Computer Security Division
READ ME
Full Assessment Plan
Assmnt Pln-Phys Transport
Interview - Transport
Examine - Transport
Assmt Plan-Remote Access
Interview - Remote Access
Examine - Remote Access
Test - Remote Access

Test the information system by attempting to perform actions that are configured to generate an audit record.

Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the auditable events control is implemented.

Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if the information system consistently generates audit records for auditable events on an ongoing basis.

Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the auditable events control are documented and the resulting information used to actively improve the control on a continuous basis.

Examine organizational records or documents to determine if the organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.

Test the audit monitoring, analysis and reporting process to determine if the organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions by artificially generating auditable events to cause an audit
failure or suspicious activity condition and monitoring how the organization reacts.

Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the audit monitoring, analysis, and reporting control is implemented.

Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if the organization consistently conducts audit monitoring, analysis, and reporting on an ongoing basis.

Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the audit monitoring, analysis, and reporting control are documented and the resulting information used to actively improve the control on a continuous basis.

Examine organizational records or documents and the information system configuration to determine if the organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.

Test the information system configuration to determine if the organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities by artificially generating auditable events and monitoring the results.

Examine organizational records or documents and the information system configuration settings to determine if the system protects passwords from unauthorized disclosure and modification when stored and transmitted, prohibits passwords from being displayed when entered, enforces password minimum and maximum lifetime restrictions, and prohibits password reuse for a specified number of generations.

Examine organizational records or documents to
determine if the organization establishes administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.

AC-13 AC-17 AU-1 AU-2 AU-6 SC-1 SC-4 SC-13

STEP 1: Confirm identification of personally identifiable information protection needs.

STEP 2: Verify adequacy of organizational policy.

Action Item 3.2
Action Item 1.1
Action Item 1.2
Action Item 3.1
Action Items 2.1, 2.2, and 2.3
Action Item 2.2

MP-1 MP-5 AT-1 AT-2 IA-1 IA-5 AC-1 AC-3 AC-4 AC-6 RA-2 RA-4 PL-4 PL-5

NIST SP 800-53A Assessment Procedural Statements (Examine, Interview, Test)
NIST SP 800-53A Assessment Interview Procedural Statements
NIST SP 800-53A Assessment Examine Procedural Statements
NIST SP 800-53A Assessment Test Procedural Statements

Verify information categorization to ensure identification of personally identifiable information requiring protection when accessed remotely or physically removed.

Verify existing risk assessment.

Action Item 2.1: Identify existing organizational policy that addresses the information protection needs associated with personally identifiable information that is accessed remotely or physically removed.
Action Item 2.2: Verify that the existing organizational policy adequately addresses the information protection needs associated with personally identifiable information that is accessed remotely or physically removed.
Action Item 2.3: Revise/develop organizational policy as needed, including steps 3 and 4.

Verify that the existing organizational policy adequately addresses the information protection needs associated with personally identifiable information that is accessed remotely or physically removed.

In those instances where personally identifiable information is transported to a remote site, implement NIST Special Publication 800-53 security controls ensuring that information is transported only in encrypted form.

In those instances where personally identifiable information is being stored at a remote site, implement NIST Special Publication 800-53 security controls ensuring that information is stored only in encrypted form.

Implement NIST Special Publication 800-53 security controls requiring authenticated, virtual private network (VPN) connection.

Implement NIST Special Publication 800-53 security controls enforcing allowed downloading of personally identifiable information.

Implement NIST Special Publication 800-53 security controls enforcing encrypted remote storage of personally identifiable information.

Implement NIST Special Publication 800-53 security controls enforcing no remote storage of personally identifiable information.

Examine organizational records or documents to determine if the organization changes default authenticators upon information system installation.

Interview selected organizational personnel with identification and authentication responsibilities to determine if users take reasonable measures to safeguard authenticators including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately.

Examine organizational records or documents to determine if the information system establishes user control of the corresponding private key and maps the authenticated identity to the user account (for PKI-based authentication).

Examine organizational records
or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the authenticator management control is implemented.

Test the information system to determine if the system protects passwords from unauthorized disclosure and modification when stored and transmitted, prohibits passwords from being displayed when entered, enforces password minimum and maximum lifetime restrictions, and prohibits password reuse for a specified number of generations.

Interview selected organizational personnel with identification and authentication responsibilities and examine organizational records or documents to determine if the organization consistently manages authenticators for the information system on an ongoing basis.

Interview selected organizational personnel with identification and authentication responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the authenticator management control are documented and the resulting information used to actively improve the control on a continuous basis.

Examine the media protection procedures to determine if the procedures are sufficient to address all areas identified in the media protection policy and all associated media protection controls.

Examine the identification and authentication procedures to determine if the procedures are sufficient to address all areas identified in the identification and authentication policy and all associated identification and authentication controls.

