnel (ISSM/ISSO.) following approved procedures. [MP- 5(a)]Activities associated with the transport of media shall be documented by the organization. Appropriate entries in the organization’s media accounting system shall be made. [MP-5(b)]The organization:
Protects and controls all types of digital and non-digital media during transport outside of controlled areas using AO approved security measures, to include courier and digital media encryption
Click here to enter text.
Maintains accountability for information system media during transport outside of controlled areas
Click here to enter text.
Documents activities associated with the transport of information system media
Click here to enter text.
Restricts the activities associated with the transport of information system media to authorized personnel. Transport of media shall be restricted to an authorized custodian by means of a courier card\letter
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.5.1 MP-5(3) – Media Transport: Custodians (+ Classified Overlay) – NEW Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs an identified custodian during transport of information system media outside of controlled areas. Transport of media shall be restricted to an authorized custodian by means of a courier card/letter.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.5.2 MP-5(4) – Media Transport: Cryptographic Protection (+ Classified) .Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring:
110
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Cryptographic mechanisms during transport outside of controlled areas shall be either NSA approved or FIPS 140-2 compliant.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.6 MP-6 – Media Sanitization (+ Classified)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
See the DAA PM, MP-6, for additional sanitization requirements for specific types of media.The organization:
Sanitizes all digital and non-digital media prior to disposal, release out of organizational control or release for reuse IAW NSA/CSS PM 9-12 in accordance with applicable federal and organizational standards and policies
Click here to enter text.
Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.6.1 MP-6(1) – Media Sanitization: Review/Approve/Track/Document/Verify (+ Classified)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization reviews, approves, tracks, documents and verifies media sanitization and disposal actions.
111
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.6.2 MP-6(2) – Media Sanitization: Equipment Testing (+ Classified Overlay)Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization tests sanitization equipment and procedures at least annually to verify that the intended sanitization is being achieved.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.6.3 MP-6(3) – Media Sanitization: Non-Destructive Techniques (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the IS. The use of nondestructive sanitization techniques (e.g., not destroying the hard drive) are for initial sanitization of media prior to first use and not when the contents of the digital media require retention.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
112
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.11.6.4 MP-6(4) – Media Sanitization: Controlled Unclassified Information WITHDRAWN Incorporated Into MP-6
10.11.6.5 MP-6(5) – Media Sanitization: Classified Information WITHDRAWN Incorporated Into MP-6
10.11.6.6 MP-6(6) – Media Sanitization: Media Destruction WITHDRAWN Incorporated Into MP-6
10.11.7 MP-7 – Media Use (+ Classified Overlay) – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Using technical safeguards, the organization prohibits the use of certain types of media on IS; e.g., restricting the use of flash drives or external hard disk drives without the express authorization of the AO.Media Reuse. Certain types of electronic media that have been previously classified under one program may be reused by another program of the same classification level or higher (e.g., S//ABC hard disk is transferred to S//XYZ, or S//ABC hard disk is transferred to TS//LMNO). The individual types of media required for reuse must have specific procedures documented and approved by the system AO. Best practices for wiping magnetic media or SSD for reuse include: 1. One time overwrite utilizing a known pattern and an AO approved product, and then verifying that the overwrite was successful utilizing a hex editor tool from the first to last sector; or 2. Encrypt the whole media with an AO approved whole disk encryption (WDE) tool and then destroy the key. For any media type the spirit of the procedures must ensure any labels or evidence of the previous program has been removed prior to handoff to the gaining ISSM or Security Officer.Least Privilege [AC-6] and Separation of Duties [AC-5] are related controls and should be enforced to the maximum extent possible to prevent unauthorized removal of information from the system.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.7.1 MP-7(1) – Media Use: Prohibit Use without Owner – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
113
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.11.8 MP-8 – Media Downgrading (+ Classified Overlay) – NEWRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
Establishes a media downgrading process that includes employing downgrading mechanisms based on the classification of the media
Click here to enter text.
Ensures that the IS media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information
Click here to enter text.
Identifies the IS media requiring downgrading Click here to enter text.
Downgrades the identified IS media using the established process
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.8.1 MP-8(1) – Media Downgrading: Documentation of Process (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.8.2 MP-8(2) – Media Downgrading: Equipment Testing (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
114
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Common System Specific Hybrid (Common and System Specific)
The organization employs appropriate tests of downgrading equipment and procedures to verify correct performance at least annually.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.11.8.3 MP-8(4) – Media Downgrading: Classified Information (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization downgrades IS media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies. This control may only need to be addressed if a system downgrade or tech transfer is required, e.g., based on an authorized administrative information downgrade (classification/program levels) by an Original Classification Authority (OCA).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
115
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.12 PHYSICAL AND ENVIRONMENT PROTECTION (PE)10.12.1 PE-1 – Physical and Environmental Protection Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
10.12.2 PE-2 – Physical Access Authorizations Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. This control only applies to areas within facilities that have not been designated as publicly accessible. Ensure Support Systems are controlled within and managed by cleared individuals. Support Systems include card/badge creation systems, card reader systems, alarm systems, and music sound cover systems. These systems may be addressed in the Fixed Facility Checklist (FFC) or Facility SOP.The organization:
Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides
Click here to enter text.
Issues authorization credentials for facility access Click here to enter text.
Reviews the access list detailing authorized facility access by individuals [annually or as policy and procedures dictate changes are required
Click here to enter text.
Removes individuals from the facility access list when access is no longer required
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.2.1 PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization restricts unescorted access to the facility where the information system resides to personnel with security clearances and/or formal access approval as defined by the local security policy (i.e., Facility SOP).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
116
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.12.3 PE-3 – Physical Access Control
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
Enforces physical access authorizations by: Verifying individual access authorizations before granting access to the facility; and Controlling ingress/egress to the facility;
Click here to enter text.
Maintains physical access audit logs Click here to enter text.
Provides security safeguards to control access to areas within the facility officially designated as publicly accessible. Physical casings include for example, locking computer racks to protect mission critical servers, network routers, etc. As an alternative, these devices may be secured in a room (e.g., a server room) with access limited to privileged users.
Click here to enter text.
Escorts visitors and monitors visitor activity Click here to enter text.
Secures keys, combinations, and other physical access devices
Click here to enter text.
Inventories physical access devices within as required Click here to enter text.
Changes combinations and keys when first installed or used; if believed to have been subjected to compromise; and when considered necessary by the cognizant security authority (CSA) and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.3.1 PE-3(1) – Physical Access Control: Information System Access – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility for those areas where there is a concentration of IS components (e.g., server rooms, media storage areas, etc.)
117
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.3.2 PE-3(2) – Physical Access Control: Facility/Information System Boundaries (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization performs random security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.3.3 PE-3(3) – Physical Access Control: Continuous Guards/Alarms/Monitoring (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.4 PE-4 – Access Control for Transmission Medium (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
118
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Common System Specific Hybrid (Common and System Specific)
The organization controls physical access to information system distribution and transmission lines within organizational facilities. Security safeguards include locked wiring closets, disconnected or locked spare jacks, and protection of cabling by conduit or cable trays.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.5 PE-5 – Access Control for Output Devices .Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Output devices, such as printers and fax machines of differing security classifications, should not be placed in close proximity to one another. Fax machines shall be kept in a separate area from printers, since they are both input and output devices. If Foreign Nationals are, output devices of US-only systems must be under constant observation by cleared US personnel.
See the DAA PM for additional information on the use of KVM Switches.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.5.1 PE-5(3) – Access Control for Output Devices: Marking Output Devices (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization marks all output devices in facilities containing information systems that store, process or transmit classified information indicating the appropriate security marking of the information permitted to be output from the device.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
119
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.12.6 PE-6 – Monitoring Physical AccessRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents
Click here to enter text.
Reviews physical access logs at least every 90 days or as required by the and upon occurrence of physical access incidents
Click here to enter text.
Coordinates results of reviews and investigations with the organizational incident response capability
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.6.1 PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization monitors physical intrusion alarms and surveillance equipment.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.7 PE-7 – Visitor Control includes PE-7(1) – Visitor Control: Visitor Escort and PE-7(2) – Visitor Control: Visitor Identification – WITHDRAWN Incorporated into PE-2 and PE-3
10.12.8 PE-8 – Access RecordsRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
120
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
The organization:
Maintains visitor access records to the facility where the information system resides for the period required by NISPOM (at least 2 years).
