Columns: FAMILY | NAME | TITLE | DECISION | EXAMINE | TEST | INTERVIEW

ACCESS CONTROL  AC-1  ACCESS CONTROL POLICY AND PROCEDURES
DECISION: Determine if the organization:
  AC-1(a)(1)
    AC-1(a)(1)[1] develops and documents an access control policy that addresses:
      AC-1(a)(1)[1][a] purpose;
      AC-1(a)(1)[1][b] scope;
      AC-1(a)(1)[1][c] roles;
      AC-1(a)(1)[1][d] responsibilities;
      AC-1(a)(1)[1][e] management commitment;
      AC-1(a)(1)[1][f] coordination among organizational entities;
      AC-1(a)(1)[1][g] compliance;
    AC-1(a)(1)[2] defines personnel or roles to whom the access control policy are to be disseminated;
    AC-1(a)(1)[3] disseminates the access control policy to organization-defined personnel or roles;
  AC-1(a)(2)
    AC-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;
    AC-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    AC-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  AC-1(b)(1)
    AC-1(b)(1)[1] defines the frequency to review and update the current access control policy;
    AC-1(b)(1)[2] reviews and updates the current access control policy with the organization-defined frequency;
  AC-1(b)(2)
    AC-1(b)(2)[1] defines the frequency to review and update the current access control procedures; and
    AC-1(b)(2)[2] reviews and updates the current access control procedures with the organization-defined frequency.
EXAMINE: Access control policy and procedures; other relevant documents or records
INTERVIEW: Organizational personnel with access control responsibilities; organizational personnel with information security responsibilities

ACCESS CONTROL  AC-2  ACCOUNT MANAGEMENT
DECISION: Determine if the organization:
  AC-2(a)
    AC-2(a)[1] defines information system account types to be identified and selected to support organizational missions/business functions;
    AC-2(a)[2] identifies and selects organization-defined information system account types to support organizational missions/business functions;
  AC-2(b) assigns account managers for information system accounts;
  AC-2(c) establishes conditions for group and role membership;
  AC-2(d) specifies for each account (as required):
    AC-2(d)[1] authorized users of the information system;
    AC-2(d)[2] group and role membership;
    AC-2(d)[3] access authorizations (i.e., privileges);
    AC-2(d)[4] other attributes;
  AC-2(e)
    AC-2(e)[1] defines personnel or roles required to approve requests to create information system accounts;
    AC-2(e)[2] requires approvals by organization-defined personnel or roles for requests to create information system accounts;
  AC-2(f)
    AC-2(f)[1] defines procedures or conditions to:
      AC-2(f)[1][a] create information system accounts;
      AC-2(f)[1][b] enable information system accounts;
      AC-2(f)[1][c] modify information system accounts;
      AC-2(f)[1][d] disable information system accounts;
      AC-2(f)[1][e] remove information system accounts;
    AC-2(f)[2] in accordance with organization-defined procedures or conditions:
      AC-2(f)[2][a] creates information system accounts;
      AC-2(f)[2][b] enables information system accounts;
      AC-2(f)[2][c] modifies information system accounts;
      AC-2(f)[2][d] disables information system accounts;
      AC-2(f)[2][e] removes information system accounts;
  AC-2(g) monitors the use of information system accounts;
  AC-2(h) notifies account managers:
    AC-2(h)(1) when accounts are no longer required;
    AC-2(h)(2) when users are terminated or transferred;
    AC-2(h)(3) when individual information system usage or need to know changes;
  AC-2(i) authorizes access to the information system based on:
    AC-2(i)(1) a valid access authorization;
    AC-2(i)(2) intended system usage;
    AC-2(i)(3) other attributes as required by the organization or associated missions/business functions;
  AC-2(j)
    AC-2(j)[1] defines the frequency to review accounts for compliance with account management requirements;
    AC-2(j)[2] reviews accounts for compliance with account management requirements with the organization-defined frequency; and
  AC-2(k) establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
EXAMINE: Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records
TEST: Organizational processes for account management on the information system; automated mechanisms for implementing account management
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL  AC-2(1)  AUTOMATED SYSTEM ACCOUNT MANAGEMENT
DECISION: Determine if the organization employs automated mechanisms to support the management of information system accounts.
EXAMINE: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing account management functions
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-2(2)  REMOVAL OF TEMPORARY/EMERGENCY ACCOUNTS
DECISION: Determine if:
  AC-2(2)[1] the organization defines the time period after which the information system automatically removes or disables temporary and emergency accounts; and
  AC-2(2)[2] the information system automatically removes or disables temporary and emergency accounts after the organization-defined time period for each type of account.
EXAMINE: Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of temporary accounts removed and/or disabled; information system-generated list of emergency accounts removed and/or disabled; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing account management functions
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-2(3)  DISABLE INACTIVE ACCOUNTS
DECISION: Determine if:
  AC-2(3)[1] the organization defines the time period after which the information system automatically disables inactive accounts; and
  AC-2(3)[2] the information system automatically disables inactive accounts after the organization-defined time period.
EXAMINE: Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of temporary accounts removed and/or disabled; information system-generated list of emergency accounts removed and/or disabled; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing account management functions
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-2(4)  AUTOMATED AUDIT ACTIONS
DECISION: Determine if:
  AC-2(4)[1] the information system automatically audits the following account actions:
    AC-2(4)[1][a] creation;
    AC-2(4)[1][b] modification;
    AC-2(4)[1][c] enabling;
    AC-2(4)[1][d] disabling;
    AC-2(4)[1][e] removal;
  AC-2(4)[2] the organization defines personnel or roles to be notified of the following account actions:
    AC-2(4)[2][a] creation;
    AC-2(4)[2][b] modification;
    AC-2(4)[2][c] enabling;
    AC-2(4)[2][d] disabling;
    AC-2(4)[2][e] removal;
  AC-2(4)[3] the information system notifies organization-defined personnel or roles of the following account actions:
    AC-2(4)[3][a] creation;
    AC-2(4)[3][b] modification;
    AC-2(4)[3][c] enabling;
    AC-2(4)[3][d] disabling; and
    AC-2(4)[3][e] removal.
EXAMINE: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; notifications/alerts of account creation, modification, enabling, disabling, and removal actions; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing account management functions
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL  AC-2(5)  INACTIVITY LOGOUT
DECISION: Determine if the organization:
  AC-2(5)[1] defines either the time period of expected inactivity that requires users to log out or the description of when users are required to log out; and
  AC-2(5)[2] requires that users log out when the organization-defined time period of inactivity is reached or in accordance with organization-defined description of when to log out.
EXAMINE: Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; security violation reports; information system audit records; other relevant documents or records
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; users that must comply with inactivity logout policy

ACCESS CONTROL  AC-2(6)  DYNAMIC PRIVILEGE MANAGEMENT
DECISION: Determine if:
  AC-2(6)[1] the organization defines a list of dynamic privilege management capabilities to be implemented by the information system; and
  AC-2(6)[2] the information system implements the organization-defined list of dynamic privilege management capabilities.
EXAMINE: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; system-generated list of dynamic privilege management capabilities; information system audit records; other relevant documents or records
TEST: Information system implementing dynamic privilege management capabilities
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-2(7)  ROLE-BASED SCHEMES
DECISION: Determine if the organization:
  AC-2(7)(a) establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
  AC-2(7)(b) monitors privileged role assignments;
  AC-2(7)(c)
    AC-2(7)(c)[1] defines actions to be taken when privileged role assignments are no longer appropriate; and
    AC-2(7)(c)[2] takes organization-defined actions when privileged role assignments are no longer appropriate.
EXAMINE: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system-generated list of privileged user accounts and associated role; records of actions taken when privileged role assignments are no longer appropriate; information system audit records; audit tracking and monitoring reports; information system monitoring records; other relevant documents or records
TEST: Automated mechanisms implementing account management functions; automated mechanisms monitoring privileged role assignments
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL  AC-2(8)  DYNAMIC ACCOUNT CREATION
DECISION: Determine if:
  AC-2(8)[1] the organization defines information system accounts to be created by the information system dynamically; and
  AC-2(8)[2] the information system creates organization-defined information system accounts dynamically.
EXAMINE: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; system-generated list of information system accounts; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing account management functions
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-2(9)  RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS
DECISION: Determine if the organization:
  AC-2(9)[1] defines conditions for establishing shared/group accounts; and
  AC-2(9)[2] only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts.
EXAMINE: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; system-generated list of shared/group accounts and associated role; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing management of shared/group accounts
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL  AC-2(10)  SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION
DECISION: Determine if the information system terminates shared/group account credentials when members leave the group.
EXAMINE: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; account access termination records; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing account management functions
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-2(11)  USAGE CONDITIONS
DECISION: Determine if:
  AC-2(11)[1] the organization defines circumstances and/or usage conditions to be enforced for information system accounts;
  AC-2(11)[2] the organization defines information system accounts for which organization-defined circumstances and/or usage conditions are to be enforced; and
  AC-2(11)[3] the information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
EXAMINE: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; system-generated list of information system accounts and associated assignments of usage circumstances and/or usage conditions; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing account management functions
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-2(12)  ACCOUNT MONITORING / ATYPICAL USAGE
DECISION: Determine if the organization:
  AC-2(12)(a)
    AC-2(12)(a)[1] defines atypical usage to be monitored for information system accounts;
    AC-2(12)(a)[2] monitors information system accounts for organization-defined atypical usage;
  AC-2(12)(b)
    AC-2(12)(b)[1] defines personnel or roles to whom atypical usage of information system accounts are to be reported; and
    AC-2(12)(b)[2] reports atypical usage of information system accounts to organization-defined personnel or roles.
EXAMINE: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system monitoring records; information system audit records; audit tracking and monitoring reports; other relevant documents or records
TEST: Automated mechanisms implementing account management functions
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL  AC-2(13)  DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS
DECISION: Determine if the organization:
  AC-2(13)[1] defines the time period within which accounts are disabled upon discovery of a significant risk posed by users of such accounts; and
  AC-2(13)[2] disables accounts of users posing a significant risk within the organization-defined time period of discovery of the risk.
EXAMINE: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; system-generated list of disabled accounts; list of user activities posing significant organizational risk; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing account management functions
INTERVIEW: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL  AC-3  ACCESS ENFORCEMENT
DECISION: Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
EXAMINE: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; list of approved authorizations (user privileges); information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing access control policy
INTERVIEW: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-3(1)  RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS
DECISION: [Withdrawn: Incorporated into AC-6].

ACCESS CONTROL  AC-3(2)  DUAL AUTHORIZATION
DECISION: Determine if:
  AC-3(2)[1] the organization defines privileged commands and/or other actions for which dual authorization is to be enforced; and
  AC-3(2)[2] the information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions.
EXAMINE: Access control policy; procedures addressing access enforcement and dual authorization; security plan; information system design documentation; information system configuration settings and associated documentation; list of privileged commands requiring dual authorization; list of actions requiring dual authorization; list of approved authorizations (user privileges); other relevant documents or records
TEST: Dual authorization mechanisms implementing access control policy
INTERVIEW: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-3(3)  MANDATORY ACCESS CONTROL
DECISION: Determine if:
  AC-3(3)[1] the organization defines mandatory access control policies to be enforced over all subjects and objects;
  AC-3(3)[2] the organization defines subjects over which organization-defined mandatory access control policies are to be enforced;
  AC-3(3)[3] the organization defines objects over which organization-defined mandatory access control policies are to be enforced;
  AC-3(3)[4] the organization defines subjects that may explicitly be granted privileges such that they are not limited by the constraints specified elsewhere within this control;
  AC-3(3)[5] the organization defines privileges that may be granted to organization-defined subjects;
  AC-3(3)[6] the information system enforces organization-defined mandatory access control policies over all subjects and objects where the policy specifies that:
    AC-3(3)[6](a) the policy is uniformly enforced across all subjects and objects within the boundary of the information system;
    AC-3(3)[6](b) a subject that has been granted access to information is constrained from doing any of the following:
      AC-3(3)[6](b)(1) passing the information to unauthorized subjects or objects;
      AC-3(3)[6](b)(2) granting its privileges to other subjects;
      AC-3(3)[6](b)(3) changing one or more security attributes on:
        AC-3(3)[6](b)(3)[a] subjects;
        AC-3(3)[6](b)(3)[b] objects;
        AC-3(3)[6](b)(3)[c] the information system; or
        AC-3(3)[6](b)(3)[d] system components;
      AC-3(3)[6](b)(4) choosing the security attributes and attribute values to be associated with newly created or modified objects; or
      AC-3(3)[6](b)(5) changing the rules governing access control; and
    AC-3(3)[6](c) organization-defined subjects may explicitly be granted organization-defined privileges such that they are not limited by some or all of the above constraints.
EXAMINE: Access control policy; mandatory access control policies; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing mandatory access control
INTERVIEW: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-3(4)  DISCRETIONARY ACCESS CONTROL
DECISION: Determine if:
  AC-3(4)[1] the organization defines discretionary access control policies to be enforced over defined subjects and objects;
  AC-3(4)[2] the information system enforces organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject has been granted access to information and can do one or more of the following:
    AC-3(4)[2](a) pass the information to any other subjects or objects;
    AC-3(4)[2](b) grant its privileges to other subjects;
    AC-3(4)[2](c) change security attributes on:
      AC-3(4)[2](c)[a] subjects,
      AC-3(4)[2](c)[b] objects,
      AC-3(4)[2](c)[c] the information system, or
      AC-3(4)[2](c)[d] the information system's components;
    AC-3(4)[2](d) choose the security attributes to be associated with newly created or revised objects; or
    AC-3(4)[2](e) change the rules governing access control.
EXAMINE: Access control policy; discretionary access control policies; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing discretionary access control policy
INTERVIEW: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-3(5)  SECURITY-RELEVANT INFORMATION
DECISION: Determine if:
  AC-3(5)[1] the organization defines security-relevant information to which the information system prevents access except during secure, non-operable system states; and
  AC-3(5)[2] the information system prevents access to organization-defined security-relevant information except during secure, non-operable system states.
EXAMINE: Access control policy; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms preventing access to security-relevant information within the information system
INTERVIEW: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-3(6)  PROTECTION OF USER AND SYSTEM INFORMATION
DECISION: [Withdrawn: Incorporated into MP-4 and SC-28].

ACCESS CONTROL  AC-3(7)  ROLE-BASED ACCESS CONTROL
DECISION: Determine if:
  AC-3(7)[1] the organization defines roles to control information system access;
  AC-3(7)[2] the organization defines users authorized to assume the organization-defined roles;
  AC-3(7)[3] the information system controls access based on organization-defined roles and users authorized to assume such roles;
  AC-3(7)[4] the information system enforces a role-based access control policy over defined:
    AC-3(7)[4][a] subjects, and
    AC-3(7)[4][b] objects.
EXAMINE: Access control policy; role-based access control policies; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; list of roles, users, and associated privileges required to control information system access; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing role-based access control policy
INTERVIEW: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-3(8)  REVOCATION OF ACCESS AUTHORIZATIONS
DECISION: Determine if:
  AC-3(8)[1] the organization defines rules governing the timing of revocations of access authorizations; and
  AC-3(8)[2] the information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on organization-defined rules governing the timing of revocations of access authorizations.
EXAMINE: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; rules governing revocation of access authorizations; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing access enforcement functions
INTERVIEW: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-3(9)  CONTROLLED RELEASE
DECISION: Determine if:
  AC-3(9)[1] the organization defines the information system or system component authorized to receive information released outside of the established system boundary of the information system releasing such information;
  AC-3(9)[2] the organization defines security safeguards to be provided by organization-defined information system or system component receiving information released from an information system outside of the established system boundary;
  AC-3(9)[3] the organization defines security safeguards to be used to validate the appropriateness of the information designated for release;
  AC-3(9)[4] the information system does not release information outside of the established system boundary unless:
    AC-3(9)[4](a) the receiving organization-defined information system or system component provides organization-defined security safeguards; and
    AC-3(9)[4](b) the organization-defined security safeguards are used to validate the appropriateness of the information designated for release.
EXAMINE: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; list of security safeguards provided by receiving information system or system components; list of security safeguards validating appropriateness of information designated for release; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing access enforcement functions
INTERVIEW: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-3(10)  AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS
DECISION: Determine if the organization:
  AC-3(10)[1] defines conditions under which to employ an audited override of automated access control mechanisms; and
  AC-3(10)[2] employs an audited override of automated access control mechanisms under organization-defined conditions.
EXAMINE: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; conditions for employing audited override of automated access control mechanisms; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing access enforcement functions
INTERVIEW: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL  AC-4  INFORMATION FLOW ENFORCEMENT
DECISION: Determine if:
  AC-4[1] the organization defines information flow control policies to control the flow of information within the system and between interconnected systems; and
  AC-4[2] the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.
EXAMINE: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system baseline configuration; list of information flow authorizations; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing information flow enforcement policy
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-4(1)  OBJECT SECURITY ATTRIBUTES
DECISION: Determine if:
  AC-4(1)[1] the organization defines information flow control policies as a basis for flow control decisions;
  AC-4(1)[2] the organization defines security attributes to be associated with information, source, and destination objects;
  AC-4(1)[3] the organization defines the following objects to be associated with organization-defined security attributes:
    AC-4(1)[3][a] information;
    AC-4(1)[3][b] source;
    AC-4(1)[3][c] destination; and
  AC-4(1)[4] the information system uses organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.
EXAMINE: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security attributes and associated information, source, and destination objects enforcing information flow control policies; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing information flow enforcement policy
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-4(2)  PROCESSING DOMAINS
DECISION: Determine if:
  AC-4(2)[1] the organization defines information flow control policies as a basis for flow control decisions; and
  AC-4(2)[2] the information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions.
EXAMINE: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system security architecture and associated documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing information flow enforcement policy
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL  AC-4(3)  DYNAMIC INFORMATION FLOW CONTROL
DECISION: Determine if:
  AC-4(3)[1] the organization defines policies to enforce dynamic information flow control; and
  AC-4(3)[2] the information system enforces dynamic information flow control based on organization-defined policies.
EXAMINE: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system security architecture and associated documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing information flow enforcement policy
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-4(4)  CONTENT CHECK ENCRYPTED INFORMATION
DECISION: Determine if:
  AC-4(4)[1] the organization defines a procedure or method to be employed to prevent encrypted information from bypassing content-checking mechanisms;
  AC-4(4)[2] the information system prevents encrypted information from bypassing content-checking mechanisms by doing one or more of the following:
    AC-4(4)[2][a] decrypting the information;
    AC-4(4)[2][b] blocking the flow of the encrypted information;
    AC-4(4)[2][c] terminating communications sessions attempting to pass encrypted information; and/or
    AC-4(4)[2][d] employing the organization-defined procedure or method.
EXAMINE: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing information flow enforcement policy
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL  AC-4(5)  EMBEDDED DATA TYPES
DECISION: Determine if:
  AC-4(5)[1] the organization defines limitations to be enforced on embedding data types within other data types; and
  AC-4(5)[2] the information system enforces organization-defined limitations on embedding data types within other data types.
EXAMINE: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of limitations to be enforced on embedding data types within other data types; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing information flow enforcement policy
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developers
ACCESS CONTROL AC-4(6) METADATA "Determine if:" Access control policy;information flow control policies;procedures addressing information flow enforcement;information system design documentation;information system configuration settings and associated documentation;types of metadata used to enforce information flow control decisions;information system audit records;other relevant documents or records Automated mechanisms implementing information flow enforcement policy System/network administrators;organizational personnel with information security responsibilities;system developers AC-4(6)[1] "the organization defines metadata to be used as a means of enforcing information flow control; and" AC-4(6)[2] "the information system enforces information flow control based on organization-defined metadata." ACCESS CONTROL AC-4(7) ONE-WAY FLOW MECHANISMS "Determine if:" Access control policy;information flow control policies;procedures addressing information flow enforcement;information system design documentation;information system configuration settings and associated documentation;information system hardware mechanisms and associated configurations;information system audit records;other relevant documents or records Hardware mechanisms implementing information flow enforcement policy System/network administrators;organizational personnel with information security responsibilities;system developers AC-4(7)[1] "the organization defines one-way information flows to be enforced by the information system; and" AC-4(7)[2] "the information system enforces organization-defined one-way information flows using hardware mechanisms." 
ACCESS CONTROL AC-4(8) SECURITY POLICY FILTERS "Determine if:" Access control policy;information flow control policies;procedures addressing information flow enforcement;information system design documentation;information system configuration settings and associated documentation;list of security policy filters regulating flow control decisions;information system audit records;other relevant documents or records Automated mechanisms implementing information flow enforcement policy System/network administrators;organizational personnel with information security responsibilities;system developers AC-4(8)[1] "the organization defines security policy filters to be used as a basis for enforcing flow control decisions;" AC-4(8)[2] "the organization defines information flows for which flow control decisions are to be applied and enforced; and" AC-4(8)[3] "the information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows." 
ACCESS CONTROL AC-4(9) HUMAN REVIEWS
Determine if:
  AC-4(9)[1] the organization defines information flows requiring the use of human reviews;
  AC-4(9)[2] the organization defines conditions under which the use of human reviews for organization-defined information flows is to be enforced; and
  AC-4(9)[3] the information system enforces the use of human reviews for organization-defined information flows under organization-defined conditions.
Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; records of human reviews regarding information flows; list of conditions requiring human reviews for information flows; information system audit records; other relevant documents or records
Test: Automated mechanisms enforcing the use of human reviews
Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with information flow enforcement responsibilities; system developers

ACCESS CONTROL AC-4(10) ENABLE / DISABLE SECURITY POLICY FILTERS
Determine if:
  AC-4(10)[1] the organization defines security policy filters that privileged administrators have the capability to enable/disable;
  AC-4(10)[2] the organization defines conditions under which privileged administrators have the capability to enable/disable organization-defined security policy filters; and
  AC-4(10)[3] the information system provides the capability for privileged administrators to enable/disable organization-defined security policy filters under organization-defined conditions.
Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filters enabled/disabled by privileged administrators; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement policy
Interview: Organizational personnel with responsibilities for enabling/disabling security policy filters; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL AC-4(11) CONFIGURATION OF SECURITY POLICY FILTERS
Determine if:
  AC-4(11)[1] the organization defines security policy filters that privileged administrators have the capability to configure to support different security policies; and
  AC-4(11)[2] the information system provides the capability for privileged administrators to configure organization-defined security policy filters to support different security policies.
Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filters; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement policy
Interview: Organizational personnel with responsibilities for configuring security policy filters; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL AC-4(12) DATA TYPE IDENTIFIERS
Determine if:
  AC-4(12)[1] the organization defines data type identifiers to be used, when transferring information between different security domains, to validate data essential for information flow decisions; and
  AC-4(12)[2] the information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions.
Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of data type identifiers; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement policy
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL AC-4(13) DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS
Determine if:
  AC-4(13)[1] the organization defines policy-relevant subcomponents to decompose information for submission to policy enforcement mechanisms when transferring such information between different security domains; and
  AC-4(13)[2] the information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms.
Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement policy
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL AC-4(14) SECURITY POLICY FILTER CONSTRAINTS
Determine if:
  AC-4(14)[1] the organization defines security policy filters to be implemented that require fully enumerated formats restricting data structure and content when transferring information between different security domains; and
  AC-4(14)[2] the information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.
Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filters; list of data content policy filters; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement policy
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL AC-4(15) DETECTION OF UNSANCTIONED INFORMATION
Determine if:
  AC-4(15)[1] the organization defines unsanctioned information to be detected when transferring information between different security domains;
  AC-4(15)[2] the organization defines the security policy that requires the transfer of organization-defined unsanctioned information between different security domains to be prohibited when the presence of such information is detected; and
  AC-4(15)[3] the information system, when transferring information between different security domains, examines the information for the presence of organization-defined unsanctioned information and prohibits the transfer of such information in accordance with the organization-defined security policy.
Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of unsanctioned information types and associated information; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement policy
Interview: Organizational personnel with information security responsibilities; system developers

ACCESS CONTROL AC-4(16) INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS
[Withdrawn: Incorporated into AC-4].