Examine organizational records or documents to determine if the organization restricts the pickup, receipt, transfer, and delivery of information system media (paper and digital) to authorized personnel.

Examine the list of personnel that have been authorized for the pickup, receipt, transfer, and delivery of information system media to determine if access is appropriately
restricted.

Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the media transport control is implemented.

Interview selected organizational personnel with media protection responsibilities and examine organizational records or documents to determine if the organization consistently transports in a secure manner information system media on an ongoing basis.

Interview selected organizational personnel with media protection responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the media transport control are documented and the resulting information used to actively improve the control on a continuous basis.

Examine organizational records or documents to determine if the organization provides and makes readily available to all information system users a set of rules that describes users' responsibilities and expected behavior with regard to information and information system usage.

Examine organizational records or documents to determine if the organization receives a signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information.

Examine the rules of behavior to determine if the content is consistent with NIST Special Publication 800-18.

Interview selected organizational personnel to determine if they understand the rules of behavior for the information system.

Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the rules of behavior control is implemented.

Additional Test Steps/Summary Comment for Test Results and Mitigation Requirements/POAM (include references to other supporting documentation)

Interview
selected organizational personnel with security planning and plan implementation responsibilities and examine organizational records or documents to determine if the organization consistently reviews and updates the rules of behavior on an ongoing basis.

Interview selected organizational personnel with security planning and plan implementation responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the rules of behavior control are documented and the resulting information used to actively improve the control on a continuous basis.

Examine the system and communications protection procedures to determine if the procedures are sufficient to address all areas identified in the system and communications protection policy and all associated system and communications protection controls.

Examine organizational records or documents (including developer design documentation) to determine if the employed cryptography complies with applicable federal laws, directives, policies, regulations, standards, and guidance, including FIPS 140-2 which requires the system to perform all cryptographic operations (including key generation) using FIPS 140-2 validated cryptographic modules operating in approved modes of operation.

Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the use of validated cryptography control is implemented.

Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents to determine if the organization consistently uses validated cryptography within the information system on an ongoing basis.

Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents to determine if anomalies
or problems encountered by the organization in the implementation of the use of validated cryptography control are documented and the resulting information used to actively improve the control on a continuous basis.

Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents (including developer design documentation) to determine if the information system prevents unauthorized and unintended information transfer via shared system resources and how the system prevents the transfer.

Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the information remnants control is implemented.

Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents (including developer design documentation) to determine if the information system employs appropriate mechanisms to consistently prevent unauthorized and unintended transfer of information via shared system resources on an ongoing basis.

Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the information remnants control are documented and the resulting information used to actively improve the control on a continuous basis.

13. Develop System/Activity-Specific Assessment Plans. After extracting the common control procedures from the baseline Assessment Plan, develop assessment plans for physical transportation of information and/or for remote access to each system allowing access to PII from the remaining procedures.
These plans may vary in that they are specific to each system and to the organization allowing remote access to or physical transportation of data. They can also be tailored to eliminate duplication of assessment procedures conducted for the Common Controls.

Assessment Completed by: Date Completed:

Interview selected organizational personnel with security awareness and training responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the security awareness and training policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.

Examine organizational records or documents to determine if the audit and accountability policy and procedures: (i) exist; (ii) are documented; (iii) are disseminated to appropriate elements within the organization; (iv) are periodically reviewed by responsible parties within the organization; and (v) are updated, when organizational review indicates updates are required.

Examine the audit and accountability policy to determine if the policy adequately addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the audit and accountability policy and procedures control is implemented.

Examine the audit and accountability policy to determine if the policy is consistent with the organization's mission, functions, and associated laws, directives, policies, regulations, standards, and guidance.

Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if the organization consistently applies the audit and accountability policy and procedures on an
ongoing basis.

Examine organizational records or documents to determine if identification and authentication policy and procedures: (i) exist; (ii) are documented; (iii) are disseminated to appropriate elements within the organization; (iv) are periodically reviewed by responsible parties within the organization; and (v) are updated, when organizational review indicates updates are required.

Examine the identification and authentication policy to determine if the policy adequately addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the identification and authentication policy and procedures control is implemented.

Examine the identification and authentication policy to determine if the policy is consistent with the organization's mission, functions, and associated laws, directives, policies, regulations, standards, and guidance.

Interview selected organizational personnel with identification and authentication responsibilities and examine organizational records or documents to determine if the organization consistently applies the identification and authentication policy and procedures on an ongoing basis.

Interview selected organizational personnel with identification and authentication responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the identification and authentication policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.

Examine organizational records or documents to determine if the media protection policy and procedures: (i) exist; (ii) are documented; (iii) are disseminated to appropriate elements within the organization; (iv) are
periodically reviewed by responsible parties within the organization; and (v) are updated, when organizational review indicates updates are required.