Click here to enter text.
Reviews visitor access records at least every 90 days. Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.9 PE-12 – Emergency LightingRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs and maintains automatic emergency lighting for the IS that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.10 PE-13 – Fire ProtectionRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs and maintains fire suppression and detection devices/systems for the IS that are supported by an independent energy source. As described in DoDM 5205.07-V3 fire detection systems shall not be tied into the facility’s IDS. The fire suppression and detection devices/systems, with the exception of tactical environments, shall activate automatically and notify the organization and emergency responders in the event of a fire. Automatic fire suppression capability is required when the facility is not staffed on a continuous basis. Additionally, organizations shall ensure the facility undergoes, in accordance with local regulations, fire marshal inspections and promptly resolves identified deficiencies.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.11 PE-14 – Temperature and Humidity ControlsRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
121
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall maintain temperature and humidity levels within the facility where the information systems reside at acceptable levels, as defined by the organization, and shall continuously monitor these levels. In addition, organizations shall ensure that temperature and humidity controls with remote maintenance and testing (RMAT) capability are properly configured for use by disabling automatic or remote connection capability. When remote connection capability is required for central management of the HVAC system, it shall be identified on the FFC and approved by the CSA.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.12 PE-15 – Water Damage ProtectionRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization protects the information system from damage resulting from water leakage by providing master shutoff r isolation valves that are accessible, working properly, and known to key personnel. This control applies primarily to facilities containing concentrations of IS resources; for example, server rooms, data centers, etc.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.13 PE-16 – Delivery and RemovalRecommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization authorizes, monitors, and controls all IS components entering and exiting the facility and maintains records of those items.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
122
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.12.14 PE-17 – Alternate Work Site
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs management, operational and technical information system security controls at the alternate work site equivalent to those applicable to the primary work site. These security controls shall be assessed as feasible to determine the effectiveness of these controls. The alternate work site shall provide a means for employees to communicate with information security personnel in case of security incidents or problems.
An alternate work site has not been established.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.15 PE-19 – Information Leakage (+ Classified Overlay)Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization protects the information system from information leakage due to electromagnetic signals emanations. Information systems, peripherals, associated data communications, and networks (planned or installed) that may be used to process national security or security-related information may need to meet certain national TEMPEST policies and procedures. The objective is to minimize the risk of Foreign Intelligence Services (FIS) exploiting unintentional emanations from intelligence systems. TEMPEST is a short name referring to investigations and studies of compromising emanations. Please refere to CNSSI 7003.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.12.15.1 PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization ensures that IS component, associate data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the
123
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
information.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
124
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.13 PLANNING (PL)10.13.1 PL-1 – Security Planning Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
10.13.2 PL-2 – System Security Plan
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
System Security Plans (SSPs) shall be classified in accordance with the Program Security Classification Guide (SCG) and in order to minimize OPSEC indicators.The organization:
Develops a security plan for the IS that: Conforms to the SSP template as provided by the
ISSM Is consistent with the enterprise architecture. Explicitly defines the authorization boundary for the
system. Describes the operational context of the information
system in terms of missions and business processes. Describes the CONOPS for the information system
including, at a minimum, the purpose of the system and a description of the system architecture.
Provides the impact levels for Confidentiality, Integrity and Availability of the information system including supporting rationale.
Describes the functional architecture for the information system that identifies:
External interfaces, the information being exchanged across the interfaces, and the protection mechanisms associated with each interface.
User roles and the access privileges assigned to each role.
Unique security requirements. Types of information processed, stored, or
transmitted by the information system and any specific protection needs in accordance with applicable federal laws, EOs, directives, policies, regulations, standards, and guidance (to include any unique requirements of the Information Owner/Steward).
Restoration priority of information or information system services.
Describes the operational environment for the information system.
Describes relationships with or connections to other information systems, include ISAs and ATCs, as applicable.
Click here to enter text.
125
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Identifies the security requirements for the information system, as captured in the SCTM. See Appendix C for guidance on SCTM creation.
Identifies controls tailored in or tailored out by the AO.
Identifies any exceptions, which denotes a control or part of a control that is not met and is an accepted risk by the AO. Exceptions should also be captured on the POA&M unless otherwise directed by the AO.
Identifies the type of control (common, system specific, or hybrid) and describes how the security controls are implemented or planned to be implemented including a rationale for any tailoring and supplementation decisions
Identifies the controls tailored out/in/modified as approved by the DAO
Identifies any exceptions; i.e., a control or part of a control that is not or cannot be met and is an accepted risk by the DAO. Exceptions shall also be included in the POA&M.
Approved by the DAO ICW the SCA prior to the plan implementation
Distributes copies of the plan and communicates subsequent changes to the plan to all required stakeholders, to include the DAO
Reviews the security plan at least annually or when required due to system changes or modifications
Updates the plan to address changes to the IS/operations environment or problems identified during plan implementation or security control assessments
Protects the security plan from unauthorized disclosure and modification
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.13.2.1 PL-2(3) – System Security Plan: Coordinate with Organization Entities – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization plans and coordinates security-related activities affecting the IS with all relevant organizations or groups before conducting such activities in order to reduce the impact on other organizational entities.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
126
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.13.3 PL-4 – Rules of Behavior
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Rules of Behavior are addressed as part of user security awareness and training. See Security Training [AT-3]. Signed acknowledgement of the rules of behavior is covered via user access agreements. See User Agreements [PS-6]. The rules of behavior are also referred to as the Acceptable Use Policy (AUP). See the DAA PM for a list of the minimum responsibilities of a General User.The organization:Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage
Click here to enter text.
Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system
Click here to enter text.
Reviews and updates the rules of behavior at least annually
Click here to enter text.
Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.13.3.1 PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
127
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.13.4 PL-5 – Privacy Impact Assessment – WITHDRAWN Incorporated into Appendix J, AR-2
10.13.5 PL-6 – Security-Related Activity Planning – WITHDRAWN Incorporated into PL-2
10.13.6 PL-8 – Information Security Architecture– NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
This control can be met through detailed descriptions in the SSP of the system overview, system environment, facility diagram, network architecture, system diagram, and system connectivity.The organization:Develops an information security architecture for the IS that: describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity and availability of organizational information; describes how the IS architecture is integrated into and supports the enterprise architecture; and describes any information security assumptions about, and dependencies on, external services
Click here to enter text.
Reviews and updates the information security at least annually or when changes to the IS or its environment warrant to reflect updates in the enterprise architecture
Click here to enter text.
Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS) (if appropriate), and organizational procurements/acquisitions
Click here to enter text.
Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.13.6.1 PL-8(1) – Information Security Architecture: Defense in Depth – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization designs its security architecture using a defense in depth approach that allocates security safeguards based on security impact to Program IS; and ensures that the allocated security safeguards operate in a coordinated and
128
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
mutually reinforcing manner.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.13.6.2 PL-8(2) – Information Security Architecture: Supplier Diversity – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires that equipment and services to meet the security safeguards based on security impact to Program IS and its operational environment are obtained from different suppliers.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
129
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.14 PERSONNEL SECURITY (PS)10.14.1 PS-1 – Personnel Security Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
10.14.2 PS-2 – Position Categorization
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Access to individual Programs will be managed IAW NISPOM). Positions will be reviewed annually or as policy and procedures dictate changes are required.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.14.3 PS-3 – Personnel Screening
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall ensure that every user accessing an IS processing, storing, or transmitting types of classified information which require formal indoctrination, is formally indoctrinated for all information for which the user is authorized access.The organization:
Screens individuals prior to authorizing access to the information system
Click here to enter text.