ACCESS CONTROL AC-4(17) DOMAIN AUTHENTICATION
Determine if the information system uniquely identifies and authenticates:
  AC-4(17)[1]
    AC-4(17)[1][a] source points for information transfer;
    AC-4(17)[1][b] destination points for information transfer;
  AC-4(17)[2] by one or more of the following:
    AC-4(17)[2][a] organization;
    AC-4(17)[2][b] system;
    AC-4(17)[2][c] application; and/or
    AC-4(17)[2][d] individual.
Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; procedures addressing source and destination domain identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement policy
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL AC-4(18) SECURITY ATTRIBUTE BINDING
Determine if:
  AC-4(18)[1] the organization defines binding techniques to be used to facilitate information flow policy enforcement; and
  AC-4(18)[2] the information system binds security attributes to information using organization-defined binding techniques to facilitate information flow policy enforcement.
Examine: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of binding techniques to bind security attributes to information; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement functions
Interview: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers
ACCESS CONTROL AC-4(19) VALIDATION OF METADATA
Determine if the information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.
Examine: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filtering criteria applied to metadata and data payloads; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement functions
Interview: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL AC-4(20) APPROVED SOLUTIONS
Determine if the organization:
  AC-4(20)[1] defines solutions in approved configurations to control the flow of information across security domains;
  AC-4(20)[2] defines information for which organization-defined solutions in approved configurations are to be employed to control the flow of such information across security domains; and
  AC-4(20)[3] employs organization-defined solutions in approved configurations to control the flow of organization-defined information across security domains.
Examine: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of solutions in approved configurations; approved configuration baselines; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement functions
Interview: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL AC-4(21) PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS
Determine if:
  AC-4(21)[1] the organization defines the required separations of information flows by types of information;
  AC-4(21)[2] the organization defines the mechanisms and/or techniques to be used to separate information flows logically or physically; and
  AC-4(21)[3] the information system separates information flows logically or physically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations by types of information.
Examine: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of required separation of information flows by information types; list of mechanisms and/or techniques used to logically or physically separate information flows; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement functions
Interview: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL AC-4(22) ACCESS ONLY
Determine if the information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.
Examine: Information flow enforcement policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing information flow enforcement functions
Interview: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL AC-5 SEPARATION OF DUTIES
Determine if the organization:
  AC-5(a)
    AC-5(a)[1] defines duties of individuals to be separated;
    AC-5(a)[2] separates organization-defined duties of individuals;
  AC-5(b) documents separation of duties; and
  AC-5(c) defines information system access authorizations to support separation of duties.
Examine: Access control policy; procedures addressing divisions of responsibility and separation of duties; information system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; information system access authorizations; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing separation of duties policy
Interview: Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties; organizational personnel with information security responsibilities; system/network administrators

ACCESS CONTROL AC-6 LEAST PRIVILEGE
Determine if the organization employs the principle of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Examine: Access control policy; procedures addressing least privilege; list of assigned access authorizations (user privileges); information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing least privilege functions
Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators

ACCESS CONTROL AC-6(1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS
Determine if the organization:
  AC-6(1)[1] defines security-relevant information for which access must be explicitly authorized;
  AC-6(1)[2] defines security functions deployed in:
    AC-6(1)[2][a] hardware;
    AC-6(1)[2][b] software;
    AC-6(1)[2][c] firmware;
  AC-6(1)[3] explicitly authorizes access to:
    AC-6(1)[3][a] organization-defined security functions; and
    AC-6(1)[3][b] security-relevant information.
Examine: Access control policy; procedures addressing least privilege; list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing least privilege functions
Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators
ACCESS CONTROL AC-6(2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS
Determine if the organization:
  AC-6(2)[1] defines security functions or security-relevant information to which users of information system accounts, or roles, have access; and
  AC-6(2)[2] requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.
Examine: Access control policy; procedures addressing least privilege; list of system-generated security functions or security-relevant information assigned to information system accounts or roles; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing least privilege functions
Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators

ACCESS CONTROL AC-6(3) NETWORK ACCESS TO PRIVILEGED COMMANDS
Determine if the organization:
  AC-6(3)[1] defines privileged commands to which network access is to be authorized only for compelling operational needs;
  AC-6(3)[2] defines compelling operational needs for which network access to organization-defined privileged commands is to be solely authorized;
  AC-6(3)[3] authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs; and
  AC-6(3)[4] documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system.
Examine: Access control policy; procedures addressing least privilege; security plan; information system configuration settings and associated documentation; information system audit records; list of operational needs for authorizing network access to privileged commands; other relevant documents or records
Test: Automated mechanisms implementing least privilege functions
Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities

ACCESS CONTROL AC-6(4) SEPARATE PROCESSING DOMAINS
Determine if the information system provides separate processing domains to enable finer-grained allocation of user privileges.
Examine: Access control policy; procedures addressing least privilege; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing least privilege functions
Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL AC-6(5) PRIVILEGED ACCOUNTS
Determine if the organization:
  AC-6(5)[1] defines personnel or roles for which privileged accounts on the information system are to be restricted; and
  AC-6(5)[2] restricts privileged accounts on the information system to organization-defined personnel or roles.
Examine: Access control policy; procedures addressing least privilege; list of system-generated privileged accounts; list of system administration personnel; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing least privilege functions
Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators

ACCESS CONTROL AC-6(6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS
Determine if the organization prohibits privileged access to the information system by non-organizational users.
Examine: Access control policy; procedures addressing least privilege; list of system-generated privileged accounts; list of non-organizational users; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms prohibiting privileged access to the information system
Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators

ACCESS CONTROL AC-6(7) REVIEW OF USER PRIVILEGES
Determine if the organization:
  AC-6(7)(a)
    AC-6(7)(a)[1] defines roles or classes of users to which privileges are assigned;
    AC-6(7)(a)[2] defines the frequency to review the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges;
    AC-6(7)(a)[3] reviews the privileges assigned to organization-defined roles or classes of users with the organization-defined frequency to validate the need for such privileges; and
  AC-6(7)(b) reassigns or removes privileges, if necessary, to correctly reflect organizational missions/business needs.
Examine: Access control policy; procedures addressing least privilege; list of system-generated roles or classes of users and assigned privileges; information system design documentation; information system configuration settings and associated documentation; validation reviews of privileges assigned to roles or classes of users; records of privilege removals or reassignments for roles or classes of users; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing review of user privileges
Interview: Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators

ACCESS CONTROL AC-6(8) PRIVILEGE LEVELS FOR CODE EXECUTION
Determine if:
  AC-6(8)[1] the organization defines software that should not execute at higher privilege levels than users executing the software; and
  AC-6(8)[2] the information system prevents organization-defined software from executing at higher privilege levels than users executing the software.
Examine: Access control policy; procedures addressing least privilege; list of software that should not execute at higher privilege levels than users executing software; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing least privilege functions for software execution
Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators; system developers

ACCESS CONTROL AC-6(9) AUDITING USE OF PRIVILEGED FUNCTIONS
Determine if the information system audits the execution of privileged functions.
Examine: Access control policy; procedures addressing least privilege; information system design documentation; information system configuration settings and associated documentation; list of privileged functions to be audited; list of audited events; information system audit records; other relevant documents or records
Test: Automated mechanisms auditing the execution of least privilege functions
Interview: Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators; system developers

ACCESS CONTROL AC-6(10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS
Determine if the information system prevents non-privileged users from executing privileged functions to include:
  AC-6(10)[1] disabling implemented security safeguards/countermeasures;
  AC-6(10)[2] circumventing security safeguards/countermeasures; or
  AC-6(10)[3] altering implemented security safeguards/countermeasures.
Examine: Access control policy; procedures addressing least privilege; information system design documentation; information system configuration settings and associated documentation; list of privileged functions and associated user account assignments; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing least privilege functions for non-privileged users
Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system developers
ACCESS CONTROL | AC-7 | UNSUCCESSFUL LOGIN ATTEMPTS
Decision: Determine if:
  AC-7(a)[1] the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;
  AC-7(a)[2] the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;
  AC-7(a)[3] the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;
  AC-7(b)[1] the organization defines account/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;
  AC-7(b)[2] the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:
    AC-7(b)[2][a] locks the account/node for the organization-defined time period;
    AC-7(b)[2][b] locks the account/node until released by an administrator; or
    AC-7(b)[2][c] delays next logon prompt according to the organization-defined delay algorithm.
Examine: Access control policy; procedures addressing unsuccessful logon attempts; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing access control policy for unsuccessful logon attempts
Interview: Organizational personnel with information security responsibilities; system developers; system/network administrators

ACCESS CONTROL | AC-7(1) | AUTOMATIC ACCOUNT LOCK
Decision: [Withdrawn: Incorporated into AC-7].
ACCESS CONTROL | AC-7(2) | PURGE / WIPE MOBILE DEVICE
Decision: Determine if:
  AC-7(2)[1] the organization defines mobile devices to be purged/wiped after organization-defined number of consecutive, unsuccessful device logon attempts;
  AC-7(2)[2] the organization defines purging/wiping requirements/techniques to be used when organization-defined mobile devices are purged/wiped after organization-defined number of consecutive, unsuccessful device logon attempts;
  AC-7(2)[3] the organization defines the number of consecutive, unsuccessful logon attempts allowed for accessing mobile devices before the information system purges/wipes information from such devices; and
  AC-7(2)[4] the information system purges/wipes information from organization-defined mobile devices based on organization-defined purging/wiping requirements/techniques after organization-defined number of consecutive, unsuccessful logon attempts.
Examine: Access control policy; procedures addressing unsuccessful login attempts on mobile devices; information system design documentation; information system configuration settings and associated documentation; list of mobile devices to be purged/wiped after organization-defined consecutive, unsuccessful device logon attempts; list of purging/wiping requirements or techniques for mobile devices; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing access control policy for unsuccessful device logon attempts
Interview: System/network administrators; organizational personnel with information security responsibilities
ACCESS CONTROL | AC-8 | SYSTEM USE NOTIFICATION
Decision: Determine if:
  AC-8(a)[1] the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;
  AC-8(a)[2] the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:
    AC-8(a)[2](1) users are accessing a U.S. Government information system;
    AC-8(a)[2](2) information system usage may be monitored, recorded, and subject to audit;
    AC-8(a)[2](3) unauthorized use of the information system is prohibited and subject to criminal and civil penalties;
    AC-8(a)[2](4) use of the information system indicates consent to monitoring and recording;
  AC-8(b) the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;
  AC-8(c) for publicly accessible systems:
    AC-8(c)(1)[1] the organization defines conditions for system use to be displayed by the information system before granting further access;
    AC-8(c)(1)[2] the information system displays organization-defined conditions before granting further access;
    AC-8(c)(2) the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
    AC-8(c)(3) the information system includes a description of the authorized uses of the system.
Examine: Access control policy; privacy and security policies, procedures addressing system use notification; documented approval of information system use notification messages or banners; information system audit records; user acknowledgements of notification message or banner; information system design documentation; information system configuration settings and associated documentation; information system use notification messages; other relevant documents or records
Test: Automated mechanisms implementing system use notification
Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibility for providing legal advice; system developers

ACCESS CONTROL | AC-9 | PREVIOUS LOGON (ACCESS) NOTIFICATION
Decision: Determine if the information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system notification messages; other relevant documents or records
Test: Automated mechanisms implementing access control policy for previous logon notification
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-9(1) | UNSUCCESSFUL LOGONS
Decision: Determine if the information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing access control policy for previous logon notification
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-9(2) | SUCCESSFUL / UNSUCCESSFUL LOGONS
Decision: Determine if:
  AC-9(2)[1] the organization defines the time period within which the information system must notify the user of the number of:
    AC-9(2)[1][a] successful logons/accesses; and/or
    AC-9(2)[1][b] unsuccessful logon/access attempts;
  AC-9(2)[2] the information system, during the organization-defined time period, notifies the user of the number of:
    AC-9(2)[2][a] successful logons/accesses; and/or
    AC-9(2)[2][b] unsuccessful logon/access attempts.
Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing access control policy for previous logon notification
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-9(3) | NOTIFICATION OF ACCOUNT CHANGES
Decision: Determine if:
  AC-9(3)[1] the organization defines security-related characteristics/parameters of a user's account;
  AC-9(3)[2] the organization defines the time period within which changes to organization-defined security-related characteristics/parameters of a user's account must occur; and
  AC-9(3)[3] the information system notifies the user of changes to organization-defined security-related characteristics/parameters of the user's account during the organization-defined time period.
Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing access control policy for previous logon notification
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-9(4) | ADDITIONAL LOGON INFORMATION
Decision: Determine if:
  AC-9(4)[1] the organization defines information to be included in addition to the date and time of the last logon (access); and
  AC-9(4)[2] the information system notifies the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access).
Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing access control policy for previous logon notification
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers
ACCESS CONTROL | AC-10 | CONCURRENT SESSION CONTROL
Decision: Determine if:
  AC-10[1] the organization defines account and/or account types for the information system;
  AC-10[2] the organization defines the number of concurrent sessions to be allowed for each organization-defined account and/or account type; and
  AC-10[3] the information system limits the number of concurrent sessions for each organization-defined account and/or account type to the organization-defined number of concurrent sessions allowed.
Examine: Access control policy; procedures addressing concurrent session control; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records
Test: Automated mechanisms implementing access control policy for concurrent session control
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-11 | SESSION LOCK
Decision: Determine if:
  AC-11(a)[1] the organization defines the time period of user inactivity after which the information system initiates a session lock;
  AC-11(a)[2] the information system prevents further access to the system by initiating a session lock after organization-defined time period of user inactivity or upon receiving a request from a user; and
  AC-11(b) the information system retains the session lock until the user reestablishes access using established identification and authentication procedures.
Examine: Access control policy; procedures addressing session lock; procedures addressing identification and authentication; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records
Test: Automated mechanisms implementing access control policy for session lock
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers
ACCESS CONTROL | AC-11(1) | PATTERN-HIDING DISPLAYS
Decision: Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
Examine: Access control policy; procedures addressing session lock; display screen with session lock activated; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records
Test: Information system session lock mechanisms
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-12 | SESSION TERMINATION
Decision: Determine if:
  AC-12[1] the organization defines conditions or trigger events requiring session disconnect; and
  AC-12[2] the information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect occur.
Examine: Access control policy; procedures addressing session termination; information system design documentation; information system configuration settings and associated documentation; list of conditions or trigger events requiring session disconnect; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing user session termination
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers
ACCESS CONTROL | AC-12(1) | USER-INITIATED LOGOUTS/MESSAGE DISPLAYS
Decision: Determine if:
  AC-12(1)(a)[1] the organization defines information resources for which user authentication is required to gain access to such resources;
  AC-12(1)(a)[2] the information system provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources; and
  AC-12(1)(b) the information system displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
Examine: Access control policy; procedures addressing session termination; user logout messages; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Information system session lock mechanisms
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-13 | SUPERVISION AND REVIEW – ACCESS CONTROL
Decision: [Withdrawn: Incorporated into AC-2 and AU-6].
ACCESS CONTROL | AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
Decision: Determine if the organization:
  AC-14(a)[1] defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions;
  AC-14(a)[2] identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
  AC-14(b) documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
Examine: Access control policy; procedures addressing permitted actions without identification or authentication; information system configuration settings and associated documentation; security plan; list of user actions that can be performed without identification or authentication; information system audit records; other relevant documents or records
Interview: System/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL | AC-14(1) | NECESSARY USES
Decision: [Withdrawn: Incorporated into AC-14].

ACCESS CONTROL | AC-15 | AUTOMATED MARKING
Decision: [Withdrawn: Incorporated into MP-3].
ACCESS CONTROL | AC-16 | SECURITY ATTRIBUTES
Decision: Determine if the organization:
  AC-16(a)[1] defines types of security attributes to be associated with information:
    AC-16(a)[1][a] in storage;
    AC-16(a)[1][b] in process; and/or
    AC-16(a)[1][c] in transmission;
  AC-16(a)[2] defines security attribute values for organization-defined types of security attributes;
  AC-16(a)[3] provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information:
    AC-16(a)[3][a] in storage;
    AC-16(a)[3][b] in process; and/or
    AC-16(a)[3][c] in transmission;
  AC-16(b) ensures that the security attribute associations are made and retained with the information;
  AC-16(c)[1] defines information systems for which the permitted organization-defined security attributes are to be established;
  AC-16(c)[2] defines security attributes that are permitted for organization-defined information systems;
  AC-16(c)[3] establishes the permitted organization-defined security attributes for organization-defined information systems;
  AC-16(d)[1] defines values or ranges for each of the established security attributes; and
  AC-16(d)[2] determines the permitted organization-defined values or ranges for each of the established security attributes.
Examine: Access control policy; procedures addressing the association of security attributes to information in storage, in process, and in transmission; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Organizational capability supporting and maintaining the association of security attributes to information in storage, in process, and in transmission
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers
ACCESS CONTROL | AC-16(1) | DYNAMIC ATTRIBUTE ASSOCIATION
Decision: Determine if:
  AC-16(1)[1] the organization defines subjects and objects to which security attributes are to be dynamically associated as information is created and combined;
  AC-16(1)[2] the organization defines security policies requiring the information system to dynamically associate security attributes with organization-defined subjects and objects; and
  AC-16(1)[3] the information system dynamically associates security attributes with organization-defined subjects and objects in accordance with organization-defined security policies as information is created and combined.
Examine: Access control policy; procedures addressing dynamic association of security attributes to information; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing dynamic association of security attributes to information
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-16(2) | ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS
Decision: Determine if the information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
Examine: Access control policy; procedures addressing the change of security attribute values; information system design documentation; information system configuration settings and associated documentation; list of individuals authorized to change security attributes; information system audit records; other relevant documents or records
Test: Automated mechanisms permitting changes to values of security attributes
Interview: Organizational personnel with responsibilities for changing values of security attributes; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-16(3) | MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM
Decision: Determine if:
  AC-16(3)[1] the organization defines security attributes to be associated with organization-defined subjects and objects;
  AC-16(3)[2] the organization defines subjects and objects requiring the association and integrity of security attributes to such subjects and objects to be maintained; and
  AC-16(3)[3] the information system maintains the association and integrity of organization-defined security attributes to organization-defined subjects and objects.
Examine: Access control policy; procedures addressing the association of security attributes to information; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records
Test: Automated mechanisms maintaining association and integrity of security attributes to information
Interview: Organizational personnel with information security responsibilities; system developers
ACCESS CONTROL | AC-16(4) | ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS
Decision: Determine if:
  AC-16(4)[1] the organization defines security attributes to be associated with subjects and objects by authorized individuals (or processes acting on behalf of individuals);
  AC-16(4)[2] the organization defines subjects and objects requiring the association of organization-defined security attributes by authorized individuals (or processes acting on behalf of individuals); and
  AC-16(4)[3] the information system supports the association of organization-defined security attributes with organization-defined subjects and objects by authorized individuals (or processes acting on behalf of individuals).
Examine: Access control policy; procedures addressing the association of security attributes to information; information system design documentation; information system configuration settings and associated documentation; list of users authorized to associate security attributes to information; information system audit records; other relevant documents or records
Test: Automated mechanisms supporting user associations of security attributes to information
Interview: Organizational personnel with responsibilities for associating security attributes to information; organizational personnel with information security responsibilities; system developers
ACCESS CONTROL | AC-16(5) | ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES
Decision: Determine if:
  AC-16(5)[1] the organization identifies special dissemination, handling, or distribution instructions to be used for each object that the information system transmits to output devices;
  AC-16(5)[2] the organization identifies human-readable, standard naming conventions for the security attributes to be displayed in human-readable form on each object that the information system transmits to output devices; and
  AC-16(5)[3] the information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions.
Examine: Access control policy; procedures addressing display of security attributes in human-readable form; special dissemination, handling, or distribution instructions; types of human-readable, standard naming conventions; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: System output devices displaying security attributes in human-readable form on each object
Interview: Organizational personnel with information security responsibilities; system developers
ACCESS CONTROL | AC-16(6) | MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION
Decision: Determine if the organization:
  AC-16(6)[1] defines security attributes to be associated with subjects and objects;
  AC-16(6)[2] defines subjects and objects to be associated with organization-defined security attributes;
  AC-16(6)[3] defines security policies to allow personnel to associate, and maintain the association of, organization-defined security attributes with organization-defined subjects and objects; and
  AC-16(6)[4] allows personnel to associate, and maintain the association of, organization-defined security attributes with organization-defined subjects and objects in accordance with organization-defined security policies.
Examine: Access control policy; procedures addressing association of security attributes with subjects and objects; other relevant documents or records
Test: Automated mechanisms supporting associations of security attributes to subjects and objects
Interview: Organizational personnel with responsibilities for associating and maintaining association of security attributes with subjects and objects; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-16(7) | CONSISTENT ATTRIBUTE INTERPRETATION
Decision: Determine if the organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
Examine: Access control policy; procedures addressing consistent interpretation of security attributes transmitted between distributed information system components; procedures addressing access enforcement; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing access enforcement and information flow enforcement functions
Interview: Organizational personnel with responsibilities for providing consistent interpretation of security attributes used in access enforcement and information flow enforcement actions; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-16(8) | ASSOCIATION TECHNIQUES/TECHNOLOGIES
Decision: Determine if:
  AC-16(8)[1] the organization defines techniques or technologies to be implemented in associating security attributes to information;
  AC-16(8)[2] the organization defines the level of assurance to be provided when the information system implements organization-defined techniques or technologies to associate security attributes to information; and
  AC-16(8)[3] the information system implements organization-defined techniques or technologies with organization-defined level of assurance in associating security attributes to information.
Examine: Access control policy; procedures addressing association of security attributes to information; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing techniques or technologies associating security attributes to information
Interview: Organizational personnel with responsibilities for associating security attributes to information; organizational personnel with information security responsibilities; system developers
ACCESS CONTROL | AC-16(9) | ATTRIBUTE REASSIGNMENT
Decision: Determine if the organization:
  AC-16(9)[1] defines techniques or procedures to validate re-grading mechanisms used to reassign association of security attributes with information; and
  AC-16(9)[2] ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using organization-defined techniques or procedures.
Examine: Access control policy; procedures addressing reassignment of security attributes to information; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing techniques or procedures for reassigning association of security attributes to information
Interview: Organizational personnel with responsibilities for reassigning association of security attributes to information; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-16(10) | ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS
Decision: Determine if the information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
Examine: Access control policy; procedures addressing configuration of security attributes by authorized individuals; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing capability for defining or changing security attributes
Interview: Organizational personnel with responsibilities for defining or changing security attributes associated with information; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-17 | REMOTE ACCESS
Decision: Determine if the organization:
  AC-17(a)[1] identifies the types of remote access allowed to the information system;
  AC-17(a)[2] establishes for each type of remote access allowed:
    AC-17(a)[2][a] usage restrictions;
    AC-17(a)[2][b] configuration/connection requirements;
    AC-17(a)[2][c] implementation guidance;
  AC-17(a)[3] documents for each type of remote access allowed:
    AC-17(a)[3][a] usage restrictions;
    AC-17(a)[3][b] configuration/connection requirements;
    AC-17(a)[3][c] implementation guidance; and
  AC-17(b) authorizes remote access to the information system prior to allowing such connections.
Examine: Access control policy; procedures addressing remote access implementation and usage (including restrictions); configuration management plan; security plan; information system configuration settings and associated documentation; remote access authorizations; information system audit records; other relevant documents or records
Test: Remote access management capability for the information system
Interview: Organizational personnel with responsibilities for managing remote access connections; system/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL | AC-17(1) | AUTOMATED MONITORING/CONTROL
Decision: Determine if the information system monitors and controls remote access methods.
Examine: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; information system audit records; information system monitoring records; other relevant documents or records
Test: Automated mechanisms monitoring and controlling remote access methods
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-17(2) | PROTECTION OF CONFIDENTIALITY/INTEGRITY USING ENCRYPTION
Decision: Determine if the information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Examine: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; information system audit records; other relevant documents or records
Test: Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions
Interview: System/network administrators; organizational personnel with information security responsibilities; system developers

ACCESS CONTROL | AC-17(3) | MANAGED ACCESS CONTROL POINTS
Decision: Determine if:
  AC-17(3)[1] the organization defines the number of managed network access control points through which all remote accesses are to be routed; and
  AC-17(3)[2] the information system routes all remote accesses through the organization-defined number of managed network access control points.
Examine: Access control policy; procedures addressing remote access to the information system; information system design documentation; list of all managed network access control points; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms routing all remote accesses through managed network access control points
Interview: System/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL | AC-17(4) | PRIVILEGED COMMANDS / ACCESS
Decision: Determine if the organization:
  AC-17(4)(a)[1] defines needs to authorize the execution of privileged commands and access to security-relevant information via remote access;
  AC-17(4)(a)[2] authorizes the execution of privileged commands and access to security-relevant information via remote access only for organization-defined needs; and
  AC-17(4)(b) documents the rationale for such access in the information system security plan.
Examine: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; security plan; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing remote access management
Interview: System/network administrators; organizational personnel with information security responsibilities

ACCESS CONTROL | AC-17(5) | MONITORING FOR UNAUTHORIZED CONNECTIONS
Decision: [Withdrawn: Incorporated into SI-4].

ACCESS CONTROL | AC-17(6) | PROTECTION OF INFORMATION
Decision: Determine if the organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
Examine: Access control policy; procedures addressing remote access to the information system; other relevant documents or records
Interview: Organizational personnel with responsibilities for implementing or monitoring remote access to the information system; information system users with knowledge of information about remote access mechanisms; organizational personnel with information security responsibilities

ACCESS CONTROL | AC-17(7) | ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS
Decision: [Withdrawn: Incorporated into AC-3 (10)].