Examine the media protection policy to determine if the policy adequately addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the media protection policy and procedures control is implemented.

Examine the media protection policy to determine if the policy is consistent with the organization's mission, functions, and associated laws, directives, policies, regulations, standards, and guidance.

Interview selected organizational personnel with media protection responsibilities and examine organizational records or documents to determine if the organization consistently applies the media protection policy and procedures on an ongoing basis.

Interview selected organizational personnel with media protection responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the media protection policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.

Examine organizational records or documents to determine if system and communications protection policy and procedures: (i) exist; (ii) are documented; (iii) are disseminated to appropriate elements within the organization; (iv) are periodically reviewed by responsible parties within the organization; and (v) are updated, when organizational review indicates updates are required.

Examine the system and communications protection policy to determine if the policy adequately addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance.

Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the system and communications protection policy and procedures control is implemented.

Examine the system and communications protection policy to determine if the policy is consistent with the organization's mission, functions, and associated laws, directives, policies, regulations, standards, and guidance.

Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents to determine if the organization consistently applies the system and communications protection policy and procedures on an ongoing basis.

Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the system and communications protection policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.

1. For Personally Identifiable Information physically removed:
   a. Does the policy explicitly identify the rules for determining whether physical removal is allowed?
   b. For personally identifiable information that can be removed, does the policy require the information be encrypted and that appropriate procedures, training, and accountability measures are in place to ensure that remote use of this encrypted information does not result in bypassing the protections provided by the encryption?
2. For Personally Identifiable Information accessed remotely:
   a. Does the policy explicitly identify the rules for determining whether remote access is allowed?
   b. When remote access is allowed, does the policy require that this access be accomplished via a virtual private network (VPN) connection established using agency-issued authentication certificate(s) or hardware token?
   c. When remote access is allowed, does the policy identify the rules for determining whether download and remote storage of the information is allowed? (For example, the policy could permit remote access to a database, but prohibit downloading and local storage of that database.)

STEP 4: Implement protections for remote access to personally identifiable information.

Action Item 4.1
Action Item 4.2
Action Item 4.4

NIST SP 800-53 Control

The organization conducts a privacy impact assessment on the information system.

NIST SP 800-53A Assessment Identifier

PL-5.1 PL-5.2 PL-5.3 PL-5.4

X

The organization categorizes the information system and the information processed, stored, or transmitted by the system in accordance with FIPS 199 and documents the results (including supporting rationale) in the system security plan.
Designated senior-level officials within the organization review and approve the security categorizations.

RA-2.1 RA-2.2 RA-2.3 RA-2.4 RA-2.5

The organization updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system.

RA-4.1 RA-4.2 RA-4.3 RA-4.4 RA-4.5
AC-1.1 AC-1.2 AC-1.3 AC-1.4 AC-1.5 AC-1.6 AC-1.7
AT-1.1 AT-1.2 AT-1.3 AT-1.4 AT-1.5 AT-1.6 AT-1.7
AU-1.1 AU-1.2 AU-1.3 AU-1.4 AU-1.5 AU-1.6 AU-1.7
IA-1.1 IA-1.2 IA-1.3 IA-1.4 IA-1.5 IA-1.6 IA-1.7
MP-1.1 MP-1.2 MP-1.3 MP-1.4 MP-1.5 MP-1.6 MP-1.7
SC-1.1 SC-1.2 SC-1.3 SC-1.4 SC-1.5 SC-1.6 SC-1.7

The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.

NIST SP 800-53 Control Identifier
Procedure from OMB M-06-16 Checklist
Moderate-impact system applicable
High-impact system applicable

The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

The organization develops, disseminates, and periodically
reviews/updates: (i) a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

The organization controls information system media (paper and digital) and restricts the pickup, receipt, transfer, and delivery of such media to authorized personnel.

MP-5.1 MP-5.2 MP-5.3 MP-5.4 MP-5.5
SC-13.1 SC-13.2 SC-13.3 SC-13.4

When cryptography is employed within the information system, the system performs all cryptographic operations (including key generation) using FIPS 140-2 validated cryptographic modules operating in approved modes of operation.

The information system prevents unauthorized and unintended information transfer via shared system resources.

The organization establishes and makes readily available to all information system users a set of rules that describes their responsibilities and expected behavior with regard to information system usage.
The organization receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system.

PL-4.1 PL-4.2 PL-4.3 PL-4.4 PL-4.5 PL-4.6 PL-4.7
SC-4.1 SC-4.2 SC-4.3 SC-4.4

See above under Action Item 3.1

The organization documents, monitors, and controls all methods of remote access (e.g., dial-up, Internet) to the information system including remote access for privileged functions. Appropriate organization officials authorize each remote access method for the information system and authorize only the necessary users for each access method. Control enhancement: (1) The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods. (2) The organization uses encryption to protect the confidentiality of remote access sessions. (3) The organization controls all remote accesses through a managed access control point.