Rescreens individuals according to personnel security guidelines defined
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.14.3.1 PS-3(1) – Personnel Screening: Classified Information (+ Classified Overlay)Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
130
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Common System Specific Hybrid (Common and System Specific)
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system. Reference DoDM 5205.07-V2.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.14.3.2 PS-3(3) – Personnel Screening: Information With Special Protection Measures (+ Privacy Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization ensures that individuals accessing an IS processing, storing or transmitting information requirement special protection: (a) have valid access authorizations that are demonstrated by assigned official government duties; and (b) satisfy any organizationally-required background screenings.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.14.4 PS-4 – Personnel Termination (+ Classified)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
When any system user (to include privileged and non-privileged users) leaves the organization due to employment termination (whether voluntary of involuntary) or retirement, the responsible for user account management must ensure all system accesses are removed. This includes notifying other organizations that may have granted system accesses (for example, collateral systems access, database access managed by another agency or organization, etc.). Notification of an employee’s termination is the responsibility of the organization. The organization must also ensure that information deemed to be of value is retained before the departing user’s accounts are archived and removed. The property custodian must retrieve any equipment issued to the departing individual, such as laptops or PEDs. The loss of security clearance or formal access approval (through de-briefing, suspension or revocation) requires immediate deactivation of all accounts associated with the individual.The organization, upon termination of an individual:Disables information system access within 24 hours Click here to enter text.
Terminates/revokes any authenticators/credentials associated with the individual
Click here to enter text.
131
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Conducts exit interviews that include a discussion of any prohibitions regarding the information obtained during the employment
Click here to enter text.
Retrieves all security-related organizational information system-related property
Click here to enter text.
Retains access to organizational information and information systems formerly controlled by terminated individual
Click here to enter text.
Notifies the immediately upon termination Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.14.4.1 PS-4(1) – Personnel Termination: Post-Termination Requirements (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization (a) notified termination individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and (b) requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.14.5 PS-5 – Personnel Transfer
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Notify other organizations that may have granted system accesses (for example, collateral systems access, database access managed by another agency or organization) of the individual’s transfer or reassignment. Notification of an employee’s transfer or reassignment shall be documented as the responsibility of the employee’s supervisor or Human Resources. The property custodian must determine whether any equipment issued to the individual, such as laptops or PEDs, should be retrieved or transferred to another property account. Reference AC-2 for additional requirements.The organization, upon transfer of an individual:
Reviews and confirms any ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the
Click here to enter text.
132
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
organization
Initiates reassignment actions to ensure all system access no longer required (need to know) are removed or disabled within 10 working days
Click here to enter text.
Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer
Click here to enter text.
Notifies the ISSM as soon as possible Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.14.6 PS-6 – Access Agreements
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
All users are required to read and sign a Standard Mandatory Notice and Consent provision for all IS, (i.e., General User Access Agreement and Acknowledgement of Responsibilities) prior to being granted access to information systems. In addition, privileged users are required to read and sign a Privileged User Access Agreement and acknowledgement of Responsibilities prior to being granted elevated privileges to IS and applications. These agreements must be reviewed and updated upon account creation, user transfer or user termination. Organizations may add additional requirements to the agreement provided they do not conflict with the official verbiage. See Account Management [AC-2] for additional information on user roles and responsibilities.
The User Access Agreement shall be retained by the ISSM for a minimum of two (2) years after access is removed. Organizations shall ensure that access to any information with special protection measures is granted only to individuals who:
• Have a valid access authorization that is demonstrated by assigned official government duties.• Satisfy associated personnel security criteria consistent with applicable federal laws, EOs, directives, policies,
regulations, standards, and guidance.• Have read, understand, and signed a nondisclosure agreement (if applicable).
Information with special protection measures includes, for example, privacy information, proprietary information, and Sources and Methods Information (SAMI).The organization:
Develops and documents access agreements for organizational information systems
Click here to enter text.
Reviews and updates access agreements at least annually
Click here to enter text.
Ensures that individuals requiring access to organization information and IS: sign appropriate access agreements prior to being granted access; re-sign access agreements to maintain access to organization IS when access agreements have been update or at least annually
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
133
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.14.6.1 PS-6(1) – Access Agreements: Information Requiring Special Protection – WITHDRAWN Incorporated into PS-3
10.14.6.2 PS-6(2) – Access Agreements: Classified Information Requiring Special Protection (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization ensures that access to classified information requiring special protection is granted only to individuals who (a) have a valid access authorization that is demonstrated by assigned official government duties; (b) satisfy associated personnel security criteria; and (c) have read, understood, and signed a nondisclosure agreement.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.14.6.3 PS-6(3) – Access Agreements: Post-Employment Requirements (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization (a) notifies individuals of applicable, legally-binding post-employment requirements for protection of organizational information; (b) requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.14.7 PS-7 – Third-Party Personnel Security
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The term “third party” as it relates to personnel security and contracts is not frequently used in DoD. If a third-party situation seems to apply, contact the AO and/or contracting representative for clarification and guidance. For ARMY: ensure
134
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
DSS contacted if appropriate.The organization:
Establishes personnel security requirements including security roles and responsibilities for third-party providers
Click here to enter text.
Requires third-party providers to comply with personnel security policies and procedures established by the organization
Click here to enter text.
Documents personnel security requirements Click here to enter text.
Requires third-party providers to notify the organization of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges as soon as possible, but not to exceed 1 working day
Click here to enter text.
Monitors provider compliance Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.14.8 PS-8 - Personnel Sanctions Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
All instances where an individual fails to comply with established information security policies and procedures will be treated as security incidents .The organization:
Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures
Click here to enter text.
Notifies the appropriate organizations as soon as possible when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
135
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.15 RISK ASSESSMENT (RA)10.15.1 RA-1 – Risk Assessment Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
10.15.2 RA-2 – Security Categorization
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The ISSM shall work with Program in determining the appropriate security categorization as part of the initial preparatory actions prior to selecting and tailoring the security controls.The organization:
Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, and directives, policies, regulations, standards, and guidance
Click here to enter text.
Documents the security categorization results (including supporting rationale) in the SSP for the information system
Click here to enter text.
Ensures that the security categorization decision is reviewed by the SCA and approved by the AO/AO-Representative
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.15.3 RA-3 – Risk Assessment
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The Risk Assessment Report (RAR) is part of the required Body of Evidence (BoE) provided to the DAO as the basis of the authorization to operate decision. The RAR should be initiated prior to or during Step 1, Security Categorization.The organization:
Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits
Click here to enter text.
Documents risk assessment results in the Risk Click here to enter text.
136
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Assessment Report (RAR)
Reviews risk assessment results at least annually Click here to enter text.
Disseminates risk assessment results to the SCA for initial review and to the AO/AO-Representative for final approval
Click here to enter text.
Updates the risk assessment at least annually or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.15.4 RA-5 – Vulnerability ScanningRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information revealing specific vulnerabilities (other than the known vulnerabilities of widely available commercial products) and the compiled results of vulnerability analyses for systems shall be classified in accordance with the Program SCG.Organizations shall use vulnerability assessment tools, such as the SCAP Security Scanner (SCC) with current benchmarks. The ISSM/ISSO shall analyze vulnerability scans to determine true vs. false positives. True vulnerabilities identified as part of a scan shall be added to the POA&M.The organization:
Scans for vulnerabilities in the information system and hosted applications at least quarterly and when new vulnerabilities potentially affecting the system/applications are identified and reported
Click here to enter text.
Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting checklists and test procedures; and Measuring vulnerability impact
Click here to enter text.
Analyzes vulnerability scan reports and results from security control assessments
Click here to enter text.
Remediates legitimate vulnerabilities based on guidance provided by the IAVM Program or AO in accordance with an organizational assessment of risk
Click here to enter text.
Shares information obtained from the vulnerability scanning process and security control assessments with the AO/AO-Representative and the SCA to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)
Click here to enter text.
137
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Updates the POA&M with true vulnerabilities identified during scanning
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.15.4.1 RA-5(1) – Vulnerability Scanning: Update Tool CapabilityRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.15.4.2 RA-5(2) – Vulnerability Scanning: Update by Frequency/Prior to New Scan/When Identified
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization updates the information system vulnerabilities scanned as new automated tool scripts are issued; within 30 days prior to running scans; prior to a new scan; when new vulnerabilities are identified and reported. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.15.4.3 RA-5(4) – Vulnerability Scanning: Discoverable InformationRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
138
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
The organization determines what information about the information system is discoverable by adversaries and subsequently documents the information, determines potential risk, and takes corrective action to mitigate the vulnerabilities.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.15.4.4 RA-5(5) – Vulnerability Scanning: Privileged AccessRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall provide privileged access authorization to all systems and infrastructure components for vulnerability scanning activities to facilitate more thorough scanning.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.15.4.5 RA-5(7) – Vulnerability Scanning: Automated Detection and Notification of Unauthorized Components – WITHDRAWN Incorporated into CM-8
10.15.5 RA-6 – Technical Surveillance Countermeasures Survey (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs a technical surveillance countermeasures survey at their facilities as required.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
139
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16 SYSTEM AND SERVICES ACQUISITION
10.16.1 SA-1 – System and Services Acquisition Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
10.16.2 SA-2 – Allocation of Resources
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
As applicable, Statements of Work (SOW) will include a DD Form 254 and address contractor-related security issues including, but not limited to:
Personnel security. Physical security. Information systems in support of the contract. TEMPEST requirements. Applicable security regulations. Defense Federal Acquisition Regulation (DFAR) clause mandating personnel performing IA functions is certified
under DoDD 8570.01, Information Assurance (IA) Training, Certification, and Workforce Management, and DoD 8570.01-M.