ACCESS CONTROL | AC-17(8) | DISABLE NONSECURE NETWORK PROTOCOLS
Decision: [Withdrawn: Incorporated into CM-7].
ACCESS CONTROL AC-17(9) DISCONNECT/DISABLE ACCESS "Determine if the organization:" Access control policy;procedures addressing disconnecting or disabling remote access to the information system;information system design documentation;information system configuration settings and associated documentation;security plan, information system audit records;other relevant documents or records Automated mechanisms implementing capability to disconnect or disable remote access to information system System/network administrators;organizational personnel with information security responsibilities;system developers AC-17(9)[1] "defines the time period within which to expeditiously disconnect or disable remote access to the information system; and" AC-17(9)[2] "provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period." ACCESS CONTROL AC-18 WIRELESS ACCESS "Determine if the organization:" Access control policy;procedures addressing wireless access implementation and usage (including restrictions);configuration management plan;security plan;information system design documentation;information system configuration settings and associated documentation;wireless access authorizations;information system audit records;other relevant documents or records Wireless access management capability for the information system Organizational personnel with responsibilities for managing wireless access connections;organizational personnel with information security responsibilities AC-18(a) "establishes for wireless access:" AC-18(a)[1] "usage restrictions;" AC-18(a)[2] "configuration/connection requirement;" AC-18(a)[3] "implementation guidance; and" AC-18(b) "authorizes wireless access to the information system prior to allowing such connections." 
ACCESS CONTROL AC-18(1) AUTHENTICATION AND ENCRYPTION "Determine if the information system protects wireless access to the system using encryption and one or more of the following:" Access control policy;procedures addressing wireless implementation and usage (including restrictions);information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms implementing wireless access protections to the information system System/network administrators;organizational personnel with information security responsibilities;system developers AC-18(1)[1] "authentication of users; and/or" AC-18(1)[2] "authentication of devices." ACCESS CONTROL AC-18(2) MONITORING UNAUTHORIZED CONNECTIONS "[Withdrawn: Incorporated into SI-4]." ACCESS CONTROL AC-18(3) DISABLE WIRELESS NETWORKING "Determine if the organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment." 
Access control policy;procedures addressing wireless implementation and usage (including restrictions);information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms managing the disabling of wireless networking capabilities internally embedded within information system components System/network administrators;organizational personnel with information security responsibilities ACCESS CONTROL AC-18(4) RESTRICT CONFIGURATIONS BY USERS "Determine if the organization:" Access control policy;procedures addressing wireless implementation and usage (including restrictions);information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms authorizing independent user configuration of wireless networking capabilities System/network administrators;organizational personnel with information security responsibilities AC-18(4)[1] "identifies users allowed to independently configure wireless networking capabilities; and" AC-18(4)[2] "explicitly authorizes the identified users allowed to independently configure wireless networking capabilities." 
ACCESS CONTROL AC-18(5) ANTENNAS/TRANSMISSION POWER LEVELS "Determine if the organization: " Access control policy;procedures addressing wireless implementation and usage (including restrictions);information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Wireless access capability protecting usable signals from unauthorized access outside organization-controlled boundaries System/network administrators;organizational personnel with information security responsibilities AC-18(5)[1] "selects radio antennas to reduce the probability that usable signals can be received outside of organization-controlled boundaries; and" AC-18(5)[2] "calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries." ACCESS CONTROL AC-19 ACCESS CONTROL FOR MOBILE DEVICES " Determine if the organization:" Access control policy;procedures addressing access control for mobile device usage (including restrictions);configuration management plan;security plan;information system design documentation;information system configuration settings and associated documentation;authorizations for mobile device connections to organizational information systems;information system audit records;other relevant documents or records Access control capability authorizing mobile device connections to organizational information systems Organizational personnel using mobile devices to access organizational information systems;system/network administrators;organizational personnel with information security responsibilities AC-19(a) "establishes for organization-controlled mobile devices:" AC-19(a)[1] "usage restrictions;" AC-19(a)[2] "configuration/connection requirement;" AC-19(a)[3] "implementation guidance; and" AC-19(b) "authorizes the connection of mobile devices to organizational information systems." 
ACCESS CONTROL AC-19(1) USE OF WRITABLE/PORTABLE STORAGE DEVICES "[Withdrawn: Incorporated into MP-7]." ACCESS CONTROL AC-19(2) USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES "[Withdrawn: Incorporated into MP-7]." ACCESS CONTROL AC-19(3) USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER "[Withdrawn: Incorporated into MP-7]." ACCESS CONTROL AC-19(4) RESTRICTIONS FOR CLASSIFIED INFORMATION "Determine if the organization:" Access control policy;incident handling policy;procedures addressing access control for mobile devices;information system design documentation;information system configuration settings and associated documentation;evidentiary documentation for random inspections and reviews of mobile devices;information system audit records;other relevant documents or records Automated mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices Organizational personnel responsible for random reviews/inspections of mobile devices;organizational personnel using mobile devices in facilities containing information systems processing, storing, or transmitting classified information;organizational personnel with incident response responsibilities;system/network administrators;organizational personnel with information security responsibilities AC-19(4)(a) "prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official;" AC-19(4)(b) "enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:" AC-19(4)(b)(1) "connection of unclassified mobile devices to classified information systems is prohibited;" AC-19(4)(b)(2) "connection of unclassified mobile devices to unclassified information systems requires 
approval from the authorizing official;" AC-19(4)(b)(3) "use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited;" AC-19(4)(b)(4) AC-19(4)(b)(4)[1] "defines security officials responsible for reviews and inspections of unclassified mobile devices and the information stored on those devices;" AC-19(4)(b)(4)[2] "unclassified mobile devices and the information stored on those devices are subject to random reviews/inspections by organization-defined security officials;" AC-19(4)(b)(4)[3] "the incident handling policy is followed if classified information is found;" AC-19(4)(c) AC-19(4)(c)[1] "defines security policies to restrict the connection of classified mobile devices to classified information systems; and" AC-19(4)(c)[2] "restricts the connection of classified mobile devices to classified information systems in accordance with organization-defined security policies." ACCESS CONTROL AC-19(5) FULL DEVICE / CONTAINER-BASED ENCRYPTION "Determine if the organization:" Access control policy;procedures addressing access control for mobile devices;information system design documentation;information system configuration settings and associated documentation;encryption mechanism s and associated configuration documentation;information system audit records;other relevant documents or records Encryption mechanisms protecting confidentiality and integrity of information on mobile devices Organizational personnel with access control responsibilities for mobile devices;system/network administrators;organizational personnel with information security responsibilities AC-19(5)[1] "defines mobile devices for which full-device encryption or container encryption is required to protect the confidentiality and integrity of information on such devices; and" AC-19(5)[2] "employs full-device encryption or container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices." 
ACCESS CONTROL AC-20 USE OF EXTERNAL INFORMATION SYSTEMS "Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: " Access control policy;procedures addressing the use of external information systems;external information systems terms and conditions;list of types of applications accessible from external information systems;maximum security categorization for information processed, stored, or transmitted on external information systems;information system configuration settings and associated documentation;other relevant documents or records Automated mechanisms implementing terms and conditions on use of external information systems Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems;system/network administrators;organizational personnel with information security responsibilities AC-20(a) "access the information system from the external information systems; and" AC-20(b) "process, store, or transmit organization-controlled information using external information systems." 
ACCESS CONTROL AC-20(1) LIMITS ON AUTHORIZED USE "Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: " Access control policy;procedures addressing the use of external information systems;security plan;information system connection or processing agreements;account management documents;other relevant documents or records Automated mechanisms implementing limits on use of external information systems System/network administrators;organizational personnel with information security responsibilities AC-20(1)(a) "verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or" AC-20(1)(b) "retains approved information system connection or processing agreements with the organizational entity hosting the external information system." ACCESS CONTROL AC-20(2) PORTABLE STORAGE DEVICES "Determine if the organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems. 
" Access control policy;procedures addressing the use of external information systems;security plan;information system configuration settings and associated documentation;information system connection or processing agreements;account management documents;other relevant documents or records Automated mechanisms implementing restrictions on use of portable storage devices Organizational personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external information systems;system/network administrators;organizational personnel with information security responsibilities ACCESS CONTROL AC-20(3) NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES "Determine if the organization restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information." Access control policy;procedures addressing the use of external information systems;security plan;information system design documentation;information system configuration settings and associated documentation;information system connection or processing agreements;account management documents;information system audit records, other relevant documents or records Automated mechanisms implementing restrictions on the use of non-organizationally owned systems/components/devices Organizational personnel with responsibilities for restricting or prohibiting use of non-organizationally owned information systems, system components, or devices;system/network administrators;organizational personnel with information security responsibilities ACCESS CONTROL AC-20(4) NETWORK ACCESSIBLE STORAGE DEVICES "Determine if the organization:" Access control policy;procedures addressing use of network accessible storage devices in external information systems;security plan, information system design documentation;information system configuration settings and associated documentation;information 
system connection or processing agreements;list of network accessible storage devices prohibited from use in external information systems;information system audit records;other relevant documents or records Automated mechanisms prohibiting the use of network accessible storage devices in external information systems Organizational personnel with responsibilities for prohibiting use of network accessible storage devices in external information systems;system/network administrators;organizational personnel with information security responsibilities AC-20(4)[1] "defines network accessible storage devices to be prohibited from use in external information systems; and" AC-20(4)[2] "prohibits the use of organization-defined network accessible storage devices in external information systems." ACCESS CONTROL AC-21 INFORMATION SHARING "Determine if the organization: " Access control policy;procedures addressing user-based collaboration and information sharing (including restrictions);information system design documentation;information system configuration settings and associated documentation;list of users authorized to make information sharing/collaboration decisions;list of information sharing circumstances requiring user discretion;other relevant documents or records Automated mechanisms or manual process implementing access authorizations supporting information sharing/user collaboration decisions Organizational personnel responsible for making information sharing/collaboration decisions;system/network administrators;organizational personnel with information security responsibilities AC-21(a) AC-21(a)[1] "defines information sharing circumstances where user discretion is required;" AC-21(a)[2] "facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances;" AC-21(b) AC-21(b)[1] "defines 
automated mechanisms or manual processes to be employed to assist users in making information sharing/collaboration decisions; and" AC-21(b)[2] "employs organization-defined automated mechanisms or manual processes to assist users in making information sharing/collaboration decisions." ACCESS CONTROL AC-21(1) AUTOMATED DECISION SUPPORT "Determine if the information system enforces information-sharing decisions by authorized users based on: " Access control policy;procedures addressing user-based collaboration and information sharing (including restrictions);information system design documentation;information system configuration settings and associated documentation;system-generated list of users authorized to make information sharing/collaboration decisions;system-generated list of sharing partners and access authorizations;system-generated list of access restrictions regarding information to be shared;other relevant documents or records Automated mechanisms implementing access authorizations supporting information sharing/user collaboration decisions System/network administrators;organizational personnel with information security responsibilities;system developers AC-21(1)[1] "access authorizations of sharing partners; and" AC-21(1)[2] "access restrictions on information to be shared." 
ACCESS CONTROL AC-21(2) INFORMATION SEARCH AND RETRIEVAL "Determine if: " Access control policy;procedures addressing user-based collaboration and information sharing (including restrictions);information system design documentation;information system configuration settings and associated documentation;system-generated list of access restrictions regarding information to be shared;information search and retrieval records;information system audit records;other relevant documents or records Information system search and retrieval services enforcing information sharing restrictions Organizational personnel with access enforcement responsibilities for information system search and retrieval services;system/network administrators;organizational personnel with information security responsibilities;system developers AC-21(2)[1] "the organization defines information sharing restrictions to be enforced through information search and retrieval services; and" AC-21(2)[2] "the information system implements information search and retrieval services that enforce organization-defined information sharing restrictions." 
ACCESS CONTROL AC-22 PUBLICLY ACCESSIBLE CONTENT "Determine if the organization: " Access control policy;procedures addressing publicly accessible content;list of users authorized to post publicly accessible content on organizational information systems;training materials and/or records;records of publicly accessible information reviews;records of response to nonpublic information on public websites;system audit logs;security awareness training records;other relevant documents or records Automated mechanisms implementing management of publicly accessible content Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems;organizational personnel with information security responsibilities AC-22(a) "designates individuals authorized to post information onto a publicly accessible information system;" AC-22(b) "trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;" AC-22(c) "reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;" AC-22(d) AC-22(d)[1] "defines the frequency to review the content on the publicly accessible information system for nonpublic information;" AC-22(d)[2] "reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and" AC-22(d)[3] "removes nonpublic information from the publicly accessible information system, if discovered." 
ACCESS CONTROL AC-23 DATA MINING PROTECTION " Determine if the organization:" Access control policy;procedures addressing data mining techniques;procedures addressing protection of data storage objects against data mining;information system design documentation;information system configuration settings and associated documentation;information system audit logs;information system audit records;other relevant documents or records Automated mechanisms implementing data mining prevention and detection Organizational personnel with responsibilities for implementing data mining detection and prevention techniques for data storage objects;organizational personnel with information security responsibilities;system developers AC-23[1] "defines data mining prevention and detection techniques to be employed for organization-defined storage objects to adequately detect and protect against data mining;" AC-23[2] "defines data storage objects to be protected from data mining; and" AC-23[3] "employs organization-defined data mining prevention and detection techniques for organization-defined data storage objects to adequately detect and protect against data mining." 
ACCESS CONTROL AC-24 ACCESS CONTROL DECISIONS "Determine if the organization: " Access control policy;procedures addressing access control decisions;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms applying established access control decisions and procedures Organizational personnel with responsibilities for establishing procedures regarding access control decisions to the information system;organizational personnel with information security responsibilities AC-24[1] "defines access control decisions to be applied to each access request prior to access control enforcement; and" AC-24[2] "establishes procedures to ensure organization-defined access control decisions are applied to each access request prior to access control enforcement." ACCESS CONTROL AC-24(1) TRANSMIT ACCESS AUTHORIZATION INFORMATION "Determine if: " Access control policy;procedures addressing access enforcement;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms implementing access enforcement functions Organizational personnel with access enforcement responsibilities;system/network administrators;organizational personnel with information security responsibilities;system developers AC-24(1)[1] "the organization defines access authorization information that the information system transmits to organization-defined information systems that enforce access control decisions;" AC-24(1)[2] "the organization defines security safeguards to be used when the information system transmits organization-defined authorization information to organization-defined information systems that enforce access control decisions;" AC-24(1)[3] "the organization defines the information systems that enforce access control 
decisions; and" AC-24(1)[4] "the information system transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems that enforce access control decisions." ACCESS CONTROL AC-24(2) NO USER OR PROCESS IDENTITY "Determine if: " Access control policy;procedures addressing access enforcement;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms implementing access enforcement functions Organizational personnel with access enforcement responsibilities;system/network administrators;organizational personnel with information security responsibilities;system developers AC-24(2)[1] "the organization defines security attributes that support access control decisions that do not include the identity of the user or processes acting on behalf of the user; and" AC-24(2)[2] "the information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user." 
ACCESS CONTROL AC-25 REFERENCE MONITOR " Determine if: " Access control policy;procedures addressing access enforcement;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms implementing access enforcement functions Organizational personnel with access enforcement responsibilities;system/network administrators;organizational personnel with information security responsibilities;system developers AC-25[1] "the organization defines access control policies for which the information system implements a reference monitor to enforce such policies; and" AC-25[2] "the information system implements a reference monitor for organization-defined access control policies that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured." AWARENESS AND TRAINING AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES "Determine if the organization:" Security awareness and training policy and procedures;other relevant documents or records Organizational personnel with security awareness and training responsibilities;organizational personnel with information security responsibilities AT-1(a)(1) AT-1(a)(1)[1] "develops and documents an security awareness and training policy that addresses:" AT-1(a)(1)[1][a] "purpose;" AT-1(a)(1)[1][b] "scope;" AT-1(a)(1)[1][c] "roles;" AT-1(a)(1)[1][d] "responsibilities;" AT-1(a)(1)[1][e] "management commitment;" AT-1(a)(1)[1][f] "coordination among organizational entities;" AT-1(a)(1)[1][g] "compliance;" AT-1(a)(1)[2] "defines personnel or roles to whom the security awareness and training policy are to be disseminated;" AT-1(a)(1)[3] "disseminates the security awareness and training policy to organization-defined personnel or roles;" AT-1(a)(2) AT-1(a)(2)[1] "develops and documents procedures to facilitate the implementation of the 
security awareness and training policy and associated awareness and training controls;
AT-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
AT-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
AT-1(b)(1)
AT-1(b)(1)[1] defines the frequency to review and update the current security awareness and training policy;
AT-1(b)(1)[2] reviews and updates the current security awareness and training policy with the organization-defined frequency;
AT-1(b)(2)
AT-1(b)(2)[1] defines the frequency to review and update the current security awareness and training procedures; and
AT-1(b)(2)[2] reviews and updates the current security awareness and training procedures with the organization-defined frequency.

[AWARENESS AND TRAINING] AT-2 SECURITY AWARENESS TRAINING
DECISION: Determine if the organization:
EXAMINE: Security awareness and training policy; procedures addressing security awareness training implementation; appropriate codes of federal regulations; security awareness training curriculum; security awareness training materials; security plan; training records; other relevant documents or records
TEST: Automated mechanisms managing security awareness training
INTERVIEW: Organizational personnel with responsibilities for security awareness training; organizational personnel with information security responsibilities; organizational personnel comprising the general information system user community
AT-2(a) provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;
AT-2(b) provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and
AT-2(c)
AT-2(c)[1] defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and
AT-2(c)[2] provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency.

[AWARENESS AND TRAINING] AT-2(1) PRACTICAL EXERCISE
DECISION: Determine if the organization includes practical exercises in security awareness training that simulate actual cyber attacks.
EXAMINE: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; security plan; other relevant documents or records
TEST: Automated mechanisms implementing cyber attack simulations in practical exercises
INTERVIEW: Organizational personnel that participate in security awareness training; organizational personnel with responsibilities for security awareness training; organizational personnel with information security responsibilities

[AWARENESS AND TRAINING] AT-2(2) INSIDER THREAT
DECISION: Determine if the organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
EXAMINE: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; security plan; other relevant documents or records
INTERVIEW: Organizational personnel that participate in security awareness training; organizational personnel with responsibilities for basic security awareness training; organizational personnel with information security responsibilities

[AWARENESS AND TRAINING] AT-3 ROLE-BASED SECURITY TRAINING
DECISION: Determine if the organization:
EXAMINE: Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; security plan; training records; other relevant documents or records
TEST: Automated mechanisms managing role-based security training
INTERVIEW: Organizational personnel with responsibilities for role-based security training; organizational personnel with assigned information system security roles and responsibilities
AT-3(a) provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;
AT-3(b) provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and
AT-3(c)
AT-3(c)[1] defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and
AT-3(c)[2] provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency.
[AWARENESS AND TRAINING] AT-3(1) ENVIRONMENTAL CONTROLS
DECISION: Determine if the organization:
EXAMINE: Security awareness and training policy; procedures addressing security training implementation; security training curriculum; security training materials; security plan; training records; other relevant documents or records
INTERVIEW: Organizational personnel with responsibilities for role-based security training; organizational personnel with responsibilities for employing and operating environmental controls
AT-3(1)[1] defines personnel or roles to be provided with initial and refresher training in the employment and operation of environmental controls;
AT-3(1)[2] provides organization-defined personnel or roles with initial and refresher training in the employment and operation of environmental controls;
AT-3(1)[3] defines the frequency to provide refresher training in the employment and operation of environmental controls; and
AT-3(1)[4] provides refresher training in the employment and operation of environmental controls with the organization-defined frequency.
[AWARENESS AND TRAINING] AT-3(2) PHYSICAL SECURITY CONTROLS
DECISION: Determine if the organization:
EXAMINE: Security awareness and training policy; procedures addressing security training implementation; security training curriculum; security training materials; security plan; training records; other relevant documents or records
INTERVIEW: Organizational personnel with responsibilities for role-based security training; organizational personnel with responsibilities for employing and operating physical security controls
AT-3(2)[1] defines personnel or roles to be provided with initial and refresher training in the employment and operation of physical security controls;
AT-3(2)[2] provides organization-defined personnel or roles with initial and refresher training in the employment and operation of physical security controls;
AT-3(2)[3] defines the frequency to provide refresher training in the employment and operation of physical security controls; and
AT-3(2)[4] provides refresher training in the employment and operation of physical security controls with the organization-defined frequency.

[AWARENESS AND TRAINING] AT-3(3) PRACTICAL EXERCISES
DECISION: Determine if the organization includes practical exercises in security training that reinforce training objectives.
EXAMINE: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; security plan; other relevant documents or records
INTERVIEW: Organizational personnel with responsibilities for role-based security training; organizational personnel that participate in security awareness training

[AWARENESS AND TRAINING] AT-3(4) SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR
DECISION: Determine if the organization:
EXAMINE: Security awareness and training policy; procedures addressing security training implementation; security training curriculum; security training materials; security plan; training records; other relevant documents or records
INTERVIEW: Organizational personnel with responsibilities for role-based security training; organizational personnel that participate in security awareness training
AT-3(4)[1] defines indicators of malicious code; and
AT-3(4)[2] provides training to its personnel on organization-defined indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.
[AWARENESS AND TRAINING] AT-4 SECURITY TRAINING RECORDS
DECISION: Determine if the organization:
EXAMINE: Security awareness and training policy; procedures addressing security training records; security awareness and training records; security plan; other relevant documents or records
TEST: Automated mechanisms supporting management of security training records
INTERVIEW: Organizational personnel with security training record retention responsibilities
AT-4(a)
AT-4(a)[1] documents individual information system security training activities including:
AT-4(a)[1][a] basic security awareness training;
AT-4(a)[1][b] specific role-based information system security training;
AT-4(a)[2] monitors individual information system security training activities including:
AT-4(a)[2][a] basic security awareness training;
AT-4(a)[2][b] specific role-based information system security training;
AT-4(b)
AT-4(b)[1] defines a time period to retain individual training records; and
AT-4(b)[2] retains individual training records for the organization-defined time period.

[AWARENESS AND TRAINING] AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
DECISION: [Withdrawn: Incorporated into PM-15].
[AUDIT AND ACCOUNTABILITY] AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
DECISION: Determine if the organization:
EXAMINE: Audit and accountability policy and procedures; other relevant documents or records
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities
AU-1(a)(1)
AU-1(a)(1)[1] develops and documents an audit and accountability policy that addresses:
AU-1(a)(1)[1][a] purpose;
AU-1(a)(1)[1][b] scope;
AU-1(a)(1)[1][c] roles;
AU-1(a)(1)[1][d] responsibilities;
AU-1(a)(1)[1][e] management commitment;
AU-1(a)(1)[1][f] coordination among organizational entities;
AU-1(a)(1)[1][g] compliance;
AU-1(a)(1)[2] defines personnel or roles to whom the audit and accountability policy are to be disseminated;
AU-1(a)(1)[3] disseminates the audit and accountability policy to organization-defined personnel or roles;
AU-1(a)(2)
AU-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;
AU-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
AU-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
AU-1(b)(1)
AU-1(b)(1)[1] defines the frequency to review and update the current audit and accountability policy;
AU-1(b)(1)[2] reviews and updates the current audit and accountability policy with the organization-defined frequency;
AU-1(b)(2)
AU-1(b)(2)[1] defines the frequency to review and update the current audit and accountability procedures; and
AU-1(b)(2)[2] reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency.
[AUDIT AND ACCOUNTABILITY] AU-2 AUDIT EVENTS
DECISION: Determine if the organization:
EXAMINE: Audit and accountability policy; procedures addressing auditable events; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; information system auditable events; other relevant documents or records
TEST: Automated mechanisms implementing information system auditing
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators
AU-2(a)
AU-2(a)[1] defines the auditable events that the information system must be capable of auditing;
AU-2(a)[2] determines that the information system is capable of auditing organization-defined auditable events;
AU-2(b) coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
AU-2(c) provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;
AU-2(d)
AU-2(d)[1] defines the subset of auditable events defined in AU-2a that are to be audited within the information system;
AU-2(d)[2] determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and
AU-2(d)[3] determines the frequency of (or situation requiring) auditing for each identified event.

[AUDIT AND ACCOUNTABILITY] AU-2(1) COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES
DECISION: [Withdrawn: Incorporated into AU-12].

[AUDIT AND ACCOUNTABILITY] AU-2(2) SELECTION OF AUDIT EVENTS BY COMPONENT
DECISION: [Withdrawn: Incorporated into AU-12].
[AUDIT AND ACCOUNTABILITY] AU-2(3) REVIEWS AND UPDATES
DECISION: Determine if the organization:
EXAMINE: Audit and accountability policy; procedures addressing auditable events; security plan; list of organization-defined auditable events; auditable events review and update records; information system audit records; information system incident reports; other relevant documents or records
TEST: Automated mechanisms supporting review and update of auditable events
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities
AU-2(3)[1] defines the frequency to review and update the audited events; and
AU-2(3)[2] reviews and updates the auditable events with organization-defined frequency.

[AUDIT AND ACCOUNTABILITY] AU-2(4) PRIVILEGED FUNCTIONS
DECISION: [Withdrawn: Incorporated into AC-6(9)].

[AUDIT AND ACCOUNTABILITY] AU-3 CONTENT OF AUDIT RECORDS
DECISION: Determine if the information system generates audit records containing information that establishes:
EXAMINE: Audit and accountability policy; procedures addressing content of audit records; information system design documentation; information system configuration settings and associated documentation; list of organization-defined auditable events; information system audit records; information system incident reports; other relevant documents or records
TEST: Automated mechanisms implementing information system auditing of auditable events
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators
AU-3[1] what type of event occurred;
AU-3[2] when the event occurred;
AU-3[3] where the event occurred;
AU-3[4] the source of the event;
AU-3[5] the outcome of the event; and
AU-3[6] the identity of any individuals or subjects associated with the event.
[AUDIT AND ACCOUNTABILITY] AU-3(1) ADDITIONAL AUDIT INFORMATION
DECISION: Determine if:
EXAMINE: Audit and accountability policy; procedures addressing content of audit records; information system design documentation; information system configuration settings and associated documentation; list of organization-defined auditable events; information system audit records; other relevant documents or records
TEST: Information system audit capability
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
AU-3(1)[1] the organization defines additional, more detailed information to be contained in audit records that the information system generates; and
AU-3(1)[2] the information system generates audit records containing the organization-defined additional, more detailed information.

[AUDIT AND ACCOUNTABILITY] AU-3(2) CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT
DECISION: Determine if:
EXAMINE: Audit and accountability policy; procedures addressing content of audit records; information system design documentation; information system configuration settings and associated documentation; list of organization-defined auditable events; information system audit records; other relevant documents or records
TEST: Information system capability implementing centralized management and configuration of audit record content
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
AU-3(2)[1] the organization defines information system components that generate audit records whose content is to be centrally managed and configured by the information system; and
AU-3(2)[2] the information system provides centralized management and configuration of the content to be captured in audit records generated by the organization-defined information system components.
[AUDIT AND ACCOUNTABILITY] AU-4 AUDIT STORAGE CAPACITY
DECISION: Determine if the organization:
EXAMINE: Audit and accountability policy; procedures addressing audit storage capacity; information system design documentation; information system configuration settings and associated documentation; audit record storage requirements; audit record storage capability for information system components; information system audit records; other relevant documents or records
TEST: Audit record storage capacity and related configuration settings
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
AU-4[1] defines audit record storage requirements; and
AU-4[2] allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements.

[AUDIT AND ACCOUNTABILITY] AU-4(1) TRANSFER TO ALTERNATE STORAGE
DECISION: Determine if:
EXAMINE: Audit and accountability policy; procedures addressing audit storage capacity; procedures addressing transfer of information system audit records to secondary or alternate systems; information system design documentation; information system configuration settings and associated documentation; logs of audit record transfers to secondary or alternate systems; information system audit records transferred to secondary or alternate systems; other relevant documents or records
TEST: Automated mechanisms supporting transfer of audit records onto a different system
INTERVIEW: Organizational personnel with audit storage capacity planning responsibilities; organizational personnel with information security responsibilities; system/network administrators
AU-4(1)[1] the organization defines the frequency to off-load audit records onto a different system or media than the system being audited; and
AU-4(1)[2] the information system off-loads audit records onto a different system or media than the system being audited with the organization-defined frequency.
[AUDIT AND ACCOUNTABILITY] AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
DECISION: Determine if:
EXAMINE: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; list of personnel to be notified in case of an audit processing failure; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing information system response to audit processing failures
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
AU-5(a)
AU-5(a)[1] the organization defines the personnel or roles to be alerted in the event of an audit processing failure;
AU-5(a)[2] the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;
AU-5(b)
AU-5(b)[1] the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and
AU-5(b)[2] the information system takes the additional organization-defined actions in the event of an audit processing failure.
[AUDIT AND ACCOUNTABILITY] AU-5(1) AUDIT STORAGE CAPACITY
DECISION: Determine if:
EXAMINE: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing audit storage limit warnings
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
AU-5(1)[1] the organization defines:
AU-5(1)[1][a] personnel to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity;
AU-5(1)[1][b] roles to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity; and/or
AU-5(1)[1][c] locations to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity;
AU-5(1)[2] the organization defines the time period within which the information system is to provide a warning to the organization-defined personnel, roles, and/or locations when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity;
AU-5(1)[3] the organization defines the percentage of repository maximum audit record storage capacity that, if reached, requires a warning to be provided; and
AU-5(1)[4] the information system provides a warning to the organization-defined personnel, roles, and/or locations within the organization-defined time period when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity.
[AUDIT AND ACCOUNTABILITY] AU-5(2) REAL-TIME ALERTS
DECISION: Determine if:
EXAMINE: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; records of notifications or real-time alerts when audit processing failures occur; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing real-time audit alerts when organization-defined audit failure events occur
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
AU-5(2)[1] the organization defines audit failure events requiring real-time alerts;
AU-5(2)[2] the organization defines:
AU-5(2)[2][a] personnel to be alerted when organization-defined audit failure events requiring real-time alerts occur;
AU-5(2)[2][b] roles to be alerted when organization-defined audit failure events requiring real-time alerts occur; and/or
AU-5(2)[2][c] locations to be alerted when organization-defined audit failure events requiring real-time alerts occur;
AU-5(2)[3] the organization defines the real-time period within which the information system is to provide an alert to the organization-defined personnel, roles, and/or locations when the organization-defined audit failure events requiring real-time alerts occur; and
AU-5(2)[4] the information system provides an alert within the organization-defined real-time period to the organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.
[AUDIT AND ACCOUNTABILITY] AU-5(3) CONFIGURABLE TRAFFIC VOLUME THRESHOLDS
DECISION: Determine if:
EXAMINE: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; configuration of network communications traffic volume thresholds; information system audit records; other relevant documents or records
TEST: Information system capability implementing configurable traffic volume thresholds
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
AU-5(3)[1] the information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity;
AU-5(3)[2] the organization selects if network traffic above configurable traffic volume thresholds is to be:
AU-5(3)[2][a] rejected; or
AU-5(3)[2][b] delayed; and
AU-5(3)[3] the information system rejects or delays network communications traffic generated above configurable traffic volume thresholds.
[AUDIT AND ACCOUNTABILITY] AU-5(4) SHUTDOWN ON FAILURE
DECISION: Determine if:
EXAMINE: Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Information system capability invoking system shutdown or degraded operational mode in the event of an audit processing failure
INTERVIEW: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
AU-5(4)[1] the organization selects one of the following specific actions for the information system to invoke in the event of organization-defined audit failures:
AU-5(4)[1][a] full system shutdown;
AU-5(4)[1][b] partial system shutdown; or
AU-5(4)[1][c] degraded operational mode with limited mission/business functionality available;
AU-5(4)[2] the organization defines audit failures that, unless an alternate audit capability exists, are to trigger the information system to invoke a specific action; and
AU-5(4)[3] the information system invokes the selected specific action in the event of organization-defined audit failures, unless an alternate audit capability exists.
[AUDIT AND ACCOUNTABILITY] AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
DECISION: Determine if the organization:
EXAMINE: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records
INTERVIEW: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security responsibilities
AU-6(a)
AU-6(a)[1] defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;
AU-6(a)[2] defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;
AU-6(a)[3] reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;
AU-6(b)
AU-6(b)[1] defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and
AU-6(b)[2] reports findings to organization-defined personnel or roles.
[AUDIT AND ACCOUNTABILITY] AU-6(1) PROCESS INTEGRATION
DECISION: Determine if the organization:
EXAMINE: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; procedures addressing investigation and response to suspicious activities; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms integrating audit review, analysis, and reporting processes
INTERVIEW: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security responsibilities
AU-6(1)[1] employs automated mechanisms to integrate:
AU-6(1)[1][a] audit review;
AU-6(1)[1][b] analysis;
AU-6(1)[1][c] reporting processes;
AU-6(1)[2] uses integrated audit review, analysis and reporting processes to support organizational processes for:
AU-6(1)[2][a] investigation of suspicious activities; and
AU-6(1)[2][b] response to suspicious activities.