The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.

The information system generates audit records for the following events: [Assignment: organization-defined auditable events].

Using the OMB M-06-16 Checklist Privacy Controls Assessment Template

Worksheet Tabs included:
--Assessment Plan-Physical Transport: Includes sections of the Full Assessment Plan associated with the offsite physical transport of PII (Checklist Steps 1, 2, and 3 only).
---Interview-Transport: Interview procedures extract from the Physical Transport Assessment Plan.
---Examine-Transport: Examination procedures extract from the Physical Transport Assessment Plan.
--Assessment Plan-Remote Access: Includes sections of the Full Assessment Plan associated with remote access to PII (Checklist Steps 1, 2, and 4 only).
---Interview-Remote Access: Interview procedures extract from the Remote Access Assessment Plan.
---Examine-Remote Access: Examination procedures extract from the Remote Access Assessment Plan.

NOTE: Add controls and assessment procedures associated with specific technology associated with the system.

The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy. Control enhancement: (1) The information system ensures that access to security functions (deployed in hardware, software, and firmware) and information is restricted to authorized personnel (e.g., security administrators).

The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls. Control enhancement: (1) The organization employs automated mechanisms to facilitate the review of user activities.

The organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions. Control enhancement: (1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.
(2) The organization employs automated mechanisms to immediately alert security personnel of inappropriate or unusual activities with security implications.See above under Action Item 3.2See above under Action Item 4.2See above under Action Item 4.1AC-17.1AC-17.2AC-17.3AC-17.4AC-17.5AC-17.6AC-17.7AC-17.8AC-17.9AC-17.10AC-17.11AC-17.13AC-17.14AC-17.15AC-17.16AC-17.12The organization manages information system authenticators (e.g., tokens, PKI certificates, biometrics, passwords, key cards) by: (i) defining initial authenticator content; (ii) establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; and (iii) changing default authenticators upon information system installation.IA-5.1IA-5.2IA-5.3IA-5.4IA-5.5IA-5.6IA-5.7IA-5.8IA-5.9AC-3.1AC-3.2AC-3.3AC-3.4AC-3.5AC-3.6AC-3.7AC-3.8AC-3.9AC-4.1AC-4.2AC-4.3AC-4.4AC-4.5AC-6.1AC-6.2AC-6.3AC-6.4AC-6.5AC-6.6AC-13.1AC-13.2AC-13.3AC-13.4AC-13.5AC-13.6AC-13.7AC-13.8AC-13.9AU-2.1AU-2.2AU-2.3AU-2.4AU-2.5AU-6.1AU-6.2AU-6.6AU-6.4AU-6.5AU-6.7AU-6.3STEP 3: Implement protections for personally identifiable information being transported and/or stored offsite. If personally identifiable information is to be transported and/or stored offiste, follow Step 3; for remote access to personally identifiable information, follow Step 4. n Action Item 4.3 -- If remote storage of personally identifiable information is to be permitted follow Action Item 4.3, otherwise follow Action Item 4.4.  
The organization ensures all users (including managers and senior executives) are exposed to basic information system security awareness materials before authorizing access to the system and [Assignment: organization-defined frequency, at least annually] thereafter.
AT-2.1, AT-2.2, AT-2.3, AT-2.4, AT-2.5
Examine organizational records or documents to determine if access control policy and procedures: (i) exist; (ii) are documented; (iii) are disseminated to appropriate elements within the organization; (iv) are periodically reviewed by responsible parties within the organization; and (v) are updated, when organizational review indicates updates are required.
Examine the access control procedures to determine if the procedures are sufficient to address all areas identified in the access control policy and all associated access controls.
Examine the access control policy to determine if the policy adequately addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the access control policy and procedures control is implemented.
Examine the access control policy to determine if the policy is consistent with the organization's mission, functions, and associated laws, directives, policies, regulations, standards, and guidance.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the organization consistently applies the access control policy and procedures on an ongoing basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the access control policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.
Examine organizational records or documents to determine if user access to the information system is authorized.
Examine access control mechanisms to determine if the information system is configured to implement the organizational access control policy.
Examine the user access rights on the information system to determine if user privileges on the system are consistent with the documented user authorizations.
Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the access enforcement control is implemented.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the information system consistently enforces assigned authorizations for controlling access to the system on an ongoing basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the access enforcement control are documented and the resulting information used to actively improve the control on a continuous basis.
Examine organizational records or documents to determine if the organization explicitly defines security functions for the information system.
Examine organizational records or documents to determine if the organization properly authorizes personnel granted access to security functions and information in accordance with organizational policy.
Test selected accounts that have access to information system security functions to determine if the user privileges for those accounts function as documented in accordance with authorization requirements.
Examine information system interconnection agreements to determine if the agreements address: (i) the types of permissible and impermissible flow of information between systems; and (ii) the required level of authorization to allow information flow as defined in the information flow enforcement policy and procedures.
Examine information system configuration settings to determine if controls are in place to restrict the flow of information within the system and between interconnected systems in accordance with the applicable policy, procedures, and assigned authorizations.
Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the information flow enforcement control is implemented.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the information system consistently enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems on an ongoing basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the information flow enforcement control are documented and the resulting information used to actively improve the control on a continuous basis.