A Government official, either the ISSE/IASAE or DAO/designee, will coordinate with the Program on these specific requirements depending upon the particular acquisition.The organization:
Determines information security requirements for the IS or IS service in mission/business process planning
Click here to enter text.
Determines, documents, and allocates the resources required to protect the IS or IS service as part of its capital planning and investment control process
Click here to enter text.
Establish a discrete line item for information security in organizational programming and budgeting documentation
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.3 SA-3 – System Development Life Cycle
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
140
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Manages information systems using an SDLC methodology that incorporates information security considerations
Click here to enter text.
Defines and documents information security roles and responsibilities throughout the SDLC
Click here to enter text.
Identify individuals having information security roles and responsibilities
Click here to enter text.
Integrate the organizational information security risk management process into system development life cycle activities
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.4 SA-4 – Acquisition Process
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the IS, system component, or IS service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational business/mission needs: a. Security functional requirements; b. Security strength requirements; c. Security assurance requirements; d. Security-related documentation requirements; e. Requirements for protecting security-related documentation; f. Description of the IS development environment and environment in which the system is intended to operate; and g. Acceptance criteria.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.4.1 SA-4(1) – Acquisition Process: Functional Properties of Security Controls – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires the developer of the IS, system component, or the IS service to provide a description of the functional properties of the security controls to be employed. The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within information systems with sufficient detail to permit analysis and testing.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
141
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16.4.2 SA-4(2) – Acquisition Process: Design/Implementation Information for Security Controls (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires the developer of the IS, system component, or IS service to provide design and implementation information for the security controls to be employed that includes: security-relevant external system interfaces; high level design; source code or hardware schematics and other system or service specific implementation information at a sufficient level of detail.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.4.3 SA-4(6) – Acquisition Process: Use of Information Assurance Products (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization shall employ only GOTS or COTS IA and IA-enabled IT products that compose an NSA-approved solution to protect classified information when the system(s)/networks used to process, store, and/or transmit the information are at a lower classification level than the information being transmitted (i.e., tunneling) [SA-4(6) (a)], ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.4.4 SA-4(7) – Acquisition Process: NIAP Approved Protection Profiles – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization (a) limits the use of commercially provided IA and IA-enabled IT products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; (b) Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided IT products relies on cryptographic functionality to enforce its security policy, that the
142
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
cryptographic module is FIPS-validated.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.4.5 SA-4(9) – Acquisition Process: Functions/Ports/Protocols/Services in Use – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires the developer of the IS, system component, or IS service to identify early in the SDLC, the functions, ports, protocols, and services intended for organizational use. This allows the organization the opportunity to influence the design of the IS, IS component or IS service to prevent unnecessary risks.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.4.6 SA-4(10) – Acquisition Process: Use of Approved PIV Products (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs only IT products on the FIPS 201-approved products list for Personally Identify Verification (PIV) (aka CAC) capability implemented within organization information systems.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.5 SA-5 – Information System DocumentationRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
143
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
Obtain administrator documentation for the IS, IS component, or IS service that describes: (1) Secure configuration, installation, and operation of the information system; (2) Effective use and maintenance of security features/functions; and (3) Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
Click here to enter text.
Obtain user documentation for he IS, IS component, or IS service that describes: (1) User-accessible security features/functions and how to effectively use those security features/functions; (2) Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner (e.g. training materials, user guides, Standard Operating Procedures); (3) User responsibilities in maintaining the security of the information and information system
Click here to enter text.
Document attempts to obtain IS, IS component, or IS service documentation when such documentation is either unavailable or nonexistent
Click here to enter text.
Protects documentation as required, in accordance with the risk management strategy
Click here to enter text.
Distributes documentation to stakeholders Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.5.1 SA-5 (1) – Information System Documentation: Functional Properties of Security Controls – WITHDRAWN Incorporated into SA-4(1)
10.16.5.2 SA-5(2) – Information System Documentation: Security Relevant External System Interfaces – WITHDRAWN Incorporated into SA-4(2)
10.16.6 SA-6 - Software Usage Restrictions – WITHDRAWN Incorporated into CM-10 and SI-7
10.16.7 SA-7 – User-Installed Software – WITHDRAWN Incorporated into CM-11 and SI-7
10.16.8 SA-8 – Software Engineering Principles
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall apply information system security engineering principles in the specification, design, development, implementation, and modification of information systems. Examples of security engineering principles include, but are not
144
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
limited to: Developing layered protections; Establishing sound security policy, architecture, and controls as the foundation for design; Incorporating security into the SDLC; Delineating physical and logical security boundaries; Ensuring system developers and integrators are trained on how to develop secure software; Tailoring security controls to meet organizational and operational needs; Reducing risk to acceptable levels, thus enabling informed risk management decisions .
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.9 SA-9 – External Information System Services (- Standalone and CRN Overlay)After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks. Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
External Information System services are service that are implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. The responsibility for adequately mitigating risks arising from the use of External Information System services remains with the AO. When a sufficient level of trust cannot be established in the external services and/or service providers, the organization shall employ compensating security controls or accept the greater degree of risk.The organization:
Require that providers of External Information System services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, EOs, directives, policies, regulations, standards, and guidance
Click here to enter text.
Defines and documents government oversight and user roles and responsibilities with regard to External Information System services
Click here to enter text.
Employs appropriate processes and/or technologies to monitor security control compliance by external service providers on an ongoing basis.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.9.1 SA-9(1) – External Information System Services: Risk Assessment/Organizational Approvals (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
145
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization (a) conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (b) Ensures the acquisition or outsourcing of dedicated information security services is approved as defined at the system or program level. Organizations should ensure that individuals with the regulatory and organizational authority to outsource services conduct full scope risk assessments and ensure that appropriate individuals are involved in this decision. This approval line can be reserved for CIO, AO, or contracting officer as appropriate based on an organization’s structure. Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.9.2 SA-9(2) – External Information System Services: Identification of Functions/Ports/Protocols/Services – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks. Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires providers of all external information systems and services to identify the functions, ports, protocols, and other services required for the use of such services.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.9.3 SA-9(5) – External Information System Services: Processing, Storage, and Service Location (+ Privacy Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization restricts the location of classified or sensitive information processing, information/data storage, or IS services to locations approved for such processing and to appropriately cleared and access individuals.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
146
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16.10 SA-10 – Developer Configuration ManagementRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
This control also applies to organizations conducting internal information systems development and integration. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation.The organization shall require that IS developers/integrators of the IS, system component of IS service to:
Perform configuration management during IS, system component of IS service design development, implementation and operation
Click here to enter text.
Document, manage, and control the integrity of changes to IS, system component of IS services
Click here to enter text.
Implement only organization-approved changes to the IS, system component of IS service
Click here to enter text.
Document approved changes to the IS, system component of IS service and the potential security impacts of such changes
Click here to enter text.
Track security flaws and flaw resolution within the IS, system component of IS service and report findings to the ISSM/ISSO
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.10.1 SA-10(1) – Developer Configuration Management: Software/Firmware Integrity Verification
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires the developer of the IS, system component, or IS service to enable integrity verification of software and firmware components.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
147
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16.11 SA-11 – Developer Security Testing and Evaluation Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Security testing and evaluation will be conducted in consultation with security personnel (e.g., ISSM/ISSO). An objective of the flaw remediation process is to correct weaknesses and deficiencies identified during the security testing and evaluation process.The organization requires the developer of the IS, system component, or information system service to:
Create and implement a security assessment plan Click here to enter text.