[AUDIT AND ACCOUNTABILITY] AU-6(2) AUTOMATED SECURITY ALERTS
DECISION: [Withdrawn: Incorporated into SI-4].

[AUDIT AND ACCOUNTABILITY] AU-6(3) CORRELATE AUDIT REPOSITORIES
DECISION: Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
EXAMINE: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; information system audit records across different repositories; other relevant documents or records
TEST: Automated mechanisms supporting analysis and correlation of audit records
INTERVIEW: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security responsibilities

[AUDIT AND ACCOUNTABILITY] AU-6(4) CENTRAL REVIEW AND ANALYSIS
DECISION: Determine if the information system provides the capability to centrally review and analyze audit records from multiple components within the system.
EXAMINE: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; security plan; information system audit records; other relevant documents or records
TEST: Information system capability to centralize review and analysis of audit records
INTERVIEW: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security responsibilities; system developers

[AUDIT AND ACCOUNTABILITY] AU-6(5) INTEGRATION/SCANNING AND MONITORING CAPABILITIES
DECISION: Determine if the organization:
EXAMINE: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; integrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information and associated documentation; other relevant documents or records
TEST: Automated mechanisms implementing capability to integrate analysis of audit records with analysis of data/information sources
INTERVIEW: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security responsibilities
AU-6(5)[1] defines data/information to be collected from other sources;
AU-6(5)[2] selects sources of data/information to be analyzed and integrated with the analysis of audit records from one or more of the following:
AU-6(5)[2][a] vulnerability scanning information;
AU-6(5)[2][b] performance data;
AU-6(5)[2][c] information system monitoring information; and/or
AU-6(5)[2][d] organization-defined data/information collected from other sources; and
AU-6(5)[3] integrates the analysis of audit records with the analysis of selected data/information to further enhance the ability to identify inappropriate or unusual activity.

[AUDIT AND ACCOUNTABILITY] AU-6(6) CORRELATION WITH PHYSICAL MONITORING
DECISION: Determine if the organization correlates information from audit records with information obtained from monitoring physical access to enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
EXAMINE: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; procedures addressing physical access monitoring; information system design documentation; information system configuration settings and associated documentation; documentation providing evidence of correlated information obtained from audit records and physical access monitoring records; security plan; other relevant documents or records
TEST: Automated mechanisms implementing capability to correlate information from audit records with information from monitoring physical access
INTERVIEW: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with physical access monitoring responsibilities; organizational personnel with information security responsibilities

[AUDIT AND ACCOUNTABILITY] AU-6(7) PERMITTED ACTIONS
DECISION: Determine if the organization specifies the permitted actions for each one or more of the following associated with the review, analysis and reporting of audit information:
EXAMINE: Audit and accountability policy; procedures addressing process, role and/or user permitted actions from audit review, analysis, and reporting; security plan; other relevant documents or records
TEST: Automated mechanisms supporting permitted actions for review, analysis, and reporting of audit information
INTERVIEW: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security responsibilities
AU-6(7)[1] information system process;
AU-6(7)[2] role; and/or
AU-6(7)[3] user.
[AUDIT AND ACCOUNTABILITY] AU-6(8) FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS
DECISION: Determine if the organization performs a full text analysis of audited privileged commands in:
EXAMINE: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; text analysis tools and techniques; text analysis documentation of audited privileged commands; security plan; other relevant documents or records
TEST: Automated mechanisms implementing capability to perform a full text analysis of audited privilege commands
INTERVIEW: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security responsibilities
AU-6(8)[1] a physically distinct component or subsystem of the information system; or
AU-6(8)[2] other information system that is dedicated to that analysis.

[AUDIT AND ACCOUNTABILITY] AU-6(9) CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES
DECISION: Determine if the organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
EXAMINE: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; information system design documentation; information system configuration settings and associated documentation; documentation providing evidence of correlated information obtained from audit records and organization-defined nontechnical sources; list of information types from nontechnical sources for correlation with audit information; other relevant documents or records
TEST: Automated mechanisms implementing capability to correlate information from non-technical sources
INTERVIEW: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security responsibilities

[AUDIT AND ACCOUNTABILITY] AU-6(10) AUDIT LEVEL ADJUSTMENT
DECISION: Determine if the organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on:
EXAMINE: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; organizational risk assessment; security control assessment; vulnerability assessment; security plan; other relevant documents or records
TEST: Automated mechanisms supporting review, analysis, and reporting of audit information
INTERVIEW: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security responsibilities
AU-6(10)[1] law enforcement information;
AU-6(10)[2] intelligence information; and/or
AU-6(10)[3] other credible sources of information.
Family: AUDIT AND ACCOUNTABILITY
Control: AU-7 AUDIT REDUCTION AND REPORT GENERATION
Determine if the information system provides an audit reduction and report generation capability that supports:
  AU-7(a)
    AU-7(a)[1] on-demand audit review;
    AU-7(a)[2] analysis;
    AU-7(a)[3] reporting requirements;
    AU-7(a)[4] after-the-fact investigations of security incidents; and
  AU-7(b) does not alter the original content or time ordering of audit records.
Examine: Audit and accountability policy; procedures addressing audit reduction and report generation; information system design documentation; information system configuration settings and associated documentation; audit reduction, review, analysis, and reporting tools; information system audit records; other relevant documents or records
Test: Audit reduction and report generation capability
Interview: Organizational personnel with audit reduction and report generation responsibilities; organizational personnel with information security responsibilities

Family: AUDIT AND ACCOUNTABILITY
Control: AU-7(1) AUTOMATIC PROCESSING
Determine if:
  AU-7(1)[1] the organization defines audit fields within audit records in order to process audit records for events of interest; and
  AU-7(1)[2] the information system provides the capability to process audit records for events of interest based on the organization-defined audit fields within audit records.
Examine: Audit and accountability policy; procedures addressing audit reduction and report generation; information system design documentation; information system configuration settings and associated documentation; audit reduction, review, analysis, and reporting tools; audit record criteria (fields) establishing events of interest; information system audit records; other relevant documents or records
Test: Audit reduction and report generation capability
Interview: Organizational personnel with audit reduction and report generation responsibilities; organizational personnel with information security responsibilities; system developers
Family: AUDIT AND ACCOUNTABILITY
Control: AU-7(2) AUTOMATIC SORT AND SEARCH
Determine if:
  AU-7(2)[1] the organization defines audit fields within audit records in order to sort and search audit records for events of interest based on content of such audit fields; and
  AU-7(2)[2] the information system provides the capability to sort and search audit records for events of interest based on the content of organization-defined audit fields within audit records.
Examine: Audit and accountability policy; procedures addressing audit reduction and report generation; information system design documentation; information system configuration settings and associated documentation; audit reduction, review, analysis, and reporting tools; audit record criteria (fields) establishing events of interest; information system audit records; other relevant documents or records
Test: Audit reduction and report generation capability
Interview: Organizational personnel with audit reduction and report generation responsibilities; organizational personnel with information security responsibilities; system developers
Family: AUDIT AND ACCOUNTABILITY
Control: AU-8 TIME STAMPS
Determine if:
  AU-8(a) the information system uses internal system clocks to generate time stamps for audit records;
  AU-8(b)
    AU-8(b)[1] the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);
    AU-8(b)[2] the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and
    AU-8(b)[3] the organization records time stamps for audit records that meet the organization-defined granularity of time measurement.
Examine: Audit and accountability policy; procedures addressing time stamp generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing time stamp generation
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers
Family: AUDIT AND ACCOUNTABILITY
Control: AU-8(1) SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE
Determine if:
  AU-8(1)(a)
    AU-8(1)(a)[1] the organization defines the authoritative time source to which internal information system clocks are to be compared;
    AU-8(1)(a)[2] the organization defines the frequency to compare the internal information system clocks with the organization-defined authoritative time source; and
    AU-8(1)(a)[3] the information system compares the internal information system clocks with the organization-defined authoritative time source with organization-defined frequency; and
  AU-8(1)(b)
    AU-8(1)(b)[1] the organization defines the time period that, if exceeded by the time difference between the internal system clocks and the authoritative time source, will result in the internal system clocks being synchronized to the authoritative time source; and
    AU-8(1)(b)[2] the information system synchronizes the internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.
Examine: Audit and accountability policy; procedures addressing time stamp generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing internal information system clock synchronization
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-8(2) SECONDARY AUTHORITATIVE TIME SOURCE
Determine if the information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
Examine: Audit and accountability policy; procedures addressing time stamp generation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing internal information system clock authoritative time sources
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-9 PROTECTION OF AUDIT INFORMATION
Determine if:
  AU-9[1] the information system protects audit information from unauthorized:
    AU-9[1][a] access;
    AU-9[1][b] modification;
    AU-9[1][c] deletion;
  AU-9[2] the information system protects audit tools from unauthorized:
    AU-9[2][a] access;
    AU-9[2][b] modification; and
    AU-9[2][c] deletion.
Examine: Audit and accountability policy; access control policy and procedures; procedures addressing protection of audit information; information system design documentation; information system configuration settings and associated documentation; information system audit records; audit tools; other relevant documents or records
Test: Automated mechanisms implementing audit information protection
Interview: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-9(1) HARDWARE WRITE-ONCE MEDIA
Determine if the information system writes audit trails to hardware-enforced, write-once media.
Examine: Audit and accountability policy; access control policy and procedures; procedures addressing protection of audit information; information system design documentation; information system hardware settings; information system configuration settings and associated documentation; information system storage media; information system audit records; other relevant documents or records
Test: Information system media storing audit trails
Interview: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-9(2) AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
Determine if:
  AU-9(2)[1] the organization defines the frequency to back up audit records onto a physically different system or system component than the system or component being audited; and
  AU-9(2)[2] the information system backs up audit records with the organization-defined frequency, onto a physically different system or system component than the system or component being audited.
Examine: Audit and accountability policy; procedures addressing protection of audit information; information system design documentation; information system configuration settings and associated documentation; system or media storing backups of information system audit records; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing the backing up of audit records
Interview: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
Family: AUDIT AND ACCOUNTABILITY
Control: AU-9(3) CRYPTOGRAPHIC PROTECTION
Determine if the information system:
  AU-9(3)[1] uses cryptographic mechanisms to protect the integrity of audit information; and
  AU-9(3)[2] uses cryptographic mechanisms to protect the integrity of audit tools.
Examine: Audit and accountability policy; access control policy and procedures; procedures addressing protection of audit information; information system design documentation; information system hardware settings; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Cryptographic mechanisms protecting integrity of audit information and tools
Interview: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-9(4) ACCESS BY SUBSET OF PRIVILEGED USERS
Determine if the organization:
  AU-9(4)[1] defines a subset of privileged users to be authorized access to management of audit functionality; and
  AU-9(4)[2] authorizes access to management of audit functionality to only the organization-defined subset of privileged users.
Examine: Audit and accountability policy; access control policy and procedures; procedures addressing protection of audit information; information system design documentation; information system configuration settings and associated documentation; system-generated list of privileged users with access to management of audit functionality; access authorizations; access control list; information system audit records; other relevant documents or records
Test: Automated mechanisms managing access to audit functionality
Interview: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators
Family: AUDIT AND ACCOUNTABILITY
Control: AU-9(5) DUAL AUTHORIZATION
Determine if the organization:
  AU-9(5)[1] defines audit information for which dual authorization is to be enforced;
  AU-9(5)[2] defines one or more of the following types of operations on audit information for which dual authorization is to be enforced:
    AU-9(5)[2][a] movement; and/or
    AU-9(5)[2][b] deletion; and
  AU-9(5)[3] enforces dual authorization for the movement and/or deletion of organization-defined audit information.
Examine: Audit and accountability policy; access control policy and procedures; procedures addressing protection of audit information; information system design documentation; information system configuration settings and associated documentation; access authorizations; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing enforcement of dual authorization
Interview: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators
Family: AUDIT AND ACCOUNTABILITY
Control: AU-9(6) READ ONLY ACCESS
Determine if the organization:
  AU-9(6)[1] defines the subset of privileged users to be authorized read-only access to audit information; and
  AU-9(6)[2] authorizes read-only access to audit information to the organization-defined subset of privileged users.
Examine: Audit and accountability policy; access control policy and procedures; procedures addressing protection of audit information; information system design documentation; information system configuration settings and associated documentation; system-generated list of privileged users with read-only access to audit information; access authorizations; access control list; information system audit records; other relevant documents or records
Test: Automated mechanisms managing access to audit information
Interview: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; system/network administrators

Family: AUDIT AND ACCOUNTABILITY
Control: AU-10 NON-REPUDIATION
Determine if:
  AU-10[1] the organization defines actions to be covered by non-repudiation; and
  AU-10[2] the information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
Examine: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing non-repudiation capability
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers
Family: AUDIT AND ACCOUNTABILITY
Control: AU-10(1) ASSOCIATION OF IDENTITIES
Determine if:
  AU-10(1)(a)
    AU-10(1)(a)[1] the organization defines the strength of binding to be employed between the identity of the information producer and the information;
    AU-10(1)(a)[2] the information system binds the identity of the information producer with the information to the organization-defined strength of binding; and
  AU-10(1)(b) the information system provides the means for authorized individuals to determine the identity of the producer of the information.
Examine: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing non-repudiation capability
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-10(2) VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY
Determine if:
  AU-10(2)(a)
    AU-10(2)(a)[1] the organization defines the frequency to validate the binding of the information producer identity to the information;
    AU-10(2)(a)[2] the information system validates the binding of the information producer identity to the information at the organization-defined frequency; and
  AU-10(2)(b)
    AU-10(2)(b)[1] the organization defines actions to be performed in the event of a validation error; and
    AU-10(2)(b)[2] the information system performs organization-defined actions in the event of a validation error.
Examine: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; validation records; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing non-repudiation capability
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-10(3) CHAIN OF CUSTODY
Determine if the information system:
  AU-10(3)[1] maintains reviewer/releaser identity within the established chain of custody for all information reviewed;
  AU-10(3)[2] maintains reviewer/releaser identity within the established chain of custody for all information released;
  AU-10(3)[3] maintains reviewer/releaser credentials within the established chain of custody for all information reviewed; and
  AU-10(3)[4] maintains reviewer/releaser credentials within the established chain of custody for all information released.
Examine: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; records of information reviews and releases; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing non-repudiation capability
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers
Family: AUDIT AND ACCOUNTABILITY
Control: AU-10(4) VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY
Determine if:
  AU-10(4)(a)
    AU-10(4)(a)[1] the organization defines security domains for which the binding of the information reviewer identity to the information is to be validated at the transfer or release points prior to release/transfer between such domains;
    AU-10(4)(a)[2] the information system validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between organization-defined security domains;
  AU-10(4)(b)
    AU-10(4)(b)[1] the organization defines actions to be performed in the event of a validation error; and
    AU-10(4)(b)[2] the information system performs organization-defined actions in the event of a validation error.
Examine: Audit and accountability policy; procedures addressing non-repudiation; information system design documentation; information system configuration settings and associated documentation; validation records; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing non-repudiation capability
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-10(5) DIGITAL SIGNATURES
[Withdrawn: Incorporated into SI-7].
Family: AUDIT AND ACCOUNTABILITY
Control: AU-11 AUDIT RECORD RETENTION
Determine if the organization:
  AU-11[1] defines a time period to retain audit records that is consistent with records retention policy;
  AU-11[2] retains audit records for the organization-defined time period consistent with records retention policy to:
    AU-11[2][a] provide support for after-the-fact investigations of security incidents; and
    AU-11[2][b] meet regulatory and organizational information retention requirements.
Examine: Audit and accountability policy; audit record retention policy and procedures; security plan; organization-defined retention period for audit records; audit record archives; audit logs; audit records; other relevant documents or records
Interview: Organizational personnel with audit record retention responsibilities; organizational personnel with information security responsibilities; system/network administrators

Family: AUDIT AND ACCOUNTABILITY
Control: AU-11(1) LONG-TERM RETRIEVAL CAPABILITY
Determine if the organization:
  AU-11(1)[1] defines measures to be employed to ensure that long-term audit records generated by the information system can be retrieved; and
  AU-11(1)[2] employs organization-defined measures to ensure that long-term audit records generated by the information system can be retrieved.
Examine: Audit and accountability policy; audit record retention policy and procedures; information system design documentation; information system configuration settings and associated documentation; audit record archives; audit logs; audit records; other relevant documents or records
Test: Automated mechanisms implementing audit record retention capability
Interview: Organizational personnel with audit record retention responsibilities; organizational personnel with information security responsibilities; system/network administrators
Family: AUDIT AND ACCOUNTABILITY
Control: AU-12 AUDIT GENERATION
Determine if:
  AU-12(a)
    AU-12(a)[1] the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;
    AU-12(a)[2] the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;
  AU-12(b)
    AU-12(b)[1] the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;
    AU-12(b)[2] the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and
  AU-12(c) the information system generates audit records for the events defined in AU-2d with the content defined in AU-3.
Examine: Audit and accountability policy; procedures addressing audit record generation; security plan; information system design documentation; information system configuration settings and associated documentation; list of auditable events; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing audit record generation capability
Interview: Organizational personnel with audit record generation responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
Family: AUDIT AND ACCOUNTABILITY
Control: AU-12(1) SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL
Determine if:
  AU-12(1)[1] the organization defines the information system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail;
  AU-12(1)[2] the organization defines the level of tolerance for the relationship between time stamps of individual records in the audit trail; and
  AU-12(1)[3] the information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within the organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail.
Examine: Audit and accountability policy; procedures addressing audit record generation; information system design documentation; information system configuration settings and associated documentation; system-wide audit trail (logical or physical); information system audit records; other relevant documents or records
Test: Automated mechanisms implementing audit record generation capability
Interview: Organizational personnel with audit record generation responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-12(2) STANDARDIZED FORMATS
Determine if the information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
Examine: Audit and accountability policy; procedures addressing audit record generation; information system design documentation; information system configuration settings and associated documentation; system-wide audit trail (logical or physical); information system audit records; other relevant documents or records
Test: Automated mechanisms implementing audit record generation capability
Interview: Organizational personnel with audit record generation responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-12(3) CHANGES BY AUTHORIZED INDIVIDUALS
Determine if:
  AU-12(3)[1] the organization defines information system components on which auditing is to be performed;
  AU-12(3)[2] the organization defines individuals or roles authorized to change the auditing to be performed on organization-defined information system components;
  AU-12(3)[3] the organization defines time thresholds within which organization-defined individuals or roles can change the auditing to be performed on organization-defined information system components;
  AU-12(3)[4] the organization defines selectable event criteria that support the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components; and
  AU-12(3)[5] the information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.
Examine: Audit and accountability policy; procedures addressing audit record generation; information system design documentation; information system configuration settings and associated documentation; system-generated list of individuals or roles authorized to change auditing to be performed; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing audit record generation capability
Interview: Organizational personnel with audit record generation responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-13 MONITORING FOR INFORMATION DISCLOSURE
Determine if the organization:
  AU-13[1] defines open source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information;
  AU-13[2] defines a frequency to monitor organization-defined open source information and/or information sites for evidence of unauthorized disclosure of organizational information; and
  AU-13[3] monitors organization-defined open source information and/or information sites for evidence of unauthorized disclosure of organizational information with the organization-defined frequency.
Examine: Audit and accountability policy; procedures addressing information disclosure monitoring; information system design documentation; information system configuration settings and associated documentation; monitoring records; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing monitoring for information disclosure
Interview: Organizational personnel with responsibilities for monitoring open source information and/or information sites; organizational personnel with information security responsibilities

Family: AUDIT AND ACCOUNTABILITY
Control: AU-13(1) USE OF AUTOMATED TOOLS
Determine if the organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.
Examine: Audit and accountability policy; procedures addressing information disclosure monitoring; information system design documentation; information system configuration settings and associated documentation; automated monitoring tools; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing monitoring for information disclosure
Interview: Organizational personnel with responsibilities for monitoring information disclosures; organizational personnel with information security responsibilities

Family: AUDIT AND ACCOUNTABILITY
Control: AU-13(2) REVIEW OF MONITORED SITES
Determine if the organization:
  AU-13(2)[1] defines a frequency to review the open source information sites being monitored; and
  AU-13(2)[2] reviews the open source information sites being monitored with the organization-defined frequency.
Examine: Audit and accountability policy; procedures addressing information disclosure monitoring; information system design documentation; information system configuration settings and associated documentation; reviews for open source information sites being monitored; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing monitoring for information disclosure
Interview: Organizational personnel with responsibilities for monitoring open source information sites; organizational personnel with information security responsibilities
Family: AUDIT AND ACCOUNTABILITY
Control: AU-14 SESSION AUDIT
Determine if the information system provides the capability for authorized users to select a user session to:
  AU-14[1] capture/record; and/or
  AU-14[2] view/hear.
Examine: Audit and accountability policy; procedures addressing user session auditing; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing user session auditing capability
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-14(1) SYSTEM START-UP
Determine if the information system initiates session audits at system start-up.
Examine: Audit and accountability policy; procedures addressing user session auditing; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing user session auditing capability
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-14(2) CAPTURE / RECORD AND LOG CONTENT
Determine if the information system provides the capability for authorized users to:
  AU-14(2)[1] capture/record content related to a user session; and
  AU-14(2)[2] log content related to a user session.
Examine: Audit and accountability policy; procedures addressing user session auditing; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing user session auditing capability
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers
Family: AUDIT AND ACCOUNTABILITY
Control: AU-14(3) REMOTE VIEWING / LISTENING
Determine if the information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.
Examine: Audit and accountability policy; procedures addressing user session auditing; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing user session auditing capability
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers

Family: AUDIT AND ACCOUNTABILITY
Control: AU-15 ALTERNATE AUDIT CAPABILITY
Determine if the organization:
  AU-15[1] defines alternative audit functionality to be provided in the event of a failure in primary audit capability; and
  AU-15[2] provides an alternative audit capability in the event of a failure in primary audit capability that provides organization-defined alternative audit functionality.
Examine: Audit and accountability policy; procedures addressing alternate audit capability; information system design documentation; information system configuration settings and associated documentation; test records for alternative audit capability; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing alternative audit capability
Interview: Organizational personnel responsible for providing alternate audit capability; organizational personnel with information security responsibilities
Family: AUDIT AND ACCOUNTABILITY
Control: AU-16 CROSS-ORGANIZATIONAL AUDITING
Determine if the organization:
  AU-16[1] defines audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries;
  AU-16[2] defines methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries; and
  AU-16[3] employs organization-defined methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries.
Examine: Audit and accountability policy; procedures addressing methods for coordinating audit information among external organizations; information system design documentation; information system configuration settings and associated documentation; methods for coordinating audit information among external organizations; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing cross-organizational auditing (if applicable)
Interview: Organizational personnel with responsibilities for coordinating audit information among external organizations; organizational personnel with information security responsibilities

Family: AUDIT AND ACCOUNTABILITY
Control: AU-16(1) IDENTITY PRESERVATION
Determine if the organization requires that the identity of individuals be preserved in cross-organizational audit trails.
Examine: Audit and accountability policy; procedures addressing cross-organizational audit trails; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing cross-organizational auditing (if applicable)
Interview: Organizational personnel with cross-organizational audit responsibilities; organizational personnel with information security responsibilities

Family: AUDIT AND ACCOUNTABILITY
Control: AU-16(2) SHARING OF AUDIT INFORMATION
Determine if the organization:
  AU-16(2)[1] defines organizations with whom cross-organizational audit information is to be shared;
  AU-16(2)[2] defines cross-organizational sharing agreements to be used when providing cross-organizational audit information to organization-defined organizations; and
  AU-16(2)[3] provides cross-organizational audit information to organization-defined organizations based on organization-defined cross-organizational sharing agreements.
Examine: Audit and accountability policy; procedures addressing cross-organizational sharing of audit information; cross-organizational sharing agreements; data sharing agreements; other relevant documents or records
Interview: Organizational personnel with responsibilities for sharing cross-organizational audit information; organizational personnel with information security responsibilities
SECURITY ASSESSMENT AND AUTHORIZATION | CA-1 | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
Determine if the organization:
  CA-1(a)(1)
    CA-1(a)(1)[1] develops and documents a security assessment and authorization policy that addresses:
      CA-1(a)(1)[1][a] purpose;
      CA-1(a)(1)[1][b] scope;
      CA-1(a)(1)[1][c] roles;
      CA-1(a)(1)[1][d] responsibilities;
      CA-1(a)(1)[1][e] management commitment;
      CA-1(a)(1)[1][f] coordination among organizational entities;
      CA-1(a)(1)[1][g] compliance;
    CA-1(a)(1)[2] defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;
    CA-1(a)(1)[3] disseminates the security assessment and authorization policy to organization-defined personnel or roles;
  CA-1(a)(2)
    CA-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;
    CA-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    CA-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  CA-1(b)(1)
    CA-1(b)(1)[1] defines the frequency to review and update the current security assessment and authorization policy;
    CA-1(b)(1)[2] reviews and updates the current security assessment and authorization policy with the organization-defined frequency;
  CA-1(b)(2)
    CA-1(b)(2)[1] defines the frequency to review and update the current security assessment and authorization procedures; and
    CA-1(b)(2)[2] reviews and updates the current security assessment and authorization procedures with the organization-defined frequency.
Examine: Security assessment and authorization policy and procedures; other relevant documents or records
Interview: Organizational personnel with security assessment and authorization responsibilities; organizational personnel with information security responsibilities
SECURITY ASSESSMENT AND AUTHORIZATION | CA-2 | SECURITY ASSESSMENTS
Determine if the organization:
  CA-2(a) develops a security assessment plan that describes the scope of the assessment including:
    CA-2(a)(1) security controls and control enhancements under assessment;
    CA-2(a)(2) assessment procedures to be used to determine security control effectiveness;
    CA-2(a)(3)
      CA-2(a)(3)[1] assessment environment;
      CA-2(a)(3)[2] assessment team;
      CA-2(a)(3)[3] assessment roles and responsibilities;
  CA-2(b)
    CA-2(b)[1] defines the frequency to assess the security controls in the information system and its environment of operation;
    CA-2(b)[2] assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
  CA-2(c) produces a security assessment report that documents the results of the assessment;
  CA-2(d)
    CA-2(d)[1] defines individuals or roles to whom the results of the security control assessment are to be provided; and
    CA-2(d)[2] provides the results of the security control assessment to organization-defined individuals or roles.
Examine: Security assessment and authorization policy; procedures addressing security assessment planning; procedures addressing security assessments; security assessment plan; other relevant documents or records
Test: Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting
Interview: Organizational personnel with security assessment responsibilities; organizational personnel with information security responsibilities
SECURITY ASSESSMENT AND AUTHORIZATION | CA-2(1) | INDEPENDENT ASSESSORS
Determine if the organization:
  CA-2(1)[1] defines the level of independence to be employed to conduct security control assessments; and
  CA-2(1)[2] employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments.
Examine: Security assessment and authorization policy; procedures addressing security assessments; security authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records
Interview: Organizational personnel with security assessment responsibilities; organizational personnel with information security responsibilities