Examine organizational records or documents to determine if the organization assigns the most restrictive set of rights/privileges or accesses needed by users for the performance of specified tasks.
Examine organizational records or documents to determine what access rights/privileges the organization assigns to user tasks.
Examine selected user accounts on the information system to determine if the access rights/privileges correspond to the authorized permissions on access documentation for specified tasks.
Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the least privilege control is implemented.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the information system consistently enforces the most restrictive set of rights/privileges or accesses needed by users on an ongoing basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the least privilege control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with access control responsibilities to determine if the organization supervises and reviews the activities of users of the information system.
Examine organizational records or documents to determine if unusual activity is investigated, reported to appropriate officials, and resolved.
Examine organizational records of supervisory notices or disciplinary actions to users to determine if the organization is supervising user activities regarding the use and application of information system access controls.
Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the supervision and review of access control is implemented.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the organization consistently supervises and reviews user activities with respect to the enforcement and use of access controls for the information system on an ongoing basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the supervision and review of access control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the organization employs automated mechanisms within the information system to support and facilitate the review of user activities and how those mechanisms are implemented.
Examine the configuration of the automated mechanism(s) within the information system to determine if the mechanisms support the review of user activities.
Examine the output from the automated mechanism(s) within the information system to determine if each of the automated functions associated with the review of user activities produces accurate and informative information to support and facilitate the review of user activities with respect to access control enforcement and usage.
Examine organizational records or documents to determine if: (i) security awareness instruction is provided to all users; (ii) records include the type of instruction received and the date completed; and (iii) initial and refresher instruction is provided in accordance with organization-defined frequency, at least annually.
Examine security awareness instructional materials to determine if the materials address the specific requirements of the organization and the information systems to which personnel have authorized access.
Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the security awareness control is implemented.
Interview selected organizational personnel with security awareness and training responsibilities and examine organizational records or documents to determine if the organization consistently conducts security awareness
instruction on an ongoing basis.
Interview selected organizational personnel with security awareness and training responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the security awareness control are documented and the resulting information used to actively improve the control on a continuous basis.
Examine organizational records or documents and the information system configuration settings to determine if the system generates audit records for the organization-defined auditable events.
Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents (including developer design documentation) to determine if the information system prevents unauthorized and unintended information transfer via shared system resources and how the system prevents the transfer.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the organization consistently applies the access control policy and procedures on an ongoing basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the access control policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with security awareness and training responsibilities and examine organizational records or documents to determine if the organization consistently applies the access control policy and procedures on an ongoing basis.
Interview selected organizational personnel with security awareness and training responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the security awareness and training policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if the organization consistently applies the audit and accountability policy and procedures on an ongoing basis.
Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the audit and accountability policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with identification and authentication responsibilities and examine organizational records or documents to determine if the organization consistently applies the identification and authentication policy and procedures on an ongoing basis.
Interview selected organizational personnel with identification and authentication responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the identification and authentication policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with media protection responsibilities and examine organizational records or documents to determine if the organization consistently applies the media protection policy and procedures on an ongoing basis.
Interview selected organizational personnel with media protection responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the media protection policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with media protection responsibilities and examine organizational records or documents to determine if the organization consistently transports in a secure manner information system media on an ongoing basis.
Interview selected organizational personnel with media protection responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the media transport control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with security planning and plan implementation responsibilities and examine organizational records or documents to determine if the organization consistently reviews and updates the rules of behavior on an ongoing basis.