Perform the appropriate type of testing/evaluation (e.g., unit, integration, system, regression)
Click here to enter text.
Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation
Click here to enter text.
Implement a verifiable flaw remediation process Click here to enter text.
Document the results of the security testing/evaluation and flaw remediation processes
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.12 SA-12 – Supply Chain ProtectionRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall conduct a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware, software, firmware, or services, including a review of supplier claims with regard to the use of appropriate security processes in the development and manufacture of IS components or products.Organizations protects against supply chain threats to the IS, system component, or IS service by employing security safeguards in accordance with CNSSD No. 505, Supply Chain Risk Management as part of a comprehensive, defense-in-breadth information security strategy.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.13 SA-15 – Development Process, Standards and Tools – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring:
148
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization::
Requires the developer if the IS, system component, or IS service to follow a documented process that: (1) explicitly addresses security requirements; (2) identifies the standards and tools used in the development process; (3) documents the specific tool options and tool configuration used in the development process; and (4) documents, manages, and ensures the integrity of changes to the process and/or tools used in the development
Click here to enter text.
Reviews the development process, standards, tools, and tool options/configurations regularly but no less than annually to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy organizational security requirements
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.13.1 SA-15(9) – Development Process, Standards and Tools: Use of Live Data (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization approves, documents, and controls the use of live data in development and test environments for the IS, system component, or IS service.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.14 SA-17 – Developer Security Architecture and Design– NEWRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization requires the developer of the IS, system component, or IS service to produce a design specification and security architecture that:
149
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture
Click here to enter text.
Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components
Click here to enter text.
Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.16.15 SA-19 – Component Authenticity – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization::
Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the IS
Click here to enter text.
Reports counterfeit IS components to ASPD and the CIO/G-6 in accordance with AR 380-381
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
150
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17 SYSTEMS AND COMMUNICATIONS PROTECTION (SC)10.17.1 SC-1 – Systems and Communications Protection Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
10.17.2 SC-2 – Application Partitioning (+ Classified Overlay) (- Standalone)After a relevance determination, this control can be tailored out for standalone IS. Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Application partitioning is separating an application physically or logically into components that run on multiple servers. This provides additional security by separating specific IS management from general user functionality, as well as load balancing across the enterprise.The IS separates user functionality (including user interface services) from information system management functionality.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.3 SC-3 – Security Function Isolation (+ Classified Overlay) – NEW Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS isolates security function from non-security functions. The information system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains). Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.4 SC-4 – Information in Shared Resources (-Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS with a single user.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below)
151
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
This prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.The IS prevents unauthorized and unintended information transfer via shared system resources.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.5 SC-5 – Denial of Service Protection (- Standalone and CRN Overlay)After a relevance determination, this control can be tailored out for standalone IS and CRNs. Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.The IS protects against or limits the effects of denial of service attacks.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.6 SC-5(1) – Denial of Service Protection: Restrict Internal Users (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNsRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Protection against individuals having the ability to launch denial of service attacks may be implemented on specific information systems or on boundary devices prohibiting egress to potential target systems.The IS restricts the ability of individuals to launch denial of service attacks against other IS.
Click here to enter text.
152
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7 SC-7 – Boundary Protection (- Standalone and CRN Overlay)After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
This requirement also applies to ports, protocols, and services. Information systems, in conjunction with the environment in which they are installed, shall: • Provide for remote access only for an authorized, specific purpose (for example, to provide email access for a guest agency’s employee via a VPN). The remote connection must be restricted to approved purposes. Authorized remote access shall not enable the user to communicate as an extension of the IS or to communicate with local resources such as a printer or file server unless explicitly authorized by the AO. • Route specific internal communications traffic through authenticated proxy servers within the managed interfaces of boundary protection devices, (e.g., as defined in DoDI 8551.1, Ports, Protocols, and Services Management (PPSM), and DISA STIGs), to external networks (i.e., networks outside the control of the organization). The list of traffic to be routed through managed interfaces may be augmented with service/agency or site-specific requirements and approved by the AO or designee. • Use private/non-publicly routable IP addresses for isolated LANs. • Host-based boundary protection mechanisms shall be employed on mobile devices, (e.g.,notebook/laptop computers and other types of mobile devices) where boundary protection mechanisms are available. This typically applies when your internal network has classification or access levels that differ.The information system:
Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system
Click here to enter text.
Implements subnetworks for publicly accessible system components that are physically and logically separated from internal organizational networks
Click here to enter text.
Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.1 SC-7(3) – Boundary Protection: Access Points (- Standalone and CRN Overlay)After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
153
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
The organization:Limits the number of external network connections to the information system and prevents public access into the organization’s internal networks except as allowed by managed interfaces employing boundary protection devices. This control generally applies when the system is connected to unclassified system.Physically allocate publicly accessible information system components to separate sub-networks with separate physical network interfaces. Publicly accessible information system components include, for example, public web servers.Limits the number of access points to information systems under their purview to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.2 SC-7(4) – Boundary Protection: External Telecommunications Services (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic flow policy for each managed interface; (c) Protects the confidentiality and integrity of information being transmitted across each interface; (d) Documents exceptions to the traffic flow policy with a supporting mission/business need and the duration of that need in the SSP; (e) Reviews exceptions to the traffic flow policy at least annually; Eliminates traffic flow policy exceptions that are no longer required by an explicit mission/business need; and update the SSP accordingly.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.3 SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization at managed interfaces denies network traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). This requirement applies to ports, protocols, and services.
Click here to enter text.
154
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.4 SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.5 SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS routes specific internal communications traffic through authenticated proxy servers within the managed interfaces of boundary protection devices, (e.g. as defined in DoDI 8551.1, Ports, Protocols, and Services Management (PPSM), and DISA STIGs), to external networks (i.e., networks outside the control of the organization). The list of traffic to be routed through managed interfaces may be augmented with Service or site-specific requirements and approved by the DAO or designee.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.6 SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic (- Standalone and CRN Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
155
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS (a) detects and denies outgoing communications traffic posing a threat to external IS; and (b) audits the identity of internal users associated with denied communications. This is sometimes termed extrusion detection and includes traffic indicative of denial of service attacks and traffic containing malicious code.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.7 SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration (- Standalone and CRN Overlay)
This control is required for IS that process, store or transmit SCI.After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization prevents the unauthorized exfiltration of information across managed interfaces.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.8 SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS only allows incoming traffic from authorized sources routed to an authorized destination.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
156
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.7.9 SC-7(12) – Boundary Protection: Host-Based Protection (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization implements host-based boundary protection mechanisms (e.g., a host-based firewall) for servers, workstations, and mobile devices. Host-based boundary protection mechanisms shall be employed on mobile devices, (e.g., notebook/laptop computers and other types of mobile devices) where boundary protection mechanisms are available. This typically applies when the internal network has classification or access levels that differ.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.10 SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization isolates, at a minimum, vulnerability scanning tools, audit log servers, patch servers, and CND tools from other internal information system components via physically separate subnets with managed interfaces to other system or network components.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.11 SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization protects against unauthorized physical connections at any managed interface that crosses security domains
157
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
or connects to an external network; such as, but not limited to cross domain solutions, a network boundary with a WAN, a partner network, or the Internet.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.7.12 SC-7(17) – Boundary Protection: Automated Enforcement of Protocol Formats After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS enforces adherence to protocol formats. Information system components that enforce protocol formats include, for example, deep packet inspection firewalls and XML gateways. Such system components verify adherence to protocol formats/specifications (e.g., IEEE) at the application layer and identify significant vulnerabilities that cannot be detected by devices operating at the network or transport layers.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.8 SC-8 – Transmission Confidentiality and Integrity (+ Classified)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS protects the confidentiality and integrity of transmitted information. This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). When more than one computer network exists, a color coding scheme shall be developed to assist in the proper handling of classified information. Color coding of cables may be met by any of the following:• Purchasing/making cables with the proper color.• Placing colored tape every five feet along the cable length.• Wrapping tape around the length of the cable run.
When networks are present other than those listed above, a different color must be selected for the network cables to assist in minimizing the risk to classified IS.
Click here to enter text.