SECURITY ASSESSMENT AND AUTHORIZATION | CA-2(2) | SPECIALIZED ASSESSMENTS
Determine if the organization:
  CA-2(2)[1] selects one or more of the following forms of specialized security assessment to be included as part of security control assessments:
    CA-2(2)[1][a] in-depth monitoring;
    CA-2(2)[1][b] vulnerability scanning;
    CA-2(2)[1][c] malicious user testing;
    CA-2(2)[1][d] insider threat assessment;
    CA-2(2)[1][e] performance/load testing; and/or
    CA-2(2)[1][f] other forms of organization-defined specialized security assessment;
  CA-2(2)[2] defines the frequency for conducting the selected form(s) of specialized security assessment;
  CA-2(2)[3] defines whether the specialized security assessment will be announced or unannounced; and
  CA-2(2)[4] conducts announced or unannounced organization-defined forms of specialized security assessments with the organization-defined frequency as part of security control assessments.
Examine: Security assessment and authorization policy; procedures addressing security assessments; security plan; security assessment plan; security assessment report; security assessment evidence; other relevant documents or records
Test: Automated mechanisms supporting security control assessment
Interview: Organizational personnel with security assessment responsibilities; organizational personnel with information security responsibilities

SECURITY ASSESSMENT AND AUTHORIZATION | CA-2(3) | EXTERNAL ORGANIZATIONS
Determine if the organization:
  CA-2(3)[1] defines an information system for which the results of a security assessment performed by an external organization are to be accepted;
  CA-2(3)[2] defines an external organization from which to accept a security assessment performed on an organization-defined information system;
  CA-2(3)[3] defines the requirements to be met by a security assessment performed by organization-defined external organization on organization-defined information system; and
  CA-2(3)[4] accepts the results of an assessment of an organization-defined information system performed by an organization-defined external organization when the assessment meets organization-defined requirements.
Examine: Security assessment and authorization policy; procedures addressing security assessments; security plan; security assessment requirements; security assessment plan; security assessment report; security assessment evidence; plan of action and milestones; other relevant documents or records
Interview: Organizational personnel with security assessment responsibilities; organizational personnel with information security responsibilities; personnel performing security assessments for the specified external organization
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3 | SYSTEM INTERCONNECTIONS
Determine if the organization:
  CA-3(a) authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
  CA-3(b) documents, for each interconnection:
    CA-3(b)[1] the interface characteristics;
    CA-3(b)[2] the security requirements;
    CA-3(b)[3] the nature of the information communicated;
  CA-3(c)
    CA-3(c)[1] defines the frequency to review and update Interconnection Security Agreements; and
    CA-3(c)[2] reviews and updates Interconnection Security Agreements with the organization-defined frequency.
Examine: Access control policy; procedures addressing information system connections; system and communications protection policy; information system Interconnection Security Agreements; security plan; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records
Interview: Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements; organizational personnel with information security responsibilities; personnel managing the system(s) to which the Interconnection Security Agreement applies
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3(1) | UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
Determine if the organization:
  CA-3(1)[1] defines an unclassified, national security system whose direct connection to an external network is to be prohibited without the use of an approved boundary protection device;
  CA-3(1)[2] defines a boundary protection device to be used to establish the direct connection of an organization-defined unclassified, national security system to an external network; and
  CA-3(1)[3] prohibits the direct connection of an organization-defined unclassified, national security system to an external network without the use of an organization-defined boundary protection device.
Examine: Access control policy; procedures addressing information system connections; system and communications protection policy; information system interconnection security agreements; security plan; information system design documentation; information system configuration settings and associated documentation; security assessment report; information system audit records; other relevant documents or records
Test: Automated mechanisms supporting the management of external network connections
Interview: Organizational personnel with responsibility for managing direct connections to external networks; network administrators; organizational personnel with information security responsibilities; personnel managing directly connected external networks
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3(2) | CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
Determine if the organization:
  CA-3(2)[1] defines a boundary protection device to be used to establish the direct connection of a classified, national security system to an external network; and
  CA-3(2)[2] prohibits the direct connection of a classified, national security system to an external network without the use of an organization-defined boundary protection device.
Examine: Access control policy; procedures addressing information system connections; system and communications protection policy; information system interconnection security agreements; security plan; information system design documentation; information system configuration settings and associated documentation; security assessment report; information system audit records; other relevant documents or records
Test: Automated mechanisms supporting the management of external network connections
Interview: Organizational personnel with responsibility for managing direct connections to external networks; network administrators; organizational personnel with information security responsibilities; personnel managing directly connected external networks
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3(3) | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS
Determine if the organization:
  CA-3(3)[1] defines an unclassified, non-national security system whose direct connection to an external network is to be prohibited without the use of an approved boundary protection device;
  CA-3(3)[2] defines a boundary protection device to be used to establish the direct connection of an organization-defined unclassified, non-national security system to an external network; and
  CA-3(3)[3] prohibits the direct connection of an organization-defined unclassified, non-national security system to an external network without the use of an organization-defined boundary protection device.
Examine: Access control policy; procedures addressing information system connections; system and communications protection policy; information system interconnection security agreements; security plan; information system design documentation; information system configuration settings and associated documentation; security assessment report; information system audit records; other relevant documents or records
Test: Automated mechanisms supporting the management of external network connections
Interview: Organizational personnel with responsibility for managing direct connections to external networks; network administrators; organizational personnel with information security responsibilities; personnel managing directly connected external networks
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3(4) | CONNECTIONS TO PUBLIC NETWORKS
Determine if the organization:
  CA-3(4)[1] defines an information system whose direct connection to a public network is to be prohibited; and
  CA-3(4)[2] prohibits the direct connection of an organization-defined information system to a public network.
Examine: Access control policy; procedures addressing information system connections; system and communications protection policy; information system interconnection security agreements; security plan; information system design documentation; information system configuration settings and associated documentation; security assessment report; information system audit records; other relevant documents or records
Test: Automated mechanisms supporting the management of public network connections
Interview: Network administrators; organizational personnel with information security responsibilities

SECURITY ASSESSMENT AND AUTHORIZATION | CA-3(5) | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS
Determine if the organization:
  CA-3(5)[1] defines information systems to be allowed to connect to external information systems;
  CA-3(5)[2] employs one of the following policies for allowing organization-defined information systems to connect to external information systems:
    CA-3(5)[2][a] allow-all policy;
    CA-3(5)[2][b] deny-by-exception policy;
    CA-3(5)[2][c] deny-all policy; or
    CA-3(5)[2][d] permit-by-exception policy.
Examine: Access control policy; procedures addressing information system connections; system and communications protection policy; information system interconnection agreements; security plan; information system design documentation; information system configuration settings and associated documentation; security assessment report; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing restrictions on external system connections
Interview: Organizational personnel with responsibility for managing connections to external information systems; network administrators; organizational personnel with information security responsibilities

SECURITY ASSESSMENT AND AUTHORIZATION | CA-4 | SECURITY CERTIFICATION
[Withdrawn: Incorporated into CA-2].

SECURITY ASSESSMENT AND AUTHORIZATION | CA-5 | PLAN OF ACTION AND MILESTONES
Determine if the organization:
  CA-5(a) develops a plan of action and milestones for the information system to:
    CA-5(a)[1] document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;
    CA-5(a)[2] reduce or eliminate known vulnerabilities in the system;
  CA-5(b)
    CA-5(b)[1] defines the frequency to update the existing plan of action and milestones;
    CA-5(b)[2] updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:
      CA-5(b)[2][a] security controls assessments;
      CA-5(b)[2][b] security impact analyses; and
      CA-5(b)[2][c] continuous monitoring activities.
Examine: Security assessment and authorization policy; procedures addressing plan of action and milestones; security plan; security assessment plan; security assessment report; security assessment evidence; plan of action and milestones; other relevant documents or records
Test: Automated mechanisms for developing, implementing, and maintaining plan of action and milestones
Interview: Organizational personnel with plan of action and milestones development and implementation responsibilities; organizational personnel with information security responsibilities
SECURITY ASSESSMENT AND AUTHORIZATION | CA-5(1) | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
Determine if the organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is:
  CA-5(1)[1] accurate;
  CA-5(1)[2] up to date; and
  CA-5(1)[3] readily available.
Examine: Security assessment and authorization policy; procedures addressing plan of action and milestones; information system design documentation; information system configuration settings and associated documentation; information system audit records; plan of action and milestones; other relevant documents or records
Test: Automated mechanisms for developing, implementing and maintaining plan of action and milestones
Interview: Organizational personnel with plan of action and milestones development and implementation responsibilities; organizational personnel with information security responsibilities

SECURITY ASSESSMENT AND AUTHORIZATION | CA-6 | SECURITY AUTHORIZATION
Determine if the organization:
  CA-6(a) assigns a senior-level executive or manager as the authorizing official for the information system;
  CA-6(b) ensures that the authorizing official authorizes the information system for processing before commencing operations;
  CA-6(c)
    CA-6(c)[1] defines the frequency to update the security authorization; and
    CA-6(c)[2] updates the security authorization with the organization-defined frequency.
Examine: Security assessment and authorization policy; procedures addressing security authorization; security authorization package (including security plan; security assessment report; plan of action and milestones; authorization statement); other relevant documents or records
Test: Automated mechanisms that facilitate security authorizations and updates
Interview: Organizational personnel with security authorization responsibilities; organizational personnel with information security responsibilities
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 | CONTINUOUS MONITORING
Determine if the organization:
  CA-7(a)
    CA-7(a)[1] develops a continuous monitoring strategy that defines metrics to be monitored;
    CA-7(a)[2] develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;
    CA-7(a)[3] implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
  CA-7(b)
    CA-7(b)[1] develops a continuous monitoring strategy that defines frequencies for monitoring;
    CA-7(b)[2] defines frequencies for assessments supporting monitoring;
    CA-7(b)[3] develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;
    CA-7(b)[4] implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;
  CA-7(c)
    CA-7(c)[1] develops a continuous monitoring strategy that includes ongoing security control assessments;
    CA-7(c)[2] implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
  CA-7(d)
    CA-7(d)[1] develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;
    CA-7(d)[2] implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
  CA-7(e)
    CA-7(e)[1] develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;
    CA-7(e)[2] implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;
  CA-7(f)
    CA-7(f)[1] develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;
    CA-7(f)[2] implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;
  CA-7(g)
    CA-7(g)[1] develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;
    CA-7(g)[2] develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;
    CA-7(g)[3] develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organization-defined personnel or roles with the organization-defined frequency; and
    CA-7(g)[4] implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy.
Examine: Security assessment and authorization policy; procedures addressing continuous monitoring of information system security controls; procedures addressing configuration management; security plan; security assessment report; plan of action and milestones; information system monitoring records; configuration management records; security impact analyses; status reports; other relevant documents or records
Test: Mechanisms implementing continuous monitoring
Interview: Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security responsibilities; system/network administrators

SECURITY ASSESSMENT AND AUTHORIZATION | CA-7(1) | INDEPENDENT ASSESSMENT
Determine if the organization:
  CA-7(1)[1] defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and
  CA-7(1)[2] employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis.
Examine: Security assessment and authorization policy; procedures addressing continuous monitoring of information system security controls; security plan; security assessment report; plan of action and milestones; information system monitoring records; security impact analyses; status reports; other relevant documents or records
Interview: Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security responsibilities

SECURITY ASSESSMENT AND AUTHORIZATION | CA-7(2) | TYPES OF ASSESSMENTS
[Withdrawn: Incorporated into CA-2].

SECURITY ASSESSMENT AND AUTHORIZATION | CA-7(3) | TREND ANALYSIS
Determine if the organization employs trend analyses to determine if the following items need to be modified based on empirical data:
  CA-7(3)[1] security control implementations;
  CA-7(3)[2] the frequency of continuous monitoring activities; and/or
  CA-7(3)[3] the types of activities used in the continuous monitoring process.
Examine: Continuous monitoring strategy; security assessment and authorization policy; procedures addressing continuous monitoring of information system security controls; security plan; security assessment report; plan of action and milestones; information system monitoring records; security impact analyses; status reports; other relevant documents or records
Interview: Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security responsibilities
SECURITY ASSESSMENT AND AUTHORIZATION | CA-8 | PENETRATION TESTING
Determine if the organization:
  CA-8[1] defines information systems or system components on which penetration testing is to be conducted;
  CA-8[2] defines the frequency to conduct penetration testing on organization-defined information systems or system components; and
  CA-8[3] conducts penetration testing on organization-defined information systems or system components with the organization-defined frequency.
Examine: Security assessment and authorization policy; procedures addressing penetration testing; security plan; security assessment plan; penetration test report; security assessment report; security assessment evidence; other relevant documents or records
Test: Automated mechanisms supporting penetration testing
Interview: Organizational personnel with security assessment responsibilities; organizational personnel with information security responsibilities; system/network administrators

SECURITY ASSESSMENT AND AUTHORIZATION | CA-8(1) | INDEPENDENT PENETRATION AGENT OR TEAM
Determine if the organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
Examine: Security assessment and authorization policy; procedures addressing penetration testing; security plan; security assessment plan; penetration test report; security assessment report; security assessment evidence; other relevant documents or records
Interview: Organizational personnel with security assessment responsibilities; organizational personnel with information security responsibilities

SECURITY ASSESSMENT AND AUTHORIZATION | CA-8(2) | RED TEAM EXERCISES
Determine if the organization:
  CA-8(2)[1] defines red team exercises to be employed to simulate attempts by adversaries to compromise organizational information systems;
  CA-8(2)[2] defines rules of engagement for employing organization-defined red team exercises; and
  CA-8(2)[3] employs organization-defined red team exercises to simulate attempts by adversaries to compromise organizational information systems in accordance with organization-defined rules of engagement.
Examine: Security assessment and authorization policy; procedures addressing penetration testing; procedures addressing red team exercises; security plan; security assessment plan; results of red team exercise; penetration test report; security assessment report; rules of engagement; security assessment evidence; other relevant documents or records
Test: Automated mechanisms supporting employment of red team exercises
Interview: Organizational personnel with security assessment responsibilities; organizational personnel with information security responsibilities; system/network administrators
SECURITY ASSESSMENT AND AUTHORIZATION | CA-9 | INTERNAL SYSTEM CONNECTIONS
Determine if the organization:
  CA-9(a)
    CA-9(a)[1] defines information system components or classes of components to be authorized as internal connections to the information system;
    CA-9(a)[2] authorizes internal connections of organization-defined information system components or classes of components to the information system;
  CA-9(b) documents, for each internal connection:
    CA-9(b)[1] the interface characteristics;
    CA-9(b)[2] the security requirements; and
    CA-9(b)[3] the nature of the information communicated.
Examine: Access control policy; procedures addressing information system connections; system and communications protection policy; security plan; information system design documentation; information system configuration settings and associated documentation; list of components or classes of components authorized as internal system connections; security assessment report; information system audit records; other relevant documents or records
Interview: Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections; organizational personnel with information security responsibilities

SECURITY ASSESSMENT AND AUTHORIZATION | CA-9(1) | SECURITY COMPLIANCE CHECKS
Determine if the information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.
Examine: Access control policy; procedures addressing information system connections; system and communications protection policy; security plan; information system design documentation; information system configuration settings and associated documentation; list of components or classes of components authorized as internal system connections; security assessment report; information system audit records; other relevant documents or records
Test: Automated mechanisms supporting compliance checks
Interview: Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections; organizational personnel with information security responsibilities

CONFIGURATION MANAGEMENT | CM-1 | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
Determine if the organization:
  CM-1(a)(1)
    CM-1(a)(1)[1] develops and documents a configuration management policy that addresses:
      CM-1(a)(1)[1][a] purpose;
      CM-1(a)(1)[1][b] scope;
      CM-1(a)(1)[1][c] roles;
      CM-1(a)(1)[1][d] responsibilities;
      CM-1(a)(1)[1][e] management commitment;
      CM-1(a)(1)[1][f] coordination among organizational entities;
      CM-1(a)(1)[1][g] compliance;
    CM-1(a)(1)[2] defines personnel or roles to whom the configuration management policy is to be disseminated;
    CM-1(a)(1)[3] disseminates the configuration management policy to organization-defined personnel or roles;
  CM-1(a)(2)
    CM-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;
    CM-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    CM-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  CM-1(b)(1)
    CM-1(b)(1)[1] defines the frequency to review and update the current configuration management policy;
    CM-1(b)(1)[2] reviews and updates the current configuration management policy with the organization-defined frequency;
  CM-1(b)(2)
    CM-1(b)(2)[1] defines the frequency to review and update the current configuration management procedures; and
    CM-1(b)(2)[2] reviews and updates the current configuration management procedures with the organization-defined frequency.
Examine: Configuration management policy and procedures; other relevant documents or records
Interview: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators

CONFIGURATION MANAGEMENT | CM-2 | BASELINE CONFIGURATION
Determine if the organization:
  CM-2[1] develops and documents a current baseline configuration of the information system; and
  CM-2[2] maintains, under configuration control, a current baseline configuration of the information system.
Examine: Configuration management policy; procedures addressing the baseline configuration of the information system; configuration management plan; enterprise architecture documentation; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; change control records; other relevant documents or records
Test: Organizational processes for managing baseline configurations; automated mechanisms supporting configuration control of the baseline configuration
Interview: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators
CONFIGURATION MANAGEMENT CM-2(1) REVIEWS AND UPDATES
Determine if the organization:
CM-2(1)(a)[1] defines the frequency to review and update the baseline configuration of the information system;
CM-2(1)(a)[2] reviews and updates the baseline configuration of the information system with the organization-defined frequency;
CM-2(1)(b)[1] defines circumstances that require the baseline configuration of the information system to be reviewed and updated;
CM-2(1)(b)[2] reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances; and
CM-2(1)(c) reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades.
Examine: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; procedures addressing information system component installations and upgrades; information system architecture and configuration documentation; information system configuration settings and associated documentation; records of information system baseline configuration reviews and updates; information system component installations/upgrades and associated records; change control records; other relevant documents or records
Test: Organizational processes for managing baseline configurations; automated mechanisms supporting review and update of the baseline configuration
Interview: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators
CONFIGURATION MANAGEMENT CM-2(2) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
Determine if the organization employs automated mechanisms to maintain:
CM-2(2)[1] an up-to-date baseline configuration of the information system;
CM-2(2)[2] a complete baseline configuration of the information system;
CM-2(2)[3] an accurate baseline configuration of the information system; and
CM-2(2)[4] a readily available baseline configuration of the information system.
Examine: Configuration management policy; procedures addressing the baseline configuration of the information system; configuration management plan; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; configuration change control records; other relevant documents or records
Test: Organizational processes for managing baseline configurations; automated mechanisms implementing baseline configuration maintenance
Interview: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators
CONFIGURATION MANAGEMENT CM-2(3) RETENTION OF PREVIOUS CONFIGURATIONS
Determine if the organization:
CM-2(3)[1] defines previous versions of baseline configurations of the information system to be retained to support rollback; and
CM-2(3)[2] retains organization-defined previous versions of baseline configurations of the information system to support rollback.
Examine: Configuration management policy; procedures addressing the baseline configuration of the information system; configuration management plan; information system architecture and configuration documentation; information system configuration settings and associated documentation; copies of previous baseline configuration versions; other relevant documents or records
Test: Organizational processes for managing baseline configurations
Interview: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators

CONFIGURATION MANAGEMENT CM-2(4) UNAUTHORIZED SOFTWARE
[Withdrawn: Incorporated into CM-7].

CONFIGURATION MANAGEMENT CM-2(5) AUTHORIZED SOFTWARE
[Withdrawn: Incorporated into CM-7].

CONFIGURATION MANAGEMENT CM-2(6) DEVELOPMENT AND TEST ENVIRONMENTS
Determine if the organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
Examine: Configuration management policy; procedures addressing the baseline configuration of the information system; configuration management plan; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; other relevant documents or records
Test: Organizational processes for managing baseline configurations; automated mechanisms implementing separate baseline configurations for development, test, and operational environments
Interview: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators

CONFIGURATION MANAGEMENT CM-2(7) CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS
Determine if the organization:
CM-2(7)(a)[1] defines information systems, system components, or devices to be issued to individuals traveling to locations that the organization deems to be of significant risk;
CM-2(7)(a)[2] defines configurations to be employed on organization-defined information systems, system components, or devices issued to individuals traveling to such locations;
CM-2(7)(a)[3] issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk;
CM-2(7)(b)[1] defines security safeguards to be applied to the devices when the individuals return; and
CM-2(7)(b)[2] applies organization-defined safeguards to the devices when the individuals return.
Examine: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; procedures addressing information system component installations and upgrades; information system architecture and configuration documentation; information system configuration settings and associated documentation; records of information system baseline configuration reviews and updates; information system component installations/upgrades and associated records; change control records; other relevant documents or records
Test: Organizational processes for managing baseline configurations
Interview: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators

CONFIGURATION MANAGEMENT CM-3 CONFIGURATION CHANGE CONTROL
Determine if the organization:
CM-3(a) determines the type of changes to the information system that must be configuration-controlled;
CM-3(b) reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
CM-3(c) documents configuration change decisions associated with the information system;
CM-3(d) implements approved configuration-controlled changes to the information system;
CM-3(e)[1] defines a time period to retain records of configuration-controlled changes to the information system;
CM-3(e)[2] retains records of configuration-controlled changes to the information system for the organization-defined time period;
CM-3(f) audits and reviews activities associated with configuration-controlled changes to the information system;
CM-3(g)[1] defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;
CM-3(g)[2] defines the frequency with which the configuration change control element must convene; and/or
CM-3(g)[3] defines configuration change conditions that prompt the configuration change control element to convene; and
CM-3(g)[4] coordinates and provides oversight for configuration change control activities through the organization-defined configuration change control element that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions.
Examine: Configuration management policy; procedures addressing information system configuration change control; configuration management plan; information system architecture and configuration documentation; security plan; change control records; information system audit records; change control audit and review reports; agenda/minutes from configuration change control oversight meetings; other relevant documents or records
Test: Organizational processes for configuration change control; automated mechanisms that implement configuration change control
Interview: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; members of change control board or similar

CONFIGURATION MANAGEMENT CM-3(1) AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
Determine if the organization:
CM-3(1)(a) employs automated mechanisms to document proposed changes to the information system;
CM-3(1)(b)[1] defines approval authorities to be notified of proposed changes to the information system and request change approval;
CM-3(1)(b)[2] employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval;
CM-3(1)(c)[1] defines the time period within which proposed changes to the information system that have not been approved or disapproved must be highlighted;
CM-3(1)(c)[2] employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by the organization-defined time period;
CM-3(1)(d) employs automated mechanisms to prohibit changes to the information system until designated approvals are received;
CM-3(1)(e) employs automated mechanisms to document all changes to the information system;
CM-3(1)(f)[1] defines personnel to be notified when approved changes to the information system are completed; and
CM-3(1)(f)[2] employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed.
Examine: Configuration management policy; procedures addressing information system configuration change control; configuration management plan; information system design documentation; information system architecture and configuration documentation; automated configuration control mechanisms; information system configuration settings and associated documentation; change control records; information system audit records; change approval requests; change approvals; other relevant documents or records
Test: Organizational processes for configuration change control; automated mechanisms implementing configuration change control activities
Interview: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
CONFIGURATION MANAGEMENT CM-3(2) TEST / VALIDATE / DOCUMENT CHANGES
Determine if the organization, before implementing changes on the operational system:
CM-3(2)[1] tests changes to the information system;
CM-3(2)[2] validates changes to the information system; and
CM-3(2)[3] documents changes to the information system.
Examine: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; test records; validation records; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for configuration change control; automated mechanisms supporting and/or implementing testing, validating, and documenting information system changes
Interview: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators
CONFIGURATION MANAGEMENT CM-3(3) AUTOMATED CHANGE IMPLEMENTATION
Determine if the organization:
CM-3(3)[1] employs automated mechanisms to implement changes to the current information system baseline; and
CM-3(3)[2] deploys the updated baseline across the installed base.
Examine: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; automated configuration control mechanisms; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for configuration change control; automated mechanisms implementing changes to current information system baseline
Interview: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

CONFIGURATION MANAGEMENT CM-3(4) SECURITY REPRESENTATIVE
Determine if the organization:
CM-3(4)[1] specifies the configuration change control elements (as defined in CM-3g) of which an information security representative is to be a member; and
CM-3(4)[2] requires an information security representative to be a member of the specified configuration control element.
Examine: Configuration management policy; procedures addressing information system configuration change control; configuration management plan; security plan; other relevant documents or records
Test: Organizational processes for configuration change control
Interview: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities
CONFIGURATION MANAGEMENT CM-3(5) AUTOMATED SECURITY RESPONSE
Determine if:
CM-3(5)[1] the organization defines security responses to be implemented automatically if baseline configurations are changed in an unauthorized manner; and
CM-3(5)[2] the information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.
Examine: Configuration management policy; procedures addressing information system configuration change control; configuration management plan; security plan; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; alerts/notifications of unauthorized baseline configuration changes; information system audit records; other relevant documents or records
Test: Organizational processes for configuration change control; automated mechanisms implementing security responses to changes to the baseline configurations
Interview: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
CONFIGURATION MANAGEMENT CM-3(6) CRYPTOGRAPHY MANAGEMENT
Determine if the organization:
CM-3(6)[1] defines security safeguards provided by cryptographic mechanisms that are to be under configuration management; and
CM-3(6)[2] ensures that cryptographic mechanisms used to provide organization-defined security safeguards are under configuration management.
Examine: Configuration management policy; procedures addressing information system configuration change control; configuration management plan; security plan; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; other relevant documents or records
Test: Organizational processes for configuration change control; cryptographic mechanisms implementing organizational security safeguards
Interview: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators

CONFIGURATION MANAGEMENT CM-4 SECURITY IMPACT ANALYSIS
Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Examine: Configuration management policy; procedures addressing security impact analysis for changes to the information system; configuration management plan; security impact analysis documentation; analysis tools and associated outputs; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for security impact analysis
Interview: Organizational personnel with responsibility for conducting security impact analysis; organizational personnel with information security responsibilities; system/network administrators