Interview selected organizational personnel with security planning and plan implementation responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the rules of behavior control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with security planning and plan implementation responsibilities and examine organizational records or documents to determine if the organization consistently conducts privacy impact assessments on the information system on an ongoing basis.
Interview selected organizational personnel with security planning and plan implementation responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the privacy impact assessment control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with risk assessment responsibilities and examine organizational records or documents to determine if the organization consistently conducts security categorizations of the information system on an ongoing basis.
Interview selected organizational personnel with risk assessment responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the security categorization control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with risk assessment responsibilities and examine organizational records or documents to determine if the organization consistently reviews and updates the risk assessment for the information system on an ongoing basis.
Interview selected organizational personnel with risk assessment responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the risk assessment update control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents to determine if the organization consistently applies the system and communications protection policy and procedures on an ongoing basis.
Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the system and communications protection policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents to determine if the organization consistently uses validated cryptography within the information system on an ongoing basis.
Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the use of validated cryptography control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents (including developer design documentation) to determine if the information system employs appropriate mechanisms to consistently prevent unauthorized and unintended transfer of information via shared system resources on an ongoing basis.
Interview selected organizational personnel with system and communications protection responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the information remnants control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with access control responsibilities and examine the configuration of the information system to determine if the organization uses encryption to protect the confidentiality of remote access sessions.
Interview selected organizational personnel with access control responsibilities and examine the configuration of the information system to determine if the organization controls remote access through a managed access control point.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the organization consistently supervises and reviews user activities with respect to the enforcement and use of access controls for the information system on an ongoing basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the supervision and review of access control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the organization employs automated mechanisms within the information system to support and facilitate the review of user activities and how those mechanisms are implemented.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the organization consistently employs remote access controls for the information system on an ongoing basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the remote access control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the information system consistently enforces assigned authorizations for controlling access to the system on an ongoing basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the access enforcement control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the information system consistently enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems on an ongoing basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the information flow enforcement control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the information system consistently enforces the most restrictive set of rights/privileges or accesses needed by users on an ongoing basis.
Interview selected organizational personnel with security awareness and training responsibilities and examine organizational records or documents to determine if the organization consistently conducts security awareness instruction on an ongoing basis.
Interview selected organizational personnel with security awareness and training responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the security awareness control are documented and the resulting information used to actively
improve the control on a continuous basis.
Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if the information system consistently generates audit records for auditable events on an ongoing basis.
Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the auditable events control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if the organization consistently conducts audit monitoring, analysis, and reporting on an ongoing basis.
Interview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the audit monitoring, analysis, and reporting control are documented and the resulting information used to actively improve the control on a continuous basis.
Interview selected organizational personnel with identification and authentication responsibilities and examine organizational records or documents to determine if the organization consistently manages authenticators for the information system on an ongoing basis.
Interview selected organizational personnel with identification and authentication responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the authenticator management control are documented and the resulting information used to actively improve the control on a continuous basis.
1. Establish a Baseline Assessment Plan for your Organization. The Full Assessment Plan can be used as the baseline for your Assessment Plans; or you may use either the Physical Transport plan or the Remote Access plan if only that plan applies to your organization's needs -- depending on the path indicated by the Checklist decision points -- and modify the baseline template to fit your agency's needs to ensure consistency throughout your agency when implemented. NOTE that for Step 4 of the checklist, you may need to add control families and associated assessment procedures to address specific technology pertaining to the system.