158
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.8.1 SC-8(1) – Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection (+ Classified ) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes to, information during transmission unless otherwise protected by alternative physical safeguards such as keeping transmission within physical areas rated IAW the sensitivity of the information or within a Protected Distribution System (PDS) when traversing areas not approved for the sensitivity of the information. This applies to sensitive unclassified information, such as PII, as well as classified information.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.8.2 SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling (+ Classified Overlay) (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS maintains the confidentiality and integrity of information during preparation for transmission and during reception.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.8.3 SC-8(3) – Transmission Confidentiality and Integrity: Cryptographic Protection for Message Externals (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
159
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Common System Specific Hybrid (Common and System Specific)
The IS implements cryptographic mechanisms to protect message externals unless otherwise protected by alternative physical or logical safeguards. Message externals include, for example, message headers/routing information.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.8.4 SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS implements cryptographic mechanisms to conceal or randomize communications patterns unless otherwise protected by alternative physical or logical safeguards. Communication patterns include, for example, frequency, periods, amount, and predictability. Changes to communications patterns can reveal information having intelligence value especially when combined with other available information related to missions/business functions supported by organizational information systems.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.9 SC-10 – Network Disconnect (- Standalone & CRN Overlay)After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS terminates the network connection associated with a communications session at the end of the session or after no more than one (1) hour of inactivity.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.10 SC-12 – Cryptographic Key Establishment and Management .Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status:
160
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implemented PlannedOrganizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization establishes and manages cryptographic keys for required cryptography employed within the IS in accordance with NSA-approved key management technology and processes.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.10.1 SC-12(2) – Cryptographic Key Establishment and Management/Symmetric Keys (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization produces, controls, and distributes symmetric keys using NSA-approved key management technology and processes.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.10.2 SC-12(3) – Cryptographic Key Establishment and Management/Asymmetric Keys (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization produces, controls, and distributes asymmetric keys using NSA-approved key management technology and processes.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.11 SC-13 – Cryptographic Protection (+ Classified)
161
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS implements using NSA-approved cryptography for protecting classified information from access by personnel who lack the necessary security clearance in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, and standards. To protect classified information organizations shall employ NSA-approved cryptography. Cryptography shall also be used to protect information that must be separated from individuals who have the necessary clearances, but lack the necessary access approvals.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.11.1 SC-13(3) – Cryptographic Protection: Individuals without Formal Access Approvals – WITHDRAWN Incorporated into SC-13
10.17.12 SC-14 – Public Access Protections WITHDRAWN Incorporated into multiple controls
10.17.13 SC-15 – Collaborative Computing Devices (- Standalone & CRN Overlay)After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Collaborative computing devices include, but are not limited to, VTC, VoIP telephones, VVoIP, networked white boards, video cameras, and microphones. All collaborative computing devices must be approved by the AO. In addition, all collaborative computing equipment, collateral, or unclassified information systems or networks must be approved by the AO prior to introduction into the facility.Additional requirements include:
Camera lenses shall be covered with an opaque covering when the camera is not in use. No systems, documents, or media of higher classification may be displayed or in view of the camera.
Microphones must have a mute or hold capability (e.g., on/off switch) and should have a push to talk button (implemented in hardware or software).
While conducting a collaborative computing session, users shall take all reasonable measures to ensure that no unintended information is made audible or visible via the collaborative computing device. Users shall advise all personnel in the immediate area that the collaborative computing device will be operating and shall sanitize all sensitive material/systems that may be in view of the collaborative computing device.
Users shall not leave the collaborative computing device unattended while a session is in progress. Once the collaborative session is completed, the user shall take explicit action to disconnect/terminate the collaborative computing device.
Desktop level collaborative computing devices may use external loud speakers/amplified sound only if they are installed within a closed room with walls that meet the requirement of DoDM 5205.07-V3, otherwise a headset must be used.
Microphones must be used in such a way to ensure no unintended conversations are picked up and transmitted outside the facility. This may be accomplished by using microphones in enclosed offices, or by ensuring no other
162
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
higher classified discussions occur in the area when the microphone is in use.The information system:Prohibits remote activation of collaborative computing devices with no exceptions
Click here to enter text.
Provides an explicit indication of use to users physically present at the devices
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.13.1 SC-15(2) – Collaborated Computing Devices: Blocking Inbound/Outbound Communications Traffic WITHDRAWN Incorporated into SC-7
10.17.13.2 SC-15(3) – Collaborative Computing Devices: Disabling/Removal in Secure Work Areas (+ Classified Overlay) (- Standalone & CRN Overlay) – NEW
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization disables or removes collaborative computing devices from organizationally-identified IS or IS components in specified secure work areas.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.14 SC-17 – Public Key Infrastructure Certificates (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization issues public key certificates under the organizationally-defined certificate policy or obtains public key certificates from an approved service provider. This requirement addresses certificates with visibility external to the information system and certificates related to internal system operations.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.15 SC-18 – Mobile CodeRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
163
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Mobile code is software obtained from remote systems outside the system authorization boundary, transferred across a network, and then downloaded and executed on a local system (e.g., a computer with a web browser) without explicit installation or execution by the recipient. ‘Transferred across a network’ includes transfers via media, aka sneakernet.See the DAA PM security control SC-18 for additional definition of mobile code.The organization:Defines acceptable and unacceptable mobile code and mobile code technologies
Click here to enter text.
Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies
Click here to enter text.
Authorizes, monitors, and controls the use of mobile code within the information system
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.15.1 SC-18(1) – Mobile Code: Identify Unacceptable Code/Take Corrective ActionsRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS identifies unacceptable mobile code and takes corrective action. Corrective actions when unauthorized mobile code is detected include, for example, blocking, quarantine, or alerting the SA. Disallowed transfers include, for example, sending word processing files with embedded macros.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.15.2 SC-18(2) – Mobile Code: Acquisition/Development/UseRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
164
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
The organization ensures that the acquisition, development and use of mobile code to be deployed in the information system meets mobile code requirements, usage restrictions, and implementation guidance for acceptable mobile code and mobile code technologies as follows:
Category 1 mobile code shall be signed by a trusted Certificate Authority. Use of unsigned Category 1 mobile code is prohibited. Use of Category 1 mobile code technologies that cannot block or disable unsigned mobile code (e.g., Windows Scripting Host) is prohibited.
Category 2 mobile code which executes in a constrained environment without access to system resources (e.g., Windows registry, file system, system parameters, and network connections to other than the originating host) may be used. Category 2 mobile code which does not execute in a constrained environment may be used when obtained from a trusted source over an assured channel (e.g., JWICS, SIPRNet, SSL connection, S/MIME) or when signed with an approved code signing certificate.
Category 3 mobile code may be used.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.15.3 SC-18(3) – Mobile Code: Prevent Downloading/ExecutionRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS prevents the download and execution of prohibited mobile code.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.15.4 SC-18(4) – Mobile Code: Prevent Automatic ExecutionRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS prevents the automatic execution of prohibited mobile code prior to executing the code.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.16 SC-19 – Voice over Internet Protocol (VoIP) (- Standalone & CRN Overlay)After a relevance determination, this control can be tailored out for standalone IS and CRNs.
165
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Organizations shall ensure VoIP technologies are implemented with DAO and approval. The organization shall further ensure:VoIP telephone instruments shall have a “Consent to Monitor” label (e.g. DD Form 2056) or banner and an appropriate classification label or banner. VoIP telephone instruments must be used in such a way to ensure no unintended conversations are picked up and transmitted outside the facility. This may include use in an enclosed office, or ensuring no other higher classified discussions occur in the area when the VoIP telephone is in use.The organization:Establishes usage restrictions and implementation guidance for VoIP technologies based on the potential to cause damage to the IS if used maliciously
Click here to enter text.
Authorizes, monitors and controls the use of VoIP within the IS.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.17 SC-20 – Secure Name/Address Resolution Service (Authoritative Source) (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
A Domain Name System (DNS) server is an example of an information system that provides name/address resolution service.The information system:Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries
Click here to enter text.
Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
166
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.17.1 SC-20(1) – Secure Name/Address Resolution Service (Authoritative Source): Child Subspaces WITHDRAWN Incorporated into SC-20
10.17.18 SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver) (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.19 SC-22 – Architecture and Provisioning for Name/Address Resolution Service (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS that collectively provide name/address resolution service for an organization shall be fault-tolerant and implement internal/external role separation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.20 SC-23 – Session Authenticity (- Standalone Overlay)After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS protects the authenticity of communications sessions. This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes
167
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.20.1 SC-23(1) – Session Authenticity: Invalidate Session Identifiers at Logout (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system invalidates session identifiers upon user logout or other session termination.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.20.2 SC-23(2) – Session Authenticity: User Initiated Logouts/Message Displays WITHDRAWN Incorporated into AC-12(1)
10.17.20.3 SC-23(3) – Session Authenticity: Unique Session Identifies with Randomization (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system generates a unique session identifier for each session and recognizes only session identifiers that are system-generated.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.20.4 SC-23(5) – Session Authenticity: Allowed Certificate Authorities (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
168
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system only allows the use of defined certificate authorities for verification of the establishment of protected sessions.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.21 SC-28 – Protection of Information at Rest
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information at rest refers to the state of information when it is located on a non-volatile device (e.g., hard drive, tapes) within an information system. laptop hard drives must be encrypted using either Bitlocker or other DAO-approved encryption technology and must be labeled with “authorized/not authorized for travel” and “compliant with DAR policy.”Information systems shall protect the confidentiality and integrity of information at rest.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.21.1 SC-28(1) – Protection of Information at Rest: Cryptographic Protection (+Classified)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS implements DoD/NSA approved cryptographic mechanisms to prevent unauthorized disclosure and modification of data at rest, to include mobile devices, CDs and other removable media (e.g., USB hard drives).
Click here to enter text.
169
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.22 SC-38 – Operations Security – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs OPSEC safeguards to protect key organizational information throughout the system development life cycle.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.23 SC-39 – Process Isolation – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS maintains a separate execution domain for each executing process.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.24 SC-42 – Sensor Capability and Data (+ Classified Overlay) – NEWRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
This control often applies to types of information systems or system components characterized as mobile devices, for example, smart phones, tablets, and E-readers. These systems often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include, for example, cameras, microphones, Global Positioning System (GPS) mechanisms, and accelerometers.The information system:Prohibits the remote activation of environmental sensing capabilities unless determined to be essential for mission
Click here to enter text.
170
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
execution
Provides an explicit indication of sensor use Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.17.24.1 SC-42(3) – Sensor Capability and Data: Prohibit Use of Services (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization prohibits the use of devices possessing environmental sensing capabilities within facilities.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
171
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18 SYSTEM AND INFORMATION INTEGRITY (SI)10.18.1 SI-1 – System and Information Integrity Policy and ProceduresProgram-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Control: The organization:
a. Develops, documents, and disseminates to all personnel:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy every 5 years; and
2. System and information integrity procedures at least annually.
172
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18.2 SI-2 – Flaw RemediationRecommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Flaw remediation refers to software patch management. Patch management is the systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions.Organizations shall:• Ensure system/network administrators routinely review vendor sites, bulletins, and notifications and proactively update information systems with fixes, patches, definitions, service packs, or implementation of vulnerability mitigation strategies with ISSM approval.• Employ automated patch management tools on all components to the maximum extent supported by available tools to facilitate flaw remediation.By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates.The organization:Identifies, reports and corrects IS flaws Click here to enter text.
Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation
Click here to enter text.
Installs security-relevant software and firmware updates within thirty (30) days of release of the updates
Click here to enter text.
Incorporates flaw remediation into the organizational configuration management process
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.2.1 SI-2(1) – Flaw Remediation: Central Management – NEW BASELINERecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization centrally manages the flaw remediation process.
Click here to enter text.
173
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.2.2 SI-2(2) – Flaw Remediation: Automated Flaw Remediation StatusRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs automated scans at least quarterly to determine the state of information system components with regard to flaw remediation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.2.3 SI-2(3) – Flaw Remediation: Time to Remediate Flaws/Benchmarks for Corrective Actions (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization shall measure the time between flaw identification and flaw remediation, comparing with a local historical development of benchmarks, if available.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.2.4 SI-2(4) – Flaw Remediation: Automated Patch Management Tools WITHDRAWN Incorporated into SI-2
10.18.2.5 SI-2(6) – Flaw Remediation: Removal of Previous Versions of Software/Firmware – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
174
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
The organization removes previous versions of software and/or firmware components after updated versions have been installed.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.3 SI-3 – Malicious Code ProtectionRecommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code
Click here to enter text.
Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures
Click here to enter text.
Configures malicious code protection mechanisms to:(a) Perform periodic scans of the information system at least weekly and real-time scans of files from external sources at endpoints and network entry/exit points as files are downloaded, opened, or executed in accordance with organizational security policy; (b) Block and quarantine malicious code and send an alert to the system administrator in response to malicious code detection
Click here to enter text.
Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.3.1 SI-3(1) – Malicious Code Protection: Central Management (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
175
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
The organization centrally manages malicious code protection mechanisms, e.g. client/server antivirus model, records of malicious code protection updates; information system configuration settings and associated documentation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.3.2 SI-3(2) – Malicious Code Protection: Automatic Updates (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS automatically updates malicious code protection mechanisms (including signature definitions), i.e. after updates are installed to the server.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.3.3 SI-3(10) – Malicious Code Protection: Malicious Code Analysis – NEW BASELINE
Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization (a) employs specific tools and techniques to analyze the characteristics and behavior of malicious code; and (b) incorporates the results from the analysis into organizational incident response and flaw remediation processes.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4 SI-4 – Information System Monitoring .Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below)
176
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
Monitors the information system to detect: (1) Attacks and indicators of potential attacks in accordance with the Service or Activity policy and (2) Unauthorized local, network, and remote connections;
Click here to enter text.
Identifies unauthorized use of the information system through User Activity Monitoring tools, such as InTrust
Click here to enter text.
Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization
Click here to enter text.
Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion
Click here to enter text.
Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information
Click here to enter text.
Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations
Click here to enter text.
Provides information as needed to designated personnel Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.1 SI-4(1) – Information System Monitoring: System-Wide Intrusion Detection System (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system (IDS).
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
177
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18.4.2 SI-4(2) – Information System Monitoring: Automated Tools for Real-Time Analysis (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
To the extent possible, the organization employs automated tools to support near real-time analysis of events.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.3 SI-4(4) – Information System Monitoring: Inbound and Outbound Communications Traffic (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.To the extent possible, the information system shall monitor inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.4 SI-4(5) – Information System Monitoring: System Generated Alerts (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system alerts the ISSM/ISSO when the following indications of compromise or potential compromise occur:
178
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
audit record deletion or modification, alerts from malicious code detection mechanisms, intrusion detection or prevention mechanisms, boundary protection mechanisms such as firewalls, gateways, and routers.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.5 SI-4(10) – Information System Monitoring: Visibility of Encrypted Communications (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization makes provisions so that Program-related encrypted communications traffic is visible to deployed IS monitoring tools.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.6 SI-4(11) – Information System Monitoring: Analyze Communications Traffic Anomalies (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization analyzes outbound communications traffic at the external boundary of the IS and selected subnetworks/subsystems to discover anomalies. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.7 SI-4(12) – Information System Monitoring: Automated Alerts (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status:
179
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implemented PlannedOrganizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: at a minimum, unauthorized system access attempts, unauthorized system usage. Email or security dashboard alerts meet the intent of this control and can be set up to summarize user unauthorized access attempts to files or authentication failures.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.8 SI-4(14) – Information System Monitoring: Wireless Intrusion Detection (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization employs a capability, such as a wireless IDS, to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to information systems.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.9 SI-4(15) – Information System Monitoring: Wireless to Wireline Communications (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
If appropriate, the organization shall employ an IDS to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
180
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18.4.10 SI-4(16) – Information System Monitoring: Correlate Monitoring Information (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
To the extent possible, the organization shall correlate information from monitoring tools employed throughout the information system to achieve organization-wide situational awareness. This control supports insider threat mitigation.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.11 SI-4(19) – Information System Monitoring: Individuals Posing Greater Risk (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization implements additional monitoring measures of individuals who have been identified by organization and/or other authorized sources as posing an increased level of risk. Indications of increased risk from individuals can be obtained from a variety of sources including, for example, human resource records, intelligence agencies, law enforcement organizations, and/or other credible sources. The monitoring of individuals is closely coordinated with management, legal, security, and human resources officials within organizations conducting such monitoring and complies with federal legislation, Executive Orders, policies, directives, regulations, and standards.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.12 SI-4(20) – Information System Monitoring: Privileged User – NEW BASELINERecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization implements additional monitoring or privileged users. Additional monitoring may be instituted as part of a new-user policy, upon notice of personnel termination (e.g., user gives two weeks’ notice), or the result of incident response. This control may be implemented and defined at the time of incident. Example: Following an incident related to
181
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
incorrect marking, the GSSO/institutes probationary period of 30 days during which time a designated security person reviews all documents produced by the individual.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.13 SI-4(21) – Information System Monitoring: Probationary Periods (+ Classified Overlay) - NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization implements additional monitoring of individuals during probationary periods.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.14 SI-4(22) – Information System Monitoring: Unauthorized Network Services (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Information system detects network services that have not been authorized or approved by defined authorized or approval processes and audits and/or alerts the ISSM/ISSO.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.4.15 SI-4(23) – Information System Monitoring: Host-Based Devices (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below)
182
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization implements host-based monitoring at identified IS components. This includes monitoring, for example, of I/O and endpoint services.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.5 SI-5 – Security Alerts, Advisories, and DirectivesRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:
Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis. This includes, but is not limited to, the DHS US-CERT, SANS Internet Storm Center (ISC) and USCYBERCOM
Click here to enter text.