CONFIGURATION MANAGEMENT CM-4(1) SEPARATE TEST ENVIRONMENTS
Determine if the organization:
CM-4(1)[1] analyzes changes to the information system in a separate test environment before implementation in an operational environment;
CM-4(1)[2] when analyzing changes to the information system in a separate test environment, looks for security impacts due to:
CM-4(1)[2][a] flaws;
CM-4(1)[2][b] weaknesses;
CM-4(1)[2][c] incompatibility; and
CM-4(1)[2][d] intentional malice.
Examine: Configuration management policy; procedures addressing security impact analysis for changes to the information system; configuration management plan; security impact analysis documentation; analysis tools and associated outputs; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; documentation evidence of separate test and operational environments; other relevant documents or records
Test: Organizational processes for security impact analysis; automated mechanisms supporting and/or implementing security impact analysis of changes
Interview: Organizational personnel with responsibility for conducting security impact analysis; organizational personnel with information security responsibilities; system/network administrators
CONFIGURATION MANAGEMENT CM-4(2) VERIFICATION OF SECURITY FUNCTIONS
Determine if the organization, after the information system is changed, checks the security functions to verify that the functions are:
CM-4(2)[1] implemented correctly;
CM-4(2)[2] operating as intended; and
CM-4(2)[3] producing the desired outcome with regard to meeting the security requirements for the system.
Examine: Configuration management policy; procedures addressing security impact analysis for changes to the information system; configuration management plan; security impact analysis documentation; analysis tools and associated outputs; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for security impact analysis; automated mechanisms supporting and/or implementing verification of security functions
Interview: Organizational personnel with responsibility for conducting security impact analysis; organizational personnel with information security responsibilities; system/network administrators
CONFIGURATION MANAGEMENT CM-5 ACCESS RESTRICTIONS FOR CHANGE
Determine if the organization:
CM-5[1] defines physical access restrictions associated with changes to the information system;
CM-5[2] documents physical access restrictions associated with changes to the information system;
CM-5[3] approves physical access restrictions associated with changes to the information system;
CM-5[4] enforces physical access restrictions associated with changes to the information system;
CM-5[5] defines logical access restrictions associated with changes to the information system;
CM-5[6] documents logical access restrictions associated with changes to the information system;
CM-5[7] approves logical access restrictions associated with changes to the information system; and
CM-5[8] enforces logical access restrictions associated with changes to the information system.
Examine: Configuration management policy; procedures addressing access restrictions for changes to the information system; configuration management plan; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; logical access approvals; physical access approvals; access credentials; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for managing access restrictions to change; automated mechanisms supporting/implementing/enforcing access restrictions associated with changes to the information system
Interview: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities; system/network administrators
CONFIGURATION MANAGEMENT CM-5(1) AUTOMATED ACCESS ENFORCEMENT / AUDITING
Determine if the information system:
CM-5(1)[1] enforces access restrictions for change; and
CM-5(1)[2] supports auditing of the enforcement actions.
Examine: Configuration management policy; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for managing access restrictions to change; automated mechanisms implementing enforcement of access restrictions for changes to the information system; automated mechanisms supporting auditing of enforcement actions
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers

CONFIGURATION MANAGEMENT CM-5(2) REVIEW SYSTEM CHANGES
Determine if the organization, in an effort to ascertain whether unauthorized changes have occurred:
CM-5(2)[1] defines the frequency to review information system changes;
CM-5(2)[2] defines circumstances that warrant review of information system changes;
CM-5(2)[3] reviews information system changes with the organization-defined frequency; and
CM-5(2)[4] reviews information system changes under the organization-defined circumstances.
Examine: Configuration management policy; procedures addressing access restrictions for changes to the information system; configuration management plan; security plan; reviews of information system changes; audit and review reports; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for managing access restrictions to change; automated mechanisms supporting/implementing information system reviews to determine whether unauthorized changes have occurred
Interview: Organizational personnel with information security responsibilities; system/network administrators

CONFIGURATION MANAGEMENT CM-5(3) SIGNED COMPONENTS
Determine if:
CM-5(3)[1] the organization defines software and firmware components that the information system will prevent from being installed without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization; and
CM-5(3)[2] the information system prevents the installation of organization-defined software and firmware components without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization.
Examine: Configuration management policy; procedures addressing access restrictions for changes to the information system; configuration management plan; security plan; list of software and firmware components to be prohibited from installation without a recognized and approved certificate; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for managing access restrictions to change; automated mechanisms preventing installation of software and firmware components not signed with an organization-recognized and approved certificate
Interview: Organizational personnel with information security responsibilities; system/network administrators; system developers
CONFIGURATION MANAGEMENT CM-5(4) DUAL AUTHORIZATION
Determine if the organization:
CM-5(4)[1] defines information system components and system-level information requiring dual authorization to be enforced when implementing changes; and
CM-5(4)[2] enforces dual authorization for implementing changes to organization-defined information system components and system-level information.
Examine: Configuration management policy; procedures addressing access restrictions for changes to the information system; configuration management plan; security plan; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for managing access restrictions to change; automated mechanisms implementing dual authorization enforcement
Interview: Organizational personnel with dual authorization enforcement responsibilities for implementing information system changes; organizational personnel with information security responsibilities; system/network administrators
CONFIGURATION MANAGEMENT CM-5(5) LIMIT PRODUCTION / OPERATIONAL PRIVILEGES
Determine if the organization:
CM-5(5)(a) limits privileges to change information system components and system-related information within a production or operational environment;
CM-5(5)(b)[1] defines the frequency to review and reevaluate privileges; and
CM-5(5)(b)[2] reviews and reevaluates privileges with the organization-defined frequency.
Examine: Configuration management policy; procedures addressing access restrictions for changes to the information system; configuration management plan; security plan; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; user privilege reviews; user privilege recertifications; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for managing access restrictions to change; automated mechanisms supporting and/or implementing access restrictions for change
Interview: Organizational personnel with information security responsibilities; system/network administrators

CONFIGURATION MANAGEMENT CM-5(6) LIMIT LIBRARY PRIVILEGES
Determine if the organization limits privileges to change software resident within software libraries.
Examine: Configuration management policy; procedures addressing access restrictions for changes to the information system; configuration management plan; information system design documentation; information system architecture and configuration documentation; information system configuration settings and associated documentation; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for managing access restrictions to change; automated mechanisms supporting and/or implementing access restrictions for change
Interview: Organizational personnel with information security responsibilities; system/network administrators

CONFIGURATION MANAGEMENT CM-5(7) AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS
[Withdrawn: Incorporated into SI-7].

CONFIGURATION MANAGEMENT CM-6 CONFIGURATION SETTINGS
Determine if the organization:
CM-6(a)[1] defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;
CM-6(a)[2] ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;
CM-6(a)[3] establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;
CM-6(b) implements the configuration settings established/documented in CM-6(a);
CM-6(c)[1] defines information system components for which any deviations from established configuration settings must be:
CM-6(c)[1][a] identified;
CM-6(c)[1][b] documented;
CM-6(c)[1][c] approved;
CM-6(c)[2] defines operational requirements to support:
CM-6(c)[2][a] the identification of any deviations from established configuration settings;
CM-6(c)[2][b] the documentation of any deviations from established configuration settings;
CM-6(c)[2][c] the approval of any deviations from established configuration settings;
CM-6(c)[3] identifies any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements;
CM-6(c)[4] documents any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements;
CM-6(c)[5] approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements;
CM-6(d)[1] monitors changes to the configuration settings in accordance with organizational policies and procedures; and
CM-6(d)[2] controls changes to the configuration settings in accordance with organizational policies and procedures.
Examine: Configuration management policy; procedures addressing configuration settings for the information system; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; evidence supporting approved deviations from established configuration settings; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for managing configuration settings; automated mechanisms that implement, monitor, and/or control information system configuration settings; automated mechanisms that identify and/or document deviations from established configuration settings
Interview: Organizational personnel with security configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators
CONFIGURATION MANAGEMENT CM-6(1) AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION
Determine if the organization:
CM-6(1)[1] defines information system components for which automated mechanisms are to be employed to:
CM-6(1)[1][a] centrally manage configuration settings of such components;
CM-6(1)[1][b] apply configuration settings of such components;
CM-6(1)[1][c] verify configuration settings of such components;
CM-6(1)[2] employs automated mechanisms to:
CM-6(1)[2][a] centrally manage configuration settings for organization-defined information system components;
CM-6(1)[2][b] apply configuration settings for organization-defined information system components; and
CM-6(1)[2][c] verify configuration settings for organization-defined information system components.
Examine: Configuration management policy; procedures addressing configuration settings for the information system; configuration management plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; change control records; information system audit records; other relevant documents or records
Test: Organizational processes for managing configuration settings; automated mechanisms implemented to centrally manage, apply, and verify information system configuration settings
Interview: Organizational personnel with security configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-6(2)
TITLE: RESPOND TO UNAUTHORIZED CHANGES
DECISION: Determine if the organization:
  CM-6(2)[1] defines configuration settings that, if modified by unauthorized changes, result in organizational security safeguards being employed to respond to such changes;
  CM-6(2)[2] defines security safeguards to be employed to respond to unauthorized changes to organization-defined configuration settings; and
  CM-6(2)[3] employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings.
EXAMINE: Configuration management policy; procedures addressing configuration settings for the information system; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; alerts/notifications of unauthorized changes to information system configuration settings; documented responses to unauthorized changes to information system configuration settings; change control records; information system audit records; other relevant documents or records
TEST: Organizational process for responding to unauthorized changes to information system configuration settings; automated mechanisms supporting and/or implementing security safeguards for response to unauthorized changes
INTERVIEW: Organizational personnel with security configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-6(3)
TITLE: UNAUTHORIZED CHANGE DETECTION
DECISION: [Withdrawn: Incorporated into SI-7].

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-6(4)
TITLE: CONFORMANCE DEMONSTRATION
DECISION: [Withdrawn: Incorporated into CM-4].
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-7
TITLE: LEAST FUNCTIONALITY
DECISION: Determine if the organization:
  CM-7(a) configures the information system to provide only essential capabilities;
  CM-7(b)
    CM-7(b)[1] defines prohibited or restricted:
      CM-7(b)[1][a] functions;
      CM-7(b)[1][b] ports;
      CM-7(b)[1][c] protocols; and/or
      CM-7(b)[1][d] services;
    CM-7(b)[2] prohibits or restricts the use of organization-defined:
      CM-7(b)[2][a] functions;
      CM-7(b)[2][b] ports;
      CM-7(b)[2][c] protocols; and/or
      CM-7(b)[2][d] services.
EXAMINE: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records
TEST: Organizational processes prohibiting or restricting functions, ports, protocols, and/or services; automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and/or services
INTERVIEW: Organizational personnel with security configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-7(1)
TITLE: PERIODIC REVIEW
DECISION: Determine if the organization:
  CM-7(1)(a)
    CM-7(1)(a)[1] defines the frequency to review the information system to identify unnecessary and/or nonsecure:
      CM-7(1)(a)[1][a] functions;
      CM-7(1)(a)[1][b] ports;
      CM-7(1)(a)[1][c] protocols; and/or
      CM-7(1)(a)[1][d] services;
    CM-7(1)(a)[2] reviews the information system with the organization-defined frequency to identify unnecessary and/or nonsecure:
      CM-7(1)(a)[2][a] functions;
      CM-7(1)(a)[2][b] ports;
      CM-7(1)(a)[2][c] protocols; and/or
      CM-7(1)(a)[2][d] services;
  CM-7(1)(b)
    CM-7(1)(b)[1] defines, within the information system, unnecessary and/or nonsecure:
      CM-7(1)(b)[1][a] functions;
      CM-7(1)(b)[1][b] ports;
      CM-7(1)(b)[1][c] protocols; and/or
      CM-7(1)(b)[1][d] services;
    CM-7(1)(b)[2] disables organization-defined unnecessary and/or nonsecure:
      CM-7(1)(b)[2][a] functions;
      CM-7(1)(b)[2][b] ports;
      CM-7(1)(b)[2][c] protocols; and/or
      CM-7(1)(b)[2][d] services.
EXAMINE: Configuration management policy; procedures addressing least functionality in the information system; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; documented reviews of functions, ports, protocols, and/or services; change control records; information system audit records; other relevant documents or records
TEST: Organizational processes for reviewing/disabling nonsecure functions, ports, protocols, and/or services; automated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and/or services
INTERVIEW: Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the information system; organizational personnel with information security responsibilities; system/network administrators
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-7(2)
TITLE: PREVENT PROGRAM EXECUTION
DECISION: Determine if:
  CM-7(2)[1] the organization defines policies regarding software program usage and restrictions;
  CM-7(2)[2] the information system prevents program execution in accordance with one or more of the following:
    CM-7(2)[2][a] organization-defined policies regarding program usage and restrictions; and/or
    CM-7(2)[2][b] rules authorizing the terms and conditions of software program usage.
EXAMINE: Configuration management policy; procedures addressing least functionality in the information system; configuration management plan; security plan; information system design documentation; specifications for preventing software program execution; information system configuration settings and associated documentation; change control records; information system audit records; other relevant documents or records
TEST: Organizational processes preventing program execution on the information system; organizational processes for software program usage and restrictions; automated mechanisms preventing program execution on the information system; automated mechanisms supporting and/or implementing software program usage and restrictions
INTERVIEW: Organizational personnel with information security responsibilities; system/network administrators; system developers
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-7(3)
TITLE: REGISTRATION COMPLIANCE
DECISION: Determine if the organization:
  CM-7(3)[1] defines registration requirements for:
    CM-7(3)[1][a] functions;
    CM-7(3)[1][b] ports;
    CM-7(3)[1][c] protocols; and/or
    CM-7(3)[1][d] services;
  CM-7(3)[2] ensures compliance with organization-defined registration requirements for:
    CM-7(3)[2][a] functions;
    CM-7(3)[2][b] ports;
    CM-7(3)[2][c] protocols; and/or
    CM-7(3)[2][d] services.
EXAMINE: Configuration management policy; procedures addressing least functionality in the information system; configuration management plan; security plan; information system configuration settings and associated documentation; audit and compliance reviews; information system audit records; other relevant documents or records
TEST: Organizational processes ensuring compliance with registration requirements for functions, ports, protocols, and/or services; automated mechanisms implementing compliance with registration requirements for functions, ports, protocols, and/or services
INTERVIEW: Organizational personnel with information security responsibilities; system/network administrators
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-7(4)
TITLE: UNAUTHORIZED SOFTWARE (BLACKLISTING)
DECISION: Determine if the organization:
  CM-7(4)(a) identifies/defines software programs not authorized to execute on the information system;
  CM-7(4)(b) employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system;
  CM-7(4)(c)
    CM-7(4)(c)[1] defines the frequency to review and update the list of unauthorized software programs on the information system; and
    CM-7(4)(c)[2] reviews and updates the list of unauthorized software programs with the organization-defined frequency.
EXAMINE: Configuration management policy; procedures addressing least functionality in the information system; configuration management plan; information system design documentation; information system configuration settings and associated documentation; list of software programs not authorized to execute on the information system; security configuration checklists; review and update records associated with list of unauthorized software programs; change control records; information system audit records; other relevant documents or records
TEST: Organizational process for identifying, reviewing, and updating programs not authorized to execute on the information system; organizational process for implementing blacklisting; automated mechanisms supporting and/or implementing blacklisting
INTERVIEW: Organizational personnel with responsibilities for identifying software not authorized to execute on the information system; organizational personnel with information security responsibilities; system/network administrators
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-7(5)
TITLE: AUTHORIZED SOFTWARE (WHITELISTING)
DECISION: Determine if the organization:
  CM-7(5)(a) identifies/defines software programs authorized to execute on the information system;
  CM-7(5)(b) employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system;
  CM-7(5)(c)
    CM-7(5)(c)[1] defines the frequency to review and update the list of authorized software programs on the information system; and
    CM-7(5)(c)[2] reviews and updates the list of authorized software programs with the organization-defined frequency.
EXAMINE: Configuration management policy; procedures addressing least functionality in the information system; configuration management plan; information system design documentation; information system configuration settings and associated documentation; list of software programs authorized to execute on the information system; security configuration checklists; review and update records associated with list of authorized software programs; change control records; information system audit records; other relevant documents or records
TEST: Organizational process for identifying, reviewing, and updating programs authorized to execute on the information system; organizational process for implementing whitelisting; automated mechanisms implementing whitelisting
INTERVIEW: Organizational personnel with responsibilities for identifying software authorized to execute on the information system; organizational personnel with information security responsibilities; system/network administrators
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-8
TITLE: INFORMATION SYSTEM COMPONENT INVENTORY
DECISION: Determine if the organization:
  CM-8(a)
    CM-8(a)(1) develops and documents an inventory of information system components that accurately reflects the current information system;
    CM-8(a)(2) develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;
    CM-8(a)(3) develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;
    CM-8(a)(4)
      CM-8(a)(4)[1] defines the information deemed necessary to achieve effective information system component accountability;
      CM-8(a)(4)[2] develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;
  CM-8(b)
    CM-8(b)[1] defines the frequency to review and update the information system component inventory; and
    CM-8(b)[2] reviews and updates the information system component inventory with the organization-defined frequency.
EXAMINE: Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system inventory records; inventory reviews and update records; other relevant documents or records
TEST: Organizational processes for developing and documenting an inventory of information system components; automated mechanisms supporting and/or implementing the information system component inventory
INTERVIEW: Organizational personnel with responsibilities for information system component inventory; organizational personnel with information security responsibilities; system/network administrators
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-8(1)
TITLE: UPDATES DURING INSTALLATIONS / REMOVALS
DECISION: Determine if the organization updates the inventory of information system components as an integral part of:
  CM-8(1)[1] component installations;
  CM-8(1)[2] component removals; and
  CM-8(1)[3] information system updates.
EXAMINE: Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system inventory records; inventory reviews and update records; component installation records; component removal records; other relevant documents or records
TEST: Organizational processes for updating inventory of information system components; automated mechanisms implementing updating of the information system component inventory
INTERVIEW: Organizational personnel with responsibilities for updating the information system component inventory; organizational personnel with information security responsibilities; system/network administrators

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-8(2)
TITLE: AUTOMATED MAINTENANCE
DECISION: Determine if the organization employs automated mechanisms to maintain an inventory of information system components that is:
  CM-8(2)[1] up-to-date;
  CM-8(2)[2] complete;
  CM-8(2)[3] accurate; and
  CM-8(2)[4] readily available.
EXAMINE: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system design documentation; information system configuration settings and associated documentation; information system inventory records; change control records; information system maintenance records; information system audit records; other relevant documents or records
TEST: Organizational processes for maintaining the inventory of information system components; automated mechanisms implementing the information system component inventory
INTERVIEW: Organizational personnel with responsibilities for managing the automated mechanisms implementing the information system component inventory; organizational personnel with information security responsibilities; system/network administrators; system developers

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-8(3)
TITLE: AUTOMATED UNAUTHORIZED COMPONENT DETECTION
DECISION: Determine if the organization:
  CM-8(3)(a)
    CM-8(3)(a)[1] defines the frequency to employ automated mechanisms to detect the presence of unauthorized:
      CM-8(3)(a)[1][a] hardware components within the information system;
      CM-8(3)(a)[1][b] software components within the information system;
      CM-8(3)(a)[1][c] firmware components within the information system;
    CM-8(3)(a)[2] employs automated mechanisms with the organization-defined frequency to detect the presence of unauthorized:
      CM-8(3)(a)[2][a] hardware components within the information system;
      CM-8(3)(a)[2][b] software components within the information system;
      CM-8(3)(a)[2][c] firmware components within the information system;
  CM-8(3)(b)
    CM-8(3)(b)[1] defines personnel or roles to be notified when unauthorized components are detected;
    CM-8(3)(b)[2] takes one or more of the following actions when unauthorized components are detected:
      CM-8(3)(b)[2][a] disables network access by such components;
      CM-8(3)(b)[2][b] isolates the components; and/or
      CM-8(3)(b)[2][c] notifies organization-defined personnel or roles.
EXAMINE: Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; information system inventory records; alerts/notifications of unauthorized components within the information system; information system monitoring records; change control records; information system audit records; other relevant documents or records
TEST: Organizational processes for detection of unauthorized information system components; automated mechanisms implementing the detection of unauthorized information system components
INTERVIEW: Organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized information system component detection; organizational personnel with information security responsibilities; system/network administrators; system developers

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-8(4)
TITLE: ACCOUNTABILITY INFORMATION
DECISION: Determine if the organization includes in the information system component inventory for information system components a means for identifying the individuals responsible and accountable for administering those components by one or more of the following:
  CM-8(4)[1] name;
  CM-8(4)[2] position; and/or
  CM-8(4)[3] role.
EXAMINE: Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system inventory records; other relevant documents or records
TEST: Organizational processes for maintaining the inventory of information system components; automated mechanisms implementing the information system component inventory
INTERVIEW: Organizational personnel with responsibilities for managing the information system component inventory; organizational personnel with information security responsibilities; system/network administrators

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-8(5)
TITLE: NO DUPLICATE ACCOUNTING OF COMPONENTS
DECISION: Determine if the organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.
EXAMINE: Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system inventory records; other relevant documents or records
TEST: Organizational processes for maintaining the inventory of information system components; automated mechanisms implementing the information system component inventory
INTERVIEW: Organizational personnel with information system inventory responsibilities; organizational personnel with responsibilities for defining information system components within the authorization boundary of the system; organizational personnel with information security responsibilities; system/network administrators

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-8(6)
TITLE: ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS
DECISION: Determine if the organization includes in the information system component inventory:
  CM-8(6)[1] assessed component configurations; and
  CM-8(6)[2] any approved deviations to current deployed configurations.
EXAMINE: Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; information system inventory records; other relevant documents or records
TEST: Organizational processes for maintaining the inventory of information system components; automated mechanisms implementing the information system component inventory
INTERVIEW: Organizational personnel with inventory management and assessment responsibilities for information system components; organizational personnel with information security responsibilities; system/network administrators

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-8(7)
TITLE: CENTRALIZED REPOSITORY
DECISION: Determine if the organization provides a centralized repository for the inventory of information system components.
EXAMINE: Configuration management policy; procedures addressing information system component inventory; configuration management plan; information system design documentation; information system inventory repository; information system inventory records; other relevant documents or records
TEST: Automated mechanisms implementing the information system component inventory in a centralized repository
INTERVIEW: Organizational personnel with inventory management responsibilities for information system components; organizational personnel with information security responsibilities

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-8(8)
TITLE: AUTOMATED LOCATION TRACKING
DECISION: Determine if the organization employs automated mechanisms to support tracking of information system components by geographic location.
EXAMINE: Configuration management policy; procedures addressing information system component inventory; configuration management plan; information system design documentation; information system configuration settings and associated documentation; information system inventory records; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing the information system component inventory; automated mechanisms supporting tracking of information system components by geographic location
INTERVIEW: Organizational personnel with inventory management responsibilities for information system components; organizational personnel with information security responsibilities; system/network administrators; system developers

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-8(9)
TITLE: ASSIGNMENT OF COMPONENTS TO SYSTEMS
DECISION: Determine if the organization:
  CM-8(9)(a)
    CM-8(9)(a)[1] defines acquired information system components to be assigned to an information system;
    CM-8(9)(a)[2] assigns organization-defined acquired information system components to an information system; and
  CM-8(9)(b) receives an acknowledgement from the information system owner of the assignment.
EXAMINE: Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system design documentation; acknowledgements of information system component assignments; information system inventory records; other relevant documents or records
TEST: Organizational processes for assigning components to systems; organizational processes for acknowledging assignment of components to systems; automated mechanisms implementing assignment of acquired components to the information system; automated mechanisms implementing acknowledgment of assignment of acquired components to the information system
INTERVIEW: Organizational personnel with inventory management responsibilities for information system components; information system owner; organizational personnel with information security responsibilities; system/network administrators

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-9
TITLE: CONFIGURATION MANAGEMENT PLAN
DECISION: Determine if the organization develops, documents, and implements a configuration management plan for the information system that:
  CM-9(a)
    CM-9(a)[1] addresses roles;
    CM-9(a)[2] addresses responsibilities;
    CM-9(a)[3] addresses configuration management processes and procedures;
  CM-9(b) establishes a process for:
    CM-9(b)[1] identifying configuration items throughout the SDLC;
    CM-9(b)[2] managing the configuration of the configuration items;
  CM-9(c)
    CM-9(c)[1] defines the configuration items for the information system;
    CM-9(c)[2] places the configuration items under configuration management;
  CM-9(d) protects the configuration management plan from unauthorized:
    CM-9(d)[1] disclosure; and
    CM-9(d)[2] modification.
EXAMINE: Configuration management policy; procedures addressing configuration management planning; configuration management plan; security plan; other relevant documents or records
TEST: Organizational processes for developing and documenting the configuration management plan; organizational processes for identifying and managing configuration items; organizational processes for protecting the configuration management plan; automated mechanisms implementing the configuration management plan; automated mechanisms for managing configuration items; automated mechanisms for protecting the configuration management plan
INTERVIEW: Organizational personnel with responsibilities for developing the configuration management plan; organizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan; organizational personnel with responsibilities for protecting the configuration management plan; organizational personnel with information security responsibilities; system/network administrators

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-9(1)
TITLE: ASSIGNMENT OF RESPONSIBILITY
DECISION: Determine if the organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
EXAMINE: Configuration management policy; procedures addressing responsibilities for configuration management process development; configuration management plan; security plan; other relevant documents or records
INTERVIEW: Organizational personnel with responsibilities for configuration management process development; organizational personnel with information security responsibilities

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-10
TITLE: SOFTWARE USAGE RESTRICTIONS
DECISION: Determine if the organization:
  CM-10(a) uses software and associated documentation in accordance with contract agreements and copyright laws;
  CM-10(b) tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
  CM-10(c) controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
EXAMINE: Configuration management policy; procedures addressing software usage restrictions; configuration management plan; security plan; software contract agreements and copyright laws; site license documentation; list of software usage restrictions; software license tracking reports; other relevant documents or records
TEST: Organizational process for tracking the use of software protected by quantity licenses; organizational process for controlling/documenting the use of peer-to-peer file sharing technology; automated mechanisms implementing software license tracking; automated mechanisms implementing and controlling the use of peer-to-peer file sharing technology
INTERVIEW: Organizational personnel with information security responsibilities; system/network administrators; organizational personnel operating, using, and/or maintaining the information system; organizational personnel with software license management responsibilities

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-10(1)
TITLE: OPEN SOURCE SOFTWARE
DECISION: Determine if the organization:
  CM-10(1)[1] defines restrictions on the use of open source software; and
  CM-10(1)[2] establishes organization-defined restrictions on the use of open source software.
EXAMINE: Configuration management policy; procedures addressing restrictions on use of open source software; configuration management plan; security plan; other relevant documents or records
TEST: Organizational process for restricting the use of open source software; automated mechanisms implementing restrictions on the use of open source software
INTERVIEW: Organizational personnel with responsibilities for establishing and enforcing restrictions on use of open source software; organizational personnel with information security responsibilities; system/network administrators
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-11
TITLE: USER-INSTALLED SOFTWARE
DECISION: Determine if the organization:
  CM-11(a)
    CM-11(a)[1] defines policies to govern the installation of software by users;
    CM-11(a)[2] establishes organization-defined policies governing the installation of software by users;
  CM-11(b)
    CM-11(b)[1] defines methods to enforce software installation policies;
    CM-11(b)[2] enforces software installation policies through organization-defined methods;
  CM-11(c)
    CM-11(c)[1] defines frequency to monitor policy compliance; and
    CM-11(c)[2] monitors policy compliance at organization-defined frequency.
EXAMINE: Configuration management policy; procedures addressing user-installed software; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; list of rules governing user-installed software; information system monitoring records; information system audit records; other relevant documents or records; continuous monitoring strategy
TEST: Organizational processes governing user-installed software on the information system; automated mechanisms enforcing rules/methods for governing the installation of software by users; automated mechanisms monitoring policy compliance
INTERVIEW: Organizational personnel with responsibilities for governing user-installed software; organizational personnel operating, using, and/or maintaining the information system; organizational personnel monitoring compliance with user-installed software policy; organizational personnel with information security responsibilities; system/network administrators
FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-11(1)
TITLE: ALERTS FOR UNAUTHORIZED INSTALLATIONS
DECISION: Determine if:
  CM-11(1)[1] the organization defines personnel or roles to be alerted when the unauthorized installation of software is detected; and
  CM-11(1)[2] the information system alerts organization-defined personnel or roles when the unauthorized installation of software is detected.
EXAMINE: Configuration management policy; procedures addressing user-installed software; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes governing user-installed software on the information system; automated mechanisms for alerting personnel/roles when unauthorized installation of software is detected
INTERVIEW: Organizational personnel with responsibilities for governing user-installed software; organizational personnel operating, using, and/or maintaining the information system; organizational personnel with information security responsibilities; system/network administrators; system developers

FAMILY: CONFIGURATION MANAGEMENT
NAME: CM-11(2)
TITLE: PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS
DECISION: Determine if the information system prohibits user installation of software without explicit privileged status.
EXAMINE: Configuration management policy; procedures addressing user-installed software; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; alerts/notifications of unauthorized software installations; information system audit records; other relevant documents or records
TEST: Organizational processes governing user-installed software on the information system; automated mechanisms for prohibiting installation of software without privileged status (e.g., access controls)
INTERVIEW: Organizational personnel with responsibilities for governing user-installed software; organizational personnel operating, using, and/or maintaining the information system

FAMILY: CONTINGENCY PLANNING
NAME: CP-1
TITLE: CONTINGENCY PLANNING POLICY AND PROCEDURES
DECISION: Determine if:
  CP-1(a)(1)
    CP-1(a)(1)[1] the organization develops and documents a contingency planning policy that addresses:
      CP-1(a)(1)[1][a] purpose;
      CP-1(a)(1)[1][b] scope;
      CP-1(a)(1)[1][c] roles;
      CP-1(a)(1)[1][d] responsibilities;
      CP-1(a)(1)[1][e] management commitment;
      CP-1(a)(1)[1][f] coordination among organizational entities;
      CP-1(a)(1)[1][g] compliance;
    CP-1(a)(1)[2] the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;
    CP-1(a)(1)[3] the organization disseminates the contingency planning policy to organization-defined personnel or roles;
  CP-1(a)(2)
    CP-1(a)(2)[1] the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;
    CP-1(a)(2)[2] the organization defines personnel or roles to whom the procedures are to be disseminated;
    CP-1(a)(2)[3] the organization disseminates the procedures to organization-defined personnel or roles;
  CP-1(b)(1)
    CP-1(b)(1)[1] the organization defines the frequency to review and update the current contingency planning policy;
    CP-1(b)(1)[2] the organization reviews and updates the current contingency planning policy with the organization-defined frequency;
  CP-1(b)(2)
    CP-1(b)(2)[1] the organization defines the frequency to review and update the current contingency planning procedures; and
    CP-1(b)(2)[2] the organization reviews and updates the current contingency planning procedures with the organization-defined frequency.
EXAMINE: Contingency planning policy and procedures; other relevant documents or records
INTERVIEW: Organizational personnel with contingency planning responsibilities; organizational personnel with information security responsibilities

FAMILY: CONTINGENCY PLANNING
NAME: CP-2
TITLE: CONTINGENCY PLAN
DECISION: Determine if the organization:
  CP-2(a) develops and documents a contingency plan for the information system that:
    CP-2(a)(1) identifies essential missions and business functions and associated contingency requirements;
    CP-2(a)(2)
      CP-2(a)(2)[1] provides recovery objectives;
      CP-2(a)(2)[2] provides restoration priorities;
      CP-2(a)(2)[3] provides metrics;
    CP-2(a)(3)
      CP-2(a)(3)[1] addresses contingency roles;
      CP-2(a)(3)[2] addresses contingency responsibilities;
      CP-2(a)(3)[3] addresses assigned individuals with contact information;
    CP-2(a)(4) addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
    CP-2(a)(5) addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;
    CP-2(a)(6)
      CP-2(a)(6)[1] defines personnel or roles to review and approve the contingency plan for the information system;
      CP-2(a)(6)[2] is reviewed and approved by organization-defined personnel or roles;
  CP-2(b)
    CP-2(b)[1] defines key contingency personnel (identified by name and/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;
    CP-2(b)[2] distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;
  CP-2(c) coordinates contingency planning activities with incident handling activities;
  CP-2(d)
    CP-2(d)[1] defines a frequency to review the contingency plan for the information system;
    CP-2(d)[2] reviews the contingency plan with the organization-defined frequency;
  CP-2(e) updates the contingency plan to address:
    CP-2(e)[1] changes to the organization, information system, or environment of operation;
    CP-2(e)[2] problems encountered during plan implementation, execution, and testing;
  CP-2(f)
    CP-2(f)[1] defines key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated;
    CP-2(f)[2] communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and
  CP-2(g) protects the contingency plan from unauthorized disclosure and modification.
EXAMINE: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; evidence of contingency plan reviews and updates; other relevant documents or records
TEST: Organizational processes for contingency plan development, review, update, and protection; automated mechanisms for developing, reviewing, updating and/or protecting the contingency plan
INTERVIEW: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with incident handling responsibilities; organizational personnel with information security responsibilities

FAMILY: CONTINGENCY PLANNING
NAME: CP-2(1)
TITLE: COORDINATE WITH RELATED PLANS
DECISION: Determine if the organization coordinates contingency plan development with organizational elements responsible for related plans.
EXAMINE: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; business contingency plans; disaster recovery plans; continuity of operations plans; crisis communications plans; critical infrastructure plans; cyber incident response plan; insider threat implementation plans; occupant emergency plans; security plan; other relevant documents or records
INTERVIEW: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security responsibilities; personnel with responsibility for related plans

FAMILY: CONTINGENCY PLANNING
NAME: CP-2(2)
TITLE: CAPACITY PLANNING
DECISION: Determine if the organization conducts capacity planning so that necessary capacity exists during contingency operations for:
  CP-2(2)[1] information processing;
  CP-2(2)[2] telecommunications; and
  CP-2(2)[3] environmental support.
EXAMINE: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; capacity planning documents; other relevant documents or records
INTERVIEW: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security responsibilities
CONTINGENCY PLANNING  CP-2(3)  RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; business impact assessment; other related plans; other relevant documents or records
  Test: Organizational processes for resumption of missions and business functions
  Interview: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security responsibilities
  CP-2(3)[1] defines the time period to plan for the resumption of essential missions and business functions as a result of contingency plan activation; and
  CP-2(3)[2] plans for the resumption of essential missions and business functions within the organization-defined time period of contingency plan activation.

CONTINGENCY PLANNING  CP-2(4)  RESUME ALL MISSIONS / BUSINESS FUNCTIONS
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; security plan; business impact assessment; other related plans; other relevant documents or records
  Test: Organizational processes for resumption of missions and business functions
  Interview: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security responsibilities
  CP-2(4)[1] defines the time period to plan for the resumption of all missions and business functions as a result of contingency plan activation; and
  CP-2(4)[2] plans for the resumption of all missions and business functions within the organization-defined time period of contingency plan activation.
CONTINGENCY PLANNING  CP-2(5)  CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; business impact assessment; primary processing site agreements; primary storage site agreements; alternate processing site agreements; alternate storage site agreements; contingency plan test documentation; contingency plan test results; other relevant documents or records
  Test: Organizational processes for continuing missions and business functions
  Interview: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security responsibilities
  CP-2(5)[1] plans for the continuance of essential missions and business functions with little or no loss of operational continuity; and
  CP-2(5)[2] sustains that operational continuity until full information system restoration at primary processing and/or storage sites.

CONTINGENCY PLANNING  CP-2(6)  ALTERNATE PROCESSING / STORAGE SITE
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; business impact assessment; alternate processing site agreements; alternate storage site agreements; contingency plan testing documentation; contingency plan test results; other relevant documents or records
  Test: Organizational processes for transfer of essential missions and business functions to alternate processing/storage sites
  Interview: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security responsibilities
  CP-2(6)[1] plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity; and
  CP-2(6)[2] sustains that operational continuity through information system restoration to primary processing and/or storage sites.

CONTINGENCY PLANNING  CP-2(7)  COORDINATE WITH EXTERNAL SERVICE PROVIDERS
  Decision: Determine if the organization coordinates its contingency plan with the contingency plans of external service providers to ensure contingency requirements can be satisfied.
  Examine: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; contingency plans of external service providers; service level agreements; security plan; contingency plan requirements; other relevant documents or records
  Interview: Organizational personnel with contingency planning and plan implementation responsibilities; external service providers; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-2(8)  IDENTIFY CRITICAL ASSETS
  Decision: Determine if the organization identifies critical information system assets supporting essential missions and business functions.
  Examine: Contingency planning policy; procedures addressing contingency operations for the information system; contingency plan; business impact assessment; security plan; other relevant documents or records
  Interview: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-3  CONTINGENCY TRAINING
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing contingency training; contingency plan; contingency training curriculum; contingency training material; security plan; contingency training records; other relevant documents or records
  Test: Organizational processes for contingency training
  Interview: Organizational personnel with contingency planning, plan implementation, and training responsibilities; organizational personnel with information security responsibilities
  CP-3(a)
    CP-3(a)[1] defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;
    CP-3(a)[2] provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;
  CP-3(b) provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;
  CP-3(c)
    CP-3(c)[1] defines the frequency for contingency training thereafter; and
    CP-3(c)[2] provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter.

CONTINGENCY PLANNING  CP-3(1)  SIMULATED EVENTS
  Decision: Determine if the organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
  Examine: Contingency planning policy; procedures addressing contingency training; contingency plan; contingency training curriculum; contingency training material; other relevant documents or records
  Test: Organizational processes for contingency training; automated mechanisms for simulating contingency events
  Interview: Organizational personnel with contingency planning, plan implementation, and training responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-3(2)  AUTOMATED TRAINING ENVIRONMENTS
  Decision: Determine if the organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
  Examine: Contingency planning policy; procedures addressing contingency training; contingency plan; contingency training curriculum; contingency training material; other relevant documents or records
  Test: Organizational processes for contingency training; automated mechanisms for providing contingency training environments
  Interview: Organizational personnel with contingency planning, plan implementation, and training responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-4  CONTINGENCY PLAN TESTING
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing contingency plan testing; contingency plan; security plan; contingency plan test documentation; contingency plan test results; other relevant documents or records
  Test: Organizational processes for contingency plan testing; automated mechanisms supporting the contingency plan and/or contingency plan testing
  Interview: Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests; organizational personnel with information security responsibilities
  CP-4(a)
    CP-4(a)[1] defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;
    CP-4(a)[2] defines a frequency to test the contingency plan for the information system;
    CP-4(a)[3] tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;
  CP-4(b) reviews the contingency plan test results; and
  CP-4(c) initiates corrective actions, if needed.

CONTINGENCY PLANNING  CP-4(1)  COORDINATE WITH RELATED PLANS
  Decision: Determine if the organization coordinates contingency plan testing with organizational elements responsible for related plans.
  Examine: Contingency planning policy; incident response policy; procedures addressing contingency plan testing; contingency plan testing documentation; contingency plan; business continuity plans; disaster recovery plans; continuity of operations plans; crisis communications plans; critical infrastructure plans; cyber incident response plans; occupant emergency plans; security plan; other relevant documents or records
  Interview: Organizational personnel with contingency plan testing responsibilities; organizational personnel; personnel with responsibilities for related plans; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-4(2)  ALTERNATE PROCESSING SITE
  Decision: Determine if the organization tests the contingency plan at the alternate processing site to:
  Examine: Contingency planning policy; procedures addressing contingency plan testing; contingency plan; contingency plan test documentation; contingency plan test results; alternate processing site agreements; service-level agreements; other relevant documents or records
  Test: Organizational processes for contingency plan testing; automated mechanisms supporting the contingency plan and/or contingency plan testing
  Interview: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security responsibilities
  CP-4(2)(a) familiarize contingency personnel with the facility and available resources; and
  CP-4(2)(b) evaluate the capabilities of the alternate processing site to support contingency operations.

CONTINGENCY PLANNING  CP-4(3)  AUTOMATED TESTING
  Decision: Determine if the organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
  Examine: Contingency planning policy; procedures addressing contingency plan testing; contingency plan; automated mechanisms supporting contingency plan testing; contingency plan test documentation; contingency plan test results; other relevant documents or records
  Test: Organizational processes for contingency plan testing; automated mechanisms supporting contingency plan testing
  Interview: Organizational personnel with contingency plan testing responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-4(4)  FULL RECOVERY / RECONSTITUTION
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing information system recovery and reconstitution; contingency plan; contingency plan test documentation; contingency plan test results; other relevant documents or records
  Test: Organizational processes for contingency plan testing; automated mechanisms supporting contingency plan testing; automated mechanisms supporting recovery and reconstitution of the information system
  Interview: Organizational personnel with contingency plan testing responsibilities; organizational personnel with information system recovery and reconstitution responsibilities; organizational personnel with information security responsibilities
  CP-4(4)[1] includes a full recovery of the information system to a known state as part of contingency plan testing; and
  CP-4(4)[2] includes a full reconstitution of the information system to a known state as part of contingency plan testing.

CONTINGENCY PLANNING  CP-5  CONTINGENCY PLAN UPDATE
  Decision: [Withdrawn: Incorporated into CP-2].
CONTINGENCY PLANNING  CP-6  ALTERNATE STORAGE SITE
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing alternate storage sites; contingency plan; alternate storage site agreements; primary storage site agreements; other relevant documents or records
  Test: Organizational processes for storing and retrieving information system backup information at the alternate storage site; automated mechanisms supporting and/or implementing storage and retrieval of information system backup information at the alternate storage site
  Interview: Organizational personnel with contingency plan alternate storage site responsibilities; organizational personnel with information system recovery responsibilities; organizational personnel with information security responsibilities
  CP-6[1] establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
  CP-6[2] ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

CONTINGENCY PLANNING  CP-6(1)  SEPARATION FROM PRIMARY SITE
  Decision: Determine if the organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
  Examine: Contingency planning policy; procedures addressing alternate storage sites; contingency plan; alternate storage site; alternate storage site agreements; primary storage site agreements; other relevant documents or records
  Interview: Organizational personnel with contingency plan alternate storage site responsibilities; organizational personnel with information system recovery responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-6(2)  RECOVERY TIME / POINT OBJECTIVES
  Decision: Determine if the organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time objectives and recovery point objectives (as specified in the information system contingency plan).
  Examine: Contingency planning policy; procedures addressing alternate storage sites; contingency plan; alternate storage site; alternate storage site agreements; alternate storage site configurations; other relevant documents or records
  Test: Organizational processes for contingency plan testing; automated mechanisms supporting recovery time/point objectives
  Interview: Organizational personnel with contingency plan testing responsibilities; organizational personnel with responsibilities for testing related plans; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-6(3)  ACCESSIBILITY
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing alternate storage sites; contingency plan; alternate storage site; list of potential accessibility problems to alternate storage site; mitigation actions for accessibility problems to alternate storage site; organizational risk assessments; other relevant documents or records
  Interview: Organizational personnel with contingency plan alternate storage site responsibilities; organizational personnel with information system recovery responsibilities; organizational personnel with information security responsibilities
  CP-6(3)[1] identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and
  CP-6(3)[2] outlines explicit mitigation actions for such potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.

CONTINGENCY PLANNING  CP-7  ALTERNATE PROCESSING SITE
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site agreements; primary processing site agreements; spare equipment and supplies inventory at alternate processing site; equipment and supply contracts; service-level agreements; other relevant documents or records
  Test: Organizational processes for recovery at the alternate site; automated mechanisms supporting and/or implementing recovery at the alternate processing site
  Interview: Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements; organizational personnel with information security responsibilities
  CP-7(a)
    CP-7(a)[1] defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations;
    CP-7(a)[2] defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer/resumption of organization-defined information system operations for essential missions/business functions;
    CP-7(a)[3] establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;
  CP-7(b)
    CP-7(b)[1] ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site; or
    CP-7(b)[2] ensures that contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
  CP-7(c) ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.

CONTINGENCY PLANNING  CP-7(1)  SEPARATION FROM PRIMARY SITE
  Decision: Determine if the organization identifies an alternate processing site that is separated from the primary storage site to reduce susceptibility to the same threats.
  Examine: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site; alternate processing site agreements; primary processing site agreements; other relevant documents or records
  Interview: Organizational personnel with contingency plan alternate processing site responsibilities; organizational personnel with information system recovery responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-7(2)  ACCESSIBILITY
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site; alternate processing site agreements; primary processing site agreements; other relevant documents or records
  Interview: Organizational personnel with contingency plan alternate processing site responsibilities; organizational personnel with information system recovery responsibilities; organizational personnel with information security responsibilities
  CP-7(2)[1] identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and
  CP-7(2)[2] outlines explicit mitigation actions for such potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.
CONTINGENCY PLANNING  CP-7(3)  PRIORITY OF SERVICE
  Decision: Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan).
  Examine: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site agreements; service-level agreements; other relevant documents or records
  Interview: Organizational personnel with contingency plan alternate processing site responsibilities; organizational personnel with information system recovery responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements

CONTINGENCY PLANNING  CP-7(4)  PREPARATION FOR USE
  Decision: Determine if the organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
  Examine: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site; alternate processing site agreements; alternate processing site configurations; other relevant documents or records
  Test: Automated mechanisms supporting and/or implementing recovery at the alternate processing site
  Interview: Organizational personnel with contingency plan alternate processing site responsibilities; organizational personnel with information system recovery responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-7(5)  EQUIVALENT INFORMATION SECURITY SAFEGUARDS
  Decision: [Withdrawn: Incorporated into CP-7].

CONTINGENCY PLANNING  CP-7(6)  INABILITY TO RETURN TO PRIMARY SITE
  Decision: Determine if the organization plans and prepares for circumstances that preclude returning to the primary processing site.
  Examine: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site; alternate processing site agreements; alternate processing site configurations; other relevant documents or records
  Interview: Organizational personnel with information system reconstitution responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-8  TELECOMMUNICATIONS SERVICES
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing alternate telecommunications services; contingency plan; primary and alternate telecommunications service agreements; other relevant documents or records
  Test: Automated mechanisms supporting telecommunications
  Interview: Organizational personnel with contingency plan telecommunications responsibilities; organizational personnel with information system recovery responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements
  CP-8[1] defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations;
  CP-8[2] defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions; and
  CP-8[3] establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CONTINGENCY PLANNING  CP-8(1)  PRIORITY OF SERVICE PROVISIONS
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing primary and alternate telecommunications services; contingency plan; primary and alternate telecommunications service agreements; Telecommunications Service Priority documentation; other relevant documents or records
  Test: Automated mechanisms supporting telecommunications
  Interview: Organizational personnel with contingency plan telecommunications responsibilities; organizational personnel with information system recovery responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements
  CP-8(1)[1] develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan); and
  CP-8(1)[2] requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

CONTINGENCY PLANNING  CP-8(2)  SINGLE POINTS OF FAILURE
  Decision: Determine if the organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
  Examine: Contingency planning policy; procedures addressing primary and alternate telecommunications services; contingency plan; primary and alternate telecommunications service agreements; other relevant documents or records
  Interview: Organizational personnel with contingency plan telecommunications responsibilities; organizational personnel with information system recovery responsibilities; primary and alternate telecommunications service providers; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-8(3)  SEPARATION OF PRIMARY / ALTERNATE PROVIDERS
  Decision: Determine if the organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
  Examine: Contingency planning policy; procedures addressing primary and alternate telecommunications services; contingency plan; primary and alternate telecommunications service agreements; alternate telecommunications service provider site; primary telecommunications service provider site; other relevant documents or records
  Interview: Organizational personnel with contingency plan telecommunications responsibilities; organizational personnel with information system recovery responsibilities; primary and alternate telecommunications service providers; organizational personnel with information security responsibilities

CONTINGENCY PLANNING  CP-8(4)  PROVIDER CONTINGENCY PLAN
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing primary and alternate telecommunications services; contingency plan; provider contingency plans; evidence of contingency testing/training by providers; primary and alternate telecommunications service agreements; other relevant documents or records
  Interview: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; primary and alternate telecommunications service providers; organizational personnel with information security responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements
  CP-8(4)(a)
    CP-8(4)(a)[1] requires primary telecommunications service provider to have contingency plans;
    CP-8(4)(a)[2] requires alternate telecommunications service provider(s) to have contingency plans;
  CP-8(4)(b) reviews provider contingency plans to ensure that the plans meet organizational contingency requirements;
  CP-8(4)(c)
    CP-8(4)(c)[1] defines the frequency to obtain evidence of contingency testing/training by providers; and
    CP-8(4)(c)[2] obtains evidence of contingency testing/training by providers with the organization-defined frequency.

CONTINGENCY PLANNING  CP-8(5)  ALTERNATE TELECOMMUNICATION SERVICE TESTING
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing alternate telecommunications services; contingency plan; evidence of testing alternate telecommunications services; alternate telecommunications service agreements; other relevant documents or records
  Test: Automated mechanisms supporting testing alternate telecommunications services
  Interview: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; alternate telecommunications service providers; organizational personnel with information security responsibilities
  CP-8(5)[1] defines the frequency to test alternate telecommunication services; and
  CP-8(5)[2] tests alternate telecommunication services with the organization-defined frequency.
CONTINGENCY PLANNING  CP-9  INFORMATION SYSTEM BACKUP
  Decision: Determine if the organization:
  Examine: Contingency planning policy; procedures addressing information system backup; contingency plan; backup storage location(s); information system backup logs or records; other relevant documents or records
  Test: Organizational processes for conducting information system backups; automated mechanisms supporting and/or implementing information system backups
  Interview: Organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities
  CP-9(a)
    CP-9(a)[1] defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;
    CP-9(a)[2] conducts backups of user-level information contained in the information system with the organization-defined frequency;
  CP-9(b)
    CP-9(b)[1] defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;
    CP-9(b)[2] conducts backups of system-level information contained in the information system with the organization-defined frequency;
  CP-9(c)
    CP-9(c)[1] defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;
    CP-9(c)[2] conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and
  CP-9(d) protects the confidentiality, integrity, and availability of backup information at storage locations.
CONTINGENCY PLANNING CP-9(1) TESTING FOR RELIABILITY / INTEGRITY
Decision: Determine if the organization:
  CP-9(1)[1] defines the frequency to test backup information to verify media reliability and information integrity; and
  CP-9(1)[2] tests backup information with the organization-defined frequency to verify media reliability and information integrity.
Examine: Contingency planning policy; procedures addressing information system backup; contingency plan; information system backup test results; contingency plan test documentation; contingency plan test results; other relevant documents or records
Test: Organizational processes for conducting information system backups; automated mechanisms supporting and/or implementing information system backups
Interview: Organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING CP-9(2) TEST RESTORATION USING SAMPLING
Decision: Determine if the organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
Examine: Contingency planning policy; procedures addressing information system backup; contingency plan; information system backup test results; contingency plan test documentation; contingency plan test results; other relevant documents or records
Test: Organizational processes for conducting information system backups; automated mechanisms supporting and/or implementing information system backups
Interview: Organizational personnel with information system backup responsibilities; organizational personnel with contingency planning/contingency plan testing responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING CP-9(3) SEPARATE STORAGE FOR CRITICAL INFORMATION
Decision: Determine if the organization:
  CP-9(3)[1][a] defines critical information system software and other security-related information requiring backup copies to be stored in a separate facility; or
  CP-9(3)[1][b] defines critical information system software and other security-related information requiring backup copies to be stored in a fire-rated container that is not collocated with the operational system; and
  CP-9(3)[2] stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.
Examine: Contingency planning policy; procedures addressing information system backup; contingency plan; backup storage location(s); information system backup configurations and associated documentation; information system backup logs or records; other relevant documents or records
Interview: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING CP-9(4) PROTECTION FROM UNAUTHORIZED MODIFICATION
[Withdrawn: Incorporated into CP-9].
CONTINGENCY PLANNING CP-9(5) TRANSFER TO ALTERNATE STORAGE SITE
Decision: Determine if the organization:
  CP-9(5)[1] defines a time period, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site;
  CP-9(5)[2] defines a transfer rate, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site; and
  CP-9(5)[3] transfers information system backup information to the alternate storage site with the organization-defined time period and transfer rate.
Examine: Contingency planning policy; procedures addressing information system backup; contingency plan; information system backup logs or records; evidence of system backup information transferred to alternate storage site; alternate storage site agreements; other relevant documents or records
Test: Organizational processes for transferring information system backups to the alternate storage site; automated mechanisms supporting and/or implementing information system backups; automated mechanisms supporting and/or implementing information transfer to the alternate storage site
Interview: Organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities
CONTINGENCY PLANNING CP-9(6) REDUNDANT SECONDARY SYSTEM
Decision: Determine if the organization accomplishes information system backup by maintaining a redundant secondary system that:
  CP-9(6)[1] is not collocated with the primary system; and
  CP-9(6)[2] can be activated without loss of information or disruption to operations.
Examine: Contingency planning policy; procedures addressing information system backup; contingency plan; information system backup test results; contingency plan test results; contingency plan test documentation; redundant secondary system for information system backups; location(s) of redundant secondary backup system(s); other relevant documents or records
Test: Organizational processes for maintaining redundant secondary systems; automated mechanisms supporting and/or implementing information system backups; automated mechanisms supporting and/or implementing information transfer to a redundant secondary system
Interview: Organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for the redundant secondary system
CONTINGENCY PLANNING CP-9(7) DUAL AUTHORIZATION
Decision: Determine if the organization:
  CP-9(7)[1] defines backup information that requires dual authorization to be enforced for the deletion or destruction of such information; and
  CP-9(7)[2] enforces dual authorization for the deletion or destruction of organization-defined backup information.
Examine: Contingency planning policy; procedures addressing information system backup; contingency plan; information system design documentation; information system configuration settings and associated documentation; system generated list of dual authorization credentials or rules; logs or records of deletion or destruction of backup information; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing dual authorization; automated mechanisms supporting and/or implementing deletion/destruction of backup information
Interview: Organizational personnel with information system backup responsibilities; organizational personnel with information security responsibilities
CONTINGENCY PLANNING CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
Decision: Determine if the organization provides for:
  CP-10[1] the recovery of the information system to a known state after:
    CP-10[1][a] a disruption;
    CP-10[1][b] a compromise; or
    CP-10[1][c] a failure;
  CP-10[2] the reconstitution of the information system to a known state after:
    CP-10[2][a] a disruption;
    CP-10[2][b] a compromise; or
    CP-10[2][c] a failure.
Examine: Contingency planning policy; procedures addressing information system backup; contingency plan; information system backup test results; contingency plan test results; contingency plan test documentation; redundant secondary system for information system backups; location(s) of redundant secondary backup system(s); other relevant documents or records
Test: Organizational processes implementing information system recovery and reconstitution operations; automated mechanisms supporting and/or implementing information system recovery and reconstitution operations
Interview: Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities; organizational personnel with information security responsibilities

CONTINGENCY PLANNING CP-10(1) CONTINGENCY PLAN TESTING
[Withdrawn: Incorporated into CP-4].

CONTINGENCY PLANNING CP-10(2) TRANSACTION RECOVERY
Decision: Determine if the information system implements transaction recovery for systems that are transaction-based.
Examine: Contingency planning policy; procedures addressing information system recovery and reconstitution; contingency plan; information system design documentation; information system configuration settings and associated documentation; contingency plan test documentation; contingency plan test results; information system transaction recovery records; information system audit records; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing transaction recovery capability
Interview: Organizational personnel with responsibility for transaction recovery; organizational personnel with information security responsibilities

CONTINGENCY PLANNING CP-10(3) COMPENSATING SECURITY CONTROLS
[Withdrawn: Addressed through tailoring procedures].

CONTINGENCY PLANNING CP-10(4) RESTORE WITHIN TIME PERIOD
Decision: Determine if the organization:
  CP-10(4)[1] defines a time period to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components; and
  CP-10(4)[2] provides the capability to restore information system components within the organization-defined time period from configuration-controlled and integrity-protected information representing a known, operational state for the components.
Examine: Contingency planning policy; procedures addressing information system recovery and reconstitution; contingency plan; information system design documentation; information system configuration settings and associated documentation; contingency plan test documentation; contingency plan test results; evidence of information system recovery and reconstitution operations; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing recovery/reconstitution of information system information
Interview: Organizational personnel with information system recovery and reconstitution responsibilities; organizational personnel with information security responsibilities
CONTINGENCY PLANNING CP-10(5) FAILOVER CAPABILITY
[Withdrawn: Incorporated into SI-13].

CONTINGENCY PLANNING CP-10(6) COMPONENT PROTECTION
Decision: Determine if the organization protects backup and restoration:
  CP-10(6)[1] hardware;
  CP-10(6)[2] firmware; and
  CP-10(6)[3] software.
Examine: Contingency planning policy; procedures addressing information system recovery and reconstitution; contingency plan; information system design documentation; information system configuration settings and associated documentation; logical access credentials; physical access credentials; logical access authorization records; physical access authorization records; other relevant documents or records
Test: Organizational processes for protecting backup and restoration hardware, firmware, and software; automated mechanisms supporting and/or implementing protection of backup and restoration hardware, firmware, and software
Interview: Organizational personnel with information system recovery and reconstitution responsibilities; organizational personnel with information security responsibilities
CONTINGENCY PLANNING CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS
Decision: Determine if:
  CP-11[1] the organization defines alternative communications protocols to be employed in support of maintaining continuity of operations; and
  CP-11[2] the information system provides the capability to employ organization-defined alternative communications protocols in support of maintaining continuity of operations.
Examine: Contingency planning policy; procedures addressing alternative communications protocols; contingency plan; continuity of operations plan; information system design documentation; information system configuration settings and associated documentation; list of alternative communications protocols supporting continuity of operations; other relevant documents or records
Test: Automated mechanisms employing alternative communications protocols
Interview: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with continuity of operations planning and plan implementation responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
CONTINGENCY PLANNING CP-12 SAFE MODE
Decision: Determine if:
  CP-12[1] the organization defines conditions that, when detected, requires the information system to enter a safe mode of operation;
  CP-12[2] the organization defines restrictions of safe mode of operation; and
  CP-12[3] the information system, when organization-defined conditions are detected, enters a safe mode of operation with organization-defined restrictions of safe mode of operation.
Examine: Contingency planning policy; procedures addressing safe mode of operation for the information system; contingency plan; information system design documentation; information system configuration settings and associated documentation; information system administration manuals; information system operation manuals; information system installation manuals; contingency plan test records; incident handling records; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing safe mode of operation
Interview: Organizational personnel with information system operation responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
CONTINGENCY PLANNING CP-13 ALTERNATIVE SECURITY MECHANISMS
Decision: Determine if the organization:
  CP-13[1] defines alternative or supplemental security mechanisms to be employed when the primary means of implementing the security function is unavailable or compromised;
  CP-13[2] defines security functions to be satisfied using organization-defined alternative or supplemental security mechanisms when the primary means of implementing the security function is unavailable or compromised; and
  CP-13[3] employs organization-defined alternative or supplemental security mechanisms satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.
Examine: Contingency planning policy; procedures addressing alternate security mechanisms; contingency plan; continuity of operations plan; information system design documentation; information system configuration settings and associated documentation; contingency plan test records; contingency plan test results; other relevant documents or records
Test: Information system capability implementing alternative security mechanisms
Interview: Organizational personnel with information system operation responsibilities; organizational personnel with information security responsibilities
IDENTIFICATION AND AUTHENTICATION IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
Decision: Determine if the organization:
  IA-1(a)(1)[1] develops and documents an identification and authentication policy that addresses:
    IA-1(a)(1)[1][a] purpose;
    IA-1(a)(1)[1][b] scope;
    IA-1(a)(1)[1][c] roles;
    IA-1(a)(1)[1][d] responsibilities;
    IA-1(a)(1)[1][e] management commitment;
    IA-1(a)(1)[1][f] coordination among organizational entities;
    IA-1(a)(1)[1][g] compliance;
  IA-1(a)(1)[2] defines personnel or roles to whom the identification and authentication policy is to be disseminated; and
  IA-1(a)(1)[3] disseminates the identification and authentication policy to organization-defined personnel or roles;
  IA-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;
  IA-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
  IA-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  IA-1(b)(1)[1] defines the frequency to review and update the current identification and authentication policy;
  IA-1(b)(1)[2] reviews and updates the current identification and authentication policy with the organization-defined frequency; and
  IA-1(b)(2)[1] defines the frequency to review and update the current identification and authentication procedures; and
  IA-1(b)(2)[2] reviews and updates the current identification and authentication procedures with the organization-defined frequency.
Examine: Identification and authentication policy and procedures; other relevant documents or records
Interview: Organizational personnel with identification and authentication responsibilities; organizational personnel with information security responsibilities
IDENTIFICATION AND AUTHENTICATION IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
Decision: Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records
Test: Organizational processes for uniquely identifying and authenticating users; automated mechanisms supporting and/or implementing identification and authentication capability
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with account management responsibilities; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(1) NETWORK ACCESS TO PRIVILEGED ACCOUNTS
Decision: Determine if the information system implements multifactor authentication for network access to privileged accounts.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing multifactor authentication capability
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(2) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS
Decision: Determine if the information system implements multifactor authentication for network access to non-privileged accounts.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing multifactor authentication capability
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(3) LOCAL ACCESS TO PRIVILEGED ACCOUNTS
Decision: Determine if the information system implements multifactor authentication for local access to privileged accounts.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing multifactor authentication capability
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(4) LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS
Decision: Determine if the information system implements multifactor authentication for local access to non-privileged accounts.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing multifactor authentication capability
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(5) GROUP AUTHENTICATION
Decision: Determine if the organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing authentication capability for group accounts
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(6) NETWORK ACCESS TO PRIVILEGED ACCOUNTS – SEPARATE DEVICE
Decision: Determine if:
  IA-2(6)[1] the information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;
  IA-2(6)[2] the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining network access to privileged accounts; and
  IA-2(6)[3] the information system implements multifactor authentication for network access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing multifactor authentication capability
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(7) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS – SEPARATE DEVICE
Decision: Determine if:
  IA-2(7)[1] the information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;
  IA-2(7)[2] the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining network access to non-privileged accounts; and
  IA-2(7)[3] the information system implements multifactor authentication for network access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing multifactor authentication capability
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(8) NETWORK ACCESS TO PRIVILEGED ACCOUNTS – REPLAY RESISTANT
Decision: Determine if the information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of privileged information system accounts; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing identification and authentication capability; automated mechanisms supporting and/or implementing replay resistant authentication mechanisms
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(9) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS – REPLAY RESISTANT
Decision: Determine if the information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of non-privileged information system accounts; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing identification and authentication capability; automated mechanisms supporting and/or implementing replay resistant authentication mechanisms
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(10) SINGLE SIGN-ON
Decision: Determine if:
  IA-2(10)[1] the organization defines a list of information system accounts and services for which a single sign-on capability must be provided; and
  IA-2(10)[2] the information system provides a single sign-on capability for organization-defined information system accounts and services.
Examine: Identification and authentication policy; procedures addressing single sign-on capability for information system accounts and services; procedures addressing identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts and services requiring single sign-on capability; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing identification and authentication capability; automated mechanisms supporting and/or implementing single sign-on capability for information system accounts and services
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(11) REMOTE ACCESS – SEPARATE DEVICE
Decision: Determine if:
  IA-2(11)[1] the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;
  IA-2(11)[2] the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;
  IA-2(11)[3] the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;
  IA-2(11)[4] the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;
  IA-2(11)[5] the information system implements multifactor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and
  IA-2(11)[6] the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of privileged and non-privileged information system accounts; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing identification and authentication capability
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers

IDENTIFICATION AND AUTHENTICATION IA-2(12) ACCEPTANCE OF PIV CREDENTIALS
Decision: Determine if the information system:
  IA-2(12)[1] accepts Personal Identity Verification (PIV) credentials; and
  IA-2(12)[2] electronically verifies Personal Identity Verification (PIV) credentials.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; PIV verification records; evidence of PIV credentials; PIV credential authorizations; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
IDENTIFICATION AND AUTHENTICATION IA-2(13) OUT-OF-BAND AUTHENTICATION
Decision: Determine if:
  IA-2(13)[1] the organization defines out-of-band authentication to be implemented by the information system;
  IA-2(13)[2] the organization defines conditions under which the information system implements organization-defined out-of-band authentication; and
  IA-2(13)[3] the information system implements organization-defined out-of-band authentication under organization-defined conditions.
Examine: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; system-generated list of out-of-band authentication paths; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing out-of-band authentication capability
Interview: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
IDENTIFICATION AND AUTHENTICATION IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION "Determine if: " Identification and authentication policy;procedures addressing device identification and authentication;information system design documentation;list of devices requiring unique identification and authentication;device connection reports;information system configuration settings and associated documentation;other relevant documents or records Automated mechanisms supporting and/or implementing device identification and authentication capability Organizational personnel with operational responsibilities for device identification and authentication;organizational personnel with information security responsibilities;system/network administrators;system developers IA-3[1] "the organization defines specific and/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:" IA-3[1][a] "a local connection;" IA-3[1][b] "a remote connection; and/or" IA-3[1][c] "a network connection; and" IA-3[2] "the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:" IA-3[2][a] "a local connection;" IA-3[2][b] "a remote connection; and/or" IA-3[2][c] "a network connection." 
IDENTIFICATION AND AUTHENTICATION IA-3(1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION "Determine if: " Identification and authentication policy;procedures addressing device identification and authentication;information system design documentation;list of devices requiring unique identification and authentication;device connection reports;information system configuration settings and associated documentation;other relevant documents or records Automated mechanisms supporting and/or implementing device authentication capability;cryptographically based bidirectional authentication mechanisms Organizational personnel with operational responsibilities for device identification and authentication;organizational personnel with information security responsibilities;system/network administrators;system developers IA-3(1)[1] "the organization defines specific and/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more of the following:" IA-3(1)[1][a] "a local connection;" IA-3(1)[1][b] "a remote connection; and/or" IA-3(1)[1][c] "a network connection;" IA-3(1)[2] "the information system uses cryptographically based bidirectional authentication to authenticate organization-defined devices before establishing one or more of the following:" IA-3(1)[2][a] "a local connection;" IA-3(1)[2][b] "a remote connection; and/or" IA-3(1)[2][c] "a network connection." IDENTIFICATION AND AUTHENTICATION IA-3(2) CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION "[Withdrawn: Incorporated into IA-3(1)]." 
IDENTIFICATION AND AUTHENTICATION IA-3(3) DYNAMIC ADDRESS ALLOCATION "Determine if the organization: " Identification and authentication policy;procedures addressing device identification and authentication;information system design documentation;information system configuration settings and associated documentation;evidence of lease information and lease duration assigned to devices;device connection reports;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing device identification and authentication capability;automated mechanisms supporting and/or implementing dynamic address allocation;automated mechanisms supporting and/or implanting auditing of lease information Organizational personnel with operational responsibilities for device identification and authentication;organizational personnel with information security responsibilities;system/network administrators;system developers IA-3(3)(a) IA-3(3)(a)[1] "defines lease information to be employed to standardize dynamic address allocation for devices;" IA-3(3)(a)[2] "defines lease duration to be employed to standardize dynamic address allocation for devices;" IA-3(3)(a)[3] "standardizes dynamic address allocation of lease information assigned to devices in accordance with organization-defined lease information;" IA-3(3)(a)[4] "standardizes dynamic address allocation of the lease duration assigned to devices in accordance with organization-defined lease duration; and" IA-3(3)(b) "audits lease information when assigned to a device." 
IDENTIFICATION AND AUTHENTICATION IA-3(4) DEVICE ATTESTATION "Determine if the organization: " Identification and authentication policy;procedures addressing device identification and authentication;procedures addressing device configuration management;information system design documentation;information system configuration settings and associated documentation;configuration management records;change control records;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing device identification and authentication capability;automated mechanisms supporting and/or implementing configuration management;cryptographic mechanisms supporting device attestation Organizational personnel with operational responsibilities for device identification and authentication;organizational personnel with information security responsibilities;system/network administrators IA-3(4)[1] "defines configuration management process to be employed to handle device identification and authentication based on attestation; and" IA-3(4)[2] "ensures that device identification and authentication based on attestation is handled by organization-defined configuration management process." 
IDENTIFICATION AND AUTHENTICATION IA-4 IDENTIFIER MANAGEMENT "Determine if the organization manages information system identifiers by: " Identification and authentication policy;procedures addressing identifier management;procedures addressing account management;security plan;information system design documentation;information system configuration settings and associated documentation;list of information system accounts;list of identifiers generated from physical access control devices;other relevant documents or records Automated mechanisms supporting and/or implementing identifier management Organizational personnel with identifier management responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers IA-4(a) IA-4(a)[1] "defining personnel or roles from whom authorization must be received to assign:" IA-4(a)[1][a] "an individual identifier;" IA-4(a)[1][b] "a group identifier;" IA-4(a)[1][c] "a role identifier; and/or" IA-4(a)[1][d] "a device identifier;" IA-4(a)[2] "receiving authorization from organization-defined personnel or roles to assign:" IA-4(a)[2][a] "an individual identifier;" IA-4(a)[2][b] "a group identifier;" IA-4(a)[2][c] "a role identifier; and/or" IA-4(a)[2][d] "a device identifier;" IA-4(b) "selecting an identifier that identifies:" IA-4(b)[1] "an individual;" IA-4(b)[2] "a group;" IA-4(b)[3] "a role; and/or" IA-4(b)[4] "a device;" IA-4(c) "assigning the identifier to the intended:" IA-4(c)[1] "individual;" IA-4(c)[2] "group;" IA-4(c)[3] "role; and/or" IA-4(c)[4] "device;" IA-4(d) IA-4(d)[1] "defining a time period for preventing reuse of identifiers;" IA-4(d)[2] "preventing reuse of identifiers for the organization-defined time period;" IA-4(e) IA-4(e)[1] "defining a time period of inactivity to disable the identifier; and" IA-4(e)[2] "disabling the identifier after the organization-defined time period of inactivity." 
IDENTIFICATION AND AUTHENTICATION IA-4(1) PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS "Determine if the organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts. " Identification and authentication policy;procedures addressing identifier management;procedures addressing account management;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing identifier management Organizational personnel with identifier management responsibilities;organizational personnel with information security responsibilities;system/network administrators IDENTIFICATION AND AUTHENTICATION IA-4(2) SUPERVISOR AUTHORIZATION "Determine if the organization requires that the registration process to receive an individual identifier includes supervisor authorization. " Identification and authentication policy;procedures addressing identifier management;procedures addressing account management;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing identifier management Organizational personnel with identifier management responsibilities;supervisors responsible for authorizing identifier registration;organizational personnel with information security responsibilities;system/network administrators IDENTIFICATION AND AUTHENTICATION IA-4(3) MULTIPLE FORMS OF CERTIFICATION "Determine if the organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority." 
Identification and authentication policy;procedures addressing identifier management;procedures addressing account management;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing identifier management Organizational personnel with identifier management responsibilities;organizational personnel with information security responsibilities IDENTIFICATION AND AUTHENTICATION IA-4(4) IDENTIFY USER STATUS "Determine if the organization: " Identification and authentication policy;procedures addressing identifier management;procedures addressing account management;list of characteristics identifying individual status;other relevant documents or records Automated mechanisms supporting and/or implementing identifier management Organizational personnel with identifier management responsibilities;organizational personnel with information security responsibilities;system/network administrators IA-4(4)[1] "defines a characteristic to be used to identify individual status; and" IA-4(4)[2] "manages individual identifiers by uniquely identifying each individual as the organization-defined characteristic identifying individual status." IDENTIFICATION AND AUTHENTICATION IA-4(5) DYNAMIC MANAGEMENT "Determine if the information system dynamically manages identifiers. 
" Identification and authentication policy;procedures addressing identifier management;procedures addressing account management;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing dynamic identifier management Organizational personnel with identifier management responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers IDENTIFICATION AND AUTHENTICATION IA-4(6) CROSS-ORGANIZATION MANAGEMENT "Determine if the organization: " Identification and authentication policy;procedures addressing identifier management;procedures addressing account management;security plan;other relevant documents or records Automated mechanisms supporting and/or implementing identifier management Organizational personnel with identifier management responsibilities;organizational personnel with information security responsibilities IA-4(6)[1] "defines external organizations with whom to coordinate cross-organization management of identifiers; and" IA-4(6)[2] "coordinates with organization-defined external organizations for cross-organization management of identifiers." IDENTIFICATION AND AUTHENTICATION IA-4(7) IN-PERSON REGISTRATION "Determine if the organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority. 
" Identification and authentication policy;procedures addressing identifier management;procedures addressing account management;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Organizational personnel with identifier management responsibilities;organizational personnel with information security responsibilities IDENTIFICATION AND AUTHENTICATION IA-5 AUTHENTICATOR MANAGEMENT "Determine if the organization manages information system authenticators by: " Identification and authentication policy;procedures addressing authenticator management;information system design documentation;information system configuration settings and associated documentation;list of information system authenticator types;change control records associated with managing information system authenticators;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing authenticator management capability Organizational personnel with authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators IA-5(a) "verifying, as part of the initial authenticator distribution, the identity of:" IA-5(a)[1] "the individual receiving the authenticator;" IA-5(a)[2] "the group receiving the authenticator;" IA-5(a)[3] "the role receiving the authenticator; and/or" IA-5(a)[4] "the device receiving the authenticator;" IA-5(b) "establishing initial authenticator content for authenticators defined by the organization;" IA-5(c) "ensuring that authenticators have sufficient strength of mechanism for their intended use;" IA-5(d) IA-5(d)[1] "establishing and implementing administrative procedures for initial authenticator distribution;" IA-5(d)[2] "establishing and implementing administrative procedures for lost/compromised or damaged authenticators;" IA-5(d)[3] 
"establishing and implementing administrative procedures for revoking authenticators;" IA-5(e) "changing default content of authenticators prior to information system installation;" IA-5(f) IA-5(f)[1] "establishing minimum lifetime restrictions for authenticators;" IA-5(f)[2] "establishing maximum lifetime restrictions for authenticators;" IA-5(f)[3] "establishing reuse conditions for authenticators;" IA-5(g) IA-5(g)[1] "defining a time period (by authenticator type) for changing/refreshing authenticators;" IA-5(g)[2] "changing/refreshing authenticators with the organization-defined time period by authenticator type;" IA-5(h) "protecting authenticator content from unauthorized:" IA-5(h)[1] "disclosure;" IA-5(h)[2] "modification;" IA-5(i) IA-5(i)[1] "requiring individuals to take specific security safeguards to protect authenticators;" IA-5(i)[2] "having devices implement specific security safeguards to protect authenticators; and" IA-5(j) "changing authenticators for group/role accounts when membership to those accounts changes." 
IDENTIFICATION AND AUTHENTICATION IA-5(1) PASSWORD-BASED AUTHENTICATION "Determine if, for password-based authentication: " Identification and authentication policy;password policy;procedures addressing authenticator management;security plan;information system design documentation;information system configuration settings and associated documentation;password configurations and associated documentation;other relevant documents or records Automated mechanisms supporting and/or implementing password-based authenticator management capability Organizational personnel with authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers IA-5(1)(a) IA-5(1)(a)[1] "the organization defines requirements for case sensitivity;" IA-5(1)(a)[2] "the organization defines requirements for number of characters;" IA-5(1)(a)[3] "the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;" IA-5(1)(a)[4] "the organization defines minimum requirements for each type of character;" IA-5(1)(a)[5] "the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;" IA-5(1)(b) IA-5(1)(b)[1] "the organization defines a minimum number of changed characters to be enforced when new passwords are created;" IA-5(1)(b)[2] "the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;" IA-5(1)(c) "the information system stores and transmits only encrypted representations of passwords;" IA-5(1)(d) IA-5(1)(d)[1] "the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;" IA-5(1)(d)[2] "the organization defines numbers 
for password maximum lifetime restrictions to be enforced for passwords;" IA-5(1)(d)[3] "the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;" IA-5(1)(d)[4] "the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;" IA-5(1)(e) IA-5(1)(e)[1] "the organization defines the number of password generations to be prohibited from password reuse;" IA-5(1)(e)[2] "the information system prohibits password reuse for the organization-defined number of generations; and" IA-5(1)(f) "the information system allows the use of a temporary password for system logons with an immediate change to a permanent password." IDENTIFICATION AND AUTHENTICATION IA-5(2) PKI-BASED AUTHENTICATION "Determine if the information system, for PKI-based authentication: " Identification and authentication policy;procedures addressing authenticator management;security plan;information system design documentation;information system configuration settings and associated documentation;PKI certification validation records;PKI certification revocation lists;other relevant documents or records Automated mechanisms supporting and/or implementing PKI-based, authenticator management capability Organizational personnel with PKI-based, authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers IA-5(2)(a) IA-5(2)(a)[1] "validates certifications by constructing a certification path to an accepted trust anchor;" IA-5(2)(a)[2] "validates certifications by verifying a certification path to an accepted trust anchor;" IA-5(2)(a)[3] "includes checking certificate status information when constructing and verifying the certification path;" IA-5(2)(b) "enforces authorized access to the corresponding private key;" IA-5(2)(c) "maps the authenticated identity to the account of the individual or 
group; and" IA-5(2)(d) "implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network." IDENTIFICATION AND AUTHENTICATION IA-5(3) IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION "Determine if the organization: " Identification and authentication policy;procedures addressing authenticator management;registration process for receiving information system authenticators;list of authenticators requiring in-person registration;list of authenticators requiring trusted third party registration;authenticator registration documentation;other relevant documents or records Organizational personnel with authenticator management responsibilities;registration authority;organizational personnel with information security responsibilities IA-5(3)[1] "defines types of and/or specific authenticators to be received in person or by a trusted third party;" IA-5(3)[2] "defines the registration authority with oversight of the registration process for receipt of organization-defined types of and/or specific authenticators;" IA-5(3)[3] "defines personnel or roles responsible for authorizing organization-defined registration authority;" IA-5(3)[4] "defines if the registration process is to be conducted:" IA-5(3)[4][a] "in person; or" IA-5(3)[4][b] "by a trusted third party; and" IA-5(3)[5] "requires that the registration process to receive organization-defined types of and/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles." 
IDENTIFICATION AND AUTHENTICATION IA-5(4) AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION "Determine if the organization: " Identification and authentication policy;procedures addressing authenticator management;information system design documentation;information system configuration settings and associated documentation;automated tools for evaluating password authenticators;password strength assessment results;other relevant documents or records Automated mechanisms supporting and/or implementing password-based authenticator management capability;automated tools for determining password strength Organizational personnel with authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators IA-5(4)[1] "defines requirements to be satisfied by password authenticators; and" IA-5(4)[2] "employs automated tools to determine if password authenticators are sufficiently strong to satisfy organization-defined requirements." IDENTIFICATION AND AUTHENTICATION IA-5(5) CHANGE AUTHENTICATORS PRIOR TO DELIVERY "Determine if the organization requires developers/installers of information system components to: " Identification and authentication policy;system and services acquisition policy;procedures addressing authenticator management;procedures addressing the integration of security requirements into the acquisition process;acquisition documentation;acquisition contracts for information system procurements or services;other relevant documents or records Automated mechanisms supporting and/or implementing authenticator management capability Organizational personnel with authenticator management responsibilities;organizational personnel with information system security, acquisition, and contracting responsibilities;system developers IA-5(5)[1] "provide unique authenticators prior to delivery/installation; or" IA-5(5)[2] "change default authenticators prior to delivery/installation." 
IDENTIFICATION AND AUTHENTICATION IA-5(6) PROTECTION OF AUTHENTICATORS "Determine if the organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access." Identification and authentication policy;procedures addressing authenticator management;security categorization documentation for the information system;security assessments of authenticator protections;risk assessment results;security plan;other relevant documents or records Automated mechanisms supporting and/or implementing authenticator management capability;automated mechanisms protecting authenticators Organizational personnel with authenticator management responsibilities;organizational personnel implementing and/or maintaining authenticator protections;organizational personnel with information security responsibilities;system/network administrators IDENTIFICATION AND AUTHENTICATION IA-5(7) NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS "Determine if the organization ensures that unencrypted static authenticators are not: " Identification and authentication policy;procedures addressing authenticator management;information system design documentation;information system configuration settings and associated documentation;logical access scripts;application code reviews for detecting unencrypted static authenticators;other relevant documents or records Automated mechanisms supporting and/or implementing authenticator management capability;automated mechanisms implementing authentication in applications Organizational personnel with authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers IA-5(7)[1] "embedded in applications;" IA-5(7)[2] "embedded in access scripts; or" IA-5(7)[3] "stored on function keys." 
IDENTIFICATION AND AUTHENTICATION IA-5(8) MULTIPLE INFORMATION SYSTEM ACCOUNTS "Determine if the organization: " Identification and authentication policy;procedures addressing authenticator management;security plan;list of individuals having accounts on multiple information systems;list of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple information systems;other relevant documents or records Automated mechanisms supporting and/or implementing safeguards for authenticator management Organizational personnel