2. Develop Common Controls Assessment Plans. From your full baseline assessment plan, develop an Assessment Plan that addresses the Common Controls within your organization by extracting the rows for the controls that apply organization-wide. These are assessed once for the entire environment to which the common control applies. NOTE that large agencies may have Department-level common control policies and procedures, and each component may have supplemental policies and procedures that apply to their systems and practices; therefore, you may require a Department-level common controls assessment plan as well as component-specific common controls assessment plans.
4. Consolidate Assessment Procedures with Similar Characteristics. From the Assessment Plan, you can now extract the procedures and sort them by assessment method or search for key words to help group procedures. For example, this template has already provided you with tabs for Interview, Examine, and Test procedures. The Interview tab, easily imported into an MSWord document or left in MSExcel, could now be used as a structured interview questionnaire. NOTE that some procedures contain multiple assessment methods to execute the procedure (such as "Interview... and examine..."). When adding procedures be sure to watch for this.
5. Execute the Assessment Procedures and Document Results. The Template provides space for recording of summary information from execution of the assessment procedure, such as steps taken to perform the procedure, identify personnel interviewed, identify documents examined by title and date, briefly summarize the result and reference mitigation action necessary, and identify the assessor's name and date the procedure was assessed. NOTE that the full explanation of steps taken and results of the assessment will likely not fit in the capacity for the cell in the MSExcel spreadsheet. In these instances, simply include a reference to a supporting document (such as "See Interview #1, system X, dated 7/20/2006 for details. Corrective action is needed to improve procedures in this area--see system-level POA&M.")
-- Full Assessment Plan: Incorporates all NIST SP 800-53 controls and associated draft NIST SP 800-53a (spd 4/2006) assessment procedures for Moderate and High-impact systems required by the Security Controls and Assessment Procedures section of the Checklist attachment to M-06-16.
Examine organizational records or documents to determine if the risk assessment is updated in accordance with organization-defined frequency or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system.
Examine the risk assessment to determine if the report reflects the latest significant changes to the information system, the facilities where the system resides, or other conditions that may have impacted the security or accreditation status of the system.
Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the risk assessment update control is implemented.
Interview selected organizational personnel with risk assessment responsibilities and examine organizational records or documents to determine if the organization consistently reviews and updates the risk assessment for the information system on an ongoing basis.
Interview selected organizational personnel with risk assessment responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the risk assessment update control are documented and the resulting information used to actively improve the control on a continuous basis.
Examine the system security plan to determine if the security categorization of the information system: (i) exists; (ii) is consistent with FIPS 199; (iii) includes supporting rationale consistent with NIST Special Publication 800-60; and (iv) is reviewed and approved by designated senior-level officials within the organization.
Interview selected organizational personnel with risk assessment responsibilities to determine if the security categorization process is conducted as an organization-wide exercise with the involvement of senior-level officials including, but not limited to, authorizing officials, information system owners, chief information officer, senior agency information security officer, and information owners.
Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the security categorization control is implemented.
Interview selected organizational personnel with risk assessment responsibilities and examine organizational records or documents to determine if the organization consistently conducts security categorizations of the information system on an ongoing basis.
Interview selected organizational personnel with risk assessment responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the security categorization control are documented and the resulting information used to actively improve the control on a continuous basis.
Examine organizational records or documents to determine if the organization conducts a privacy impact assessment on the information system.
Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the privacy impact assessment control is implemented.
Interview selected organizational personnel with security planning and plan implementation responsibilities and examine organizational records or documents to determine if the organization consistently conducts privacy impact assessments on the information system on an ongoing basis.
Interview selected organizational personnel with security planning and plan implementation responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the privacy impact assessment control are documented and the resulting information used to actively improve the control on a continuous basis.
Examine the audit and accountability procedures to determine if the procedures are sufficient to address all areas identified in the audit and accountability policy and all associated audit and accountability controls.
Examine the security awareness and training procedures to determine if the procedures are sufficient to address all areas identified in the security awareness and training policy and all associated security awareness and training controls.
Examine organizational records or documents to determine if remote access is: (i) monitored on a periodic basis in accordance with organization policy; (ii) restricted through dial-up connections or protects against unauthorized connections or subversion of unauthorized connections; (iii) authorized and restricted to users with an operational need for access; and (iv) restricted to only allow
privileged access based on compelling operational needs.Examine organizational records or documents to determine if remote access activity is being recorded in logs and reviewed periodically in accordance with the organizational policy and procedures.Examine organizational records or documents to determine if remote access is documented and authorized by the appropriate organization officials.Examine the configuration of the information system to determine if controls are employed to restrict remote access to the system.Examine a system-generated list of user accounts with remote access and determine if the established procedures are followed to authorize remote access for the accounts.Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the remote access control is implemented.Test the remote access controls by attempting to gain remote access to the information system using a valid system account that does not have remote access permissions.Interview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if the organization consistently employs remote access controls for the information system on an ongoing basis.bInterview selected organizational personnel with access control responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the remote access control are documented and the resulting information used to actively improve the control on a continuous basis.Examine organizational records or documents to determine what automated mechanisms and functions are employed to support and facilitate the monitoring and control of remote access methods.Examine organizational records or documents to determine if the automated mechanisms supporting the monitoring and control of remote 
access are effectively employed in accordance with organizational policy and procedures.Test the automated mechanism(s) within the information system to determine if each of the functions associated with the monitoring and control of remote access produce accurate and informative information, in accordance with remote access monitoring policy and procedures.Interview selected organizational personnel with access control responsibilities and examine the configuration of the information system to determine if the organization uses encryption to protect the confidentiality of remote access sessions.Examine a remote access connection to the information system to determine if the connection requires the use of encryption and encryption is actually employed.Interview selected organizational personnel with access control responsibilities and examine the configuration of the information system to determine if the organization controls remote access through a managed access control point.Test remote access controls by attempting to connect remotely to the information system without connecting through the managed access control point to determine if remote access can be achieved without following organizational policy and procedures.%OMB M-06-16 Security Assessment Plan $For System: xxxxxxxxxxxxxxxxxxxxxxxxBFully Satisfied (FS), Partially Satisfied (PS), Not Satisfied (NS)hExamine organizational records or documents to determine if access control policy and procedures: (i) exist; (ii) are documented; (iii) are disseminated to appropriate elements within the organization; (iv) are periodically reviewed by responsible parties within the organization; and (v) are updated, when organizational review indicates updates are required.See above under Action Item 4.3STEP 4: Implement protections for remote access to personally identifiable information. 
If personally identifiable information is to be transported and/or stored offiste, follow Step 3; for remote access to personally identifiable information, follow Step 4. X OMB M-06-16FOMB M-06-16 Security Assessment Plan -- Tran<sport Interview ProceduresDOMB M-06-16 Security Assessment Plan -- Transport Examine ProceduresExisting organizational policy adequately addresses the information protection needs associated with personally identifiable information that is accessed remotely or physically removed.n/aInterview selected organizational personnel with audit and accountability responsibilities and examine organizational records or documents to determine if anomalies or problems encountered by the organization in the implementation of the audit and accountability policy and procedures control are documented and the resulting information used to actively improve the control on a continuous basis.yExamine organizational records or documents to determine if security awareness and training policy and procedures: (i) exist; (ii) are documented; (iii) are disseminated to appropriate elements within the organization; (iv) are periodically reviewed by responsible parties within the organization; and (v) are updated, when organizational review indicates updates are required.Examine the security awareness and training policy to determine if the policy adequately addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.Examine organizational records or documents to determine if the organization assigns responsibility to specific parties and defines specific actions to ensure that the security awareness and training policy and procedures control is implemented.Examine the security awareness and training policy to determine if the policy is consistent with the organization s mission, functions, and associated laws, directives, policies regulations, standards, and guidance.Interview selected 
organizational personnel with security awareness and training responsibilities and examine organizational records or documents to determine if the organization consistently applies the access control policy and procedures on an ongoing basis. ','b(x(_*u19rAd ~HpR]'g=q &yy|>|$}l}}^}v a )NjqQ6v8ȝNaßI }ݱc_ <kOa { " *w11'W6MV:(cc  JL  dMbP?_*+%&?M>Canon iP90 `߁ odLetter`BJDM ,VT$m,`Oj,`OjVT$m,v`Oj,v,v`OjXXDRAFTSample 1'dVT$mVT$m@ VT$m Canon iP90 `߁ odLetter!2(v"d??U} ۴a} $ aJ  @+@@@:@@@  r@ D@ @ @ o @ b c d d d d d d d f g gX g h >@7  (Tb p!}  dMbP?_*+% N[&R&P&?'?(?)q= ףp?M>Canon iP90 `߁ odLetter`BJDM ,VT$m,`Oj,`OjVT$m,v`Oj,v,v`OjXXDRAFTSample 1'dVT$mVT$m@ VT$m Canon iP90 `߁ odLetter#2y"2??U} I!} I!} m!!} I "} U;} I !}  !} m!} $ !                                              L M Nx Mz M M O+ N PL  QY   [/ }* [y ${ $ $ . %%% \~\  |       \~\  }     \~\ #~# #    \ v' r $ $ $ . %%% \ws        \ws        \ws        {^t ( ( ( 2 )))  [0 v( r $ $$ . %%% \ws        \ws        \ws       {^t (( ( 2 )))   2 y j $ $ $ .r ../ zk ( ( ( 2s 221  1 ]# [ $ $ $ . %%& x\      9  x\      8  x\      :  x\     ;  x\     <  |{ (( ( 2= ))* D l****rXTTnXXTT*dXXTT**rX*rXXXTT ! " # $ % &  ' ( ) * + , -  . / 0 1 2 3 4  5 6 7 8 9 : ;  < = > ?  } [ $ $ $ . %%& !~\ ! !  !  ! ! "~\ " "  "  " " #~\ # #  #  # # $~\ $ $ $  $ $ %~\ % % %  % % &{ &(&( &( &2Z &))* ' '] '[ '$ '$ '$ '.[ '%%% (x\ ( (  (  (\ ( )x\ ) )  )  ) ) *x\ * *  *  *] * +x\ + + +  +^ + ,x\ , , ,  ,_ , -|{ -(-( -( - -))* . .]! .[ .+ .$ .$ ..` .%,- /x\ / /  /  /a / 0x\ 0 0  0  0A 0 1x\ 1 1  1  1b 1 2x\ 2 2 2  2c 2 3x\ 3 3 3  3d 3 4|{ 4(4( 4( 42e 4))* 5 5} 5[ 5$ 5$ 5$ 5.f 5%%& 6~\ 6 6  6  6g 6 7~\ 7 7  7  7@ 7 8~\ 8 8  8  8h 8 9~\ 9 9 9  9i 9 :~\ : : :  :j : ;{ ;(;( ;( ;2k ;))* < <} <[ <$ <$ <$ <.l <%&& =~\ = =  =  =m = >~\ > >  >  >O > ?~\ ? ?  ?  ?n ? 
Column headings: Moderate-impact system; NIST SP 800-53A Assessment Identifier.

Worksheets: READ ME; Full Assessment Plan; Assmnt Pln-Phys Transport; Interview - Transport; Examine - Transport; Assmt Plan-Remote Access; Interview - Remote Access; Examine - Remote Access; Test - Remote Access.

Document properties: Administrator; Nancy DeFrancesco; Microsoft Excel.