Generates internal security alerts, advisories, and directives as deemed necessary
Click here to enter text.
Disseminates security alerts, advisories, and directives to ISSM, ISSOs, and system administrators and security personnel, as appropriate
Click here to enter text.
Implements security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.5.1 SI-7(14) – Software, Firmware, and Information Integrity: Binary or Machine Executable Code – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization (a) Prohibits the use of binary or machine executable code from sources with limited or not warranty and without the provision of source code; and (b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the AO.
183
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.6 SI-10 – Information Input Validation (- Standalone Overlay) – NEW BASELINEAfter a relevance determination, this control can be tailored out for standalone IS.Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The IS checks the validity of information all inputs to web/application servers, database servers, and any system or application input that might receive a crafted exploit toward executing some code or buffer overflow.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.7 SI-11 – Error Handling
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The information system:Generates error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages that could be exploited by adversaries
Click here to enter text.
Reveals error messages only to authorized personnel Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.18.8 SI-12 – Information Handling and Retention
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
184
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Common System Specific Hybrid (Common and System Specific)
The organization handles and retains information within the IS and information output from the system in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. ASPD provides guidance for information retention.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
185
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.19 PROGRAM MANAGEMENT (PM) – NEW BASELINEAll organizations are required to establish a Program cybersecurity/information assurance (CS/IA) program. PM-1 – Information Security Program Plan
10.19.1 PM-1 Information Security Program PlanRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:The SSP can function as the Security Plan for ISSMs.The organization: a. Develops and disseminates an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
Click here to enter text.
Reviews the organization-wide information security program plan [Annually];
Click here to enter text.
Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
Click here to enter text.
Protects the information security program plan from unauthorized disclosure and modification.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.2 PM-2 – Senior Information Security OfficerRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization appoints a senior information security officer (SISO) with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. For programs, the PM can function as the SISO or assign the duties to the ISSM.
186
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.3 PM-3 – Information Security ResourcesRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement
Click here to enter text.
Employs a business case/Exhibit 300/Exhibit 53 to record the resources required
Click here to enter text.
Ensure that information security resources are available for expenditure as planned
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.4 PM-4 – Plan of Action and Milestones ProcessRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
DSS requires Programs to provide their POA&Ms for review on a quarterly basis or as requested via data calls.The initiation if the POA&M is created by and maintained by the ISSM and approved as part of the SSP. The Organization/ISSM us responsible for the life cycle maintenance of the POA&M and the execution of the required mitigation actions.
The organization:Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: (1) Are developed and maintained; (2) Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and (3). Are reported in accordance with reporting requirements.
Click here to enter text.
Reviews POA&Ms for consistency with organizational risk management strategy and organization wide-priorities for risk response actions
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
187
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.19.5 PM-5 – Information System InventoryRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization develops and maintains an inventory of its information systems.
Each ISSM is required to maintain an inventory of information systems under its purview; ensuring information related to the number, size, and mission information system is maintained.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.6 PM-6 – Information Security Measures of PerformanceRecommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization develops, monitors, and reports on the results of information security measures of performance, e.g. metrics. See NIST SP 800-55, Performance Measurement Guide for Information Security, for metrics examples.
Information security measures monitor the accomplishment of goals and objectives by quantifying the implementation, efficiency, and effectiveness of security controls; analyzing the adequacy of information security program activities; identifying possible improvement actions.
A. Number of employees who received annual security awareness training;B. Percent of information systems with approved ATOs;C. Number of privileged users;D. Number of low and high risk Data Transfer Agents;E. Other measurements as required by the DAO in accordance with the CSAs Assessment and Authorization Manual.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.7 PM-7 – Enterprise ArchitectureRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
188
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Common System Specific Hybrid (Common and System Specific)
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organization operations, organizational assets, individuals, other organizations, and the Nation and ensures security considerations are addressed by the organization early in the system development life cycle and that the requirements and controls assigned are directly and explicitly related to the organization’s mission/business processes.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.8 PM-8 – Critical Infrastructure PlanRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Identifying and documenting critical infrastructure and key resources provides the organization with the fundamental understanding of what assets need protection, at what level, ensures focus on the mission/business objectives, and supports contingency planning [CP-2].
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.9 PM-9 – Risk Management StrategyRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The risk management strategy at the Program Level incorporates the risk assessment results from the risk assessment reports provided for the security authorization of the information systems (RA-3), as well as other sources internal and external to the organization resulting in a comprehensive risk management strategy.
The organization:Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
Click here to enter text.
Implements the risk management strategy consistently across the organization;
Click here to enter text.
Reviews and updates the risk management strategy at least annually or as required to address organizational
Click here to enter text.
189
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
changes
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.10 PM-10 – Security Authorization ProcessRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization must implement the Risk Management Framework (RMF) and incorporate the processes required for security authorization in accordance with the requirements of the NISPOM and CSAs Assessment and Authorization Manual.
The organization:Manages (i.e., documents, tracks, and reports) the security state of organizational IS and the environments in which those systems operate through the security authorization process
The ISSM manages the process for Facility.
Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process (i.e., ISSM/ISSO)
Click here to enter text.
Fully integrates the security authorization processes into an organization-wide risk management program
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.11 PM-11 – Mission/Business Process DefinitionRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization:Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation
Click here to enter text.
Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.12 PM-12 – Insider Threat ProgramRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status:
190
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implemented PlannedOrganizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization implements an insider threat program that includes a cross discipline insider threat incident handling team (i.e., ISSM, PM, etc.) The organization required to comply with the requirements of the NISP Insider Threat Program.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.13 PM-13 – Information Security WorkforceRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization establishes an information security workforce development and improvement program.Appropriate staff is required to establish and maintain an adequate information security workforce certified in accordance with the requirements of DOD 8570.01-M if imposed by contract.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.14 PM-14 – Testing, Training, and MonitoringRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Partially implemented Planned Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
Each Organization required to consider OPSEC as it pertains to their information security if contractually imposed.
The organization:Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: (1) Are developed and maintained; and (2) Continue to be executed in a timely manner
Click here to enter text.
Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions
Click here to enter text.
191
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.15 PM-15 – Contact with Security Groups and AssociationsRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization must provide oversight for the security testing, training, and monitoring activities conducted within their facility and ensure that those activities are coordinated.
The organization establishes and institutionalizes contact with selected groups and associations within the security community: a. To facilitate ongoing security education and training for organizational personnel; b. To maintain currency with recommended security practices, techniques, and technologies; and c. To share current security-related information including threats, vulnerabilities, and incidents.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.19.16 PM-16 – Threat Awareness ProgramRecommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Choose an item.Implementation Status: Implemented Planned
Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)
The organization must create and follow procedures that outlines procedures to release information below the accredited level of the system. A record must be maintained and the trusted download agent must be trained. A comprehensive review should be completed by knowledgeable users.
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.
Click here to enter text.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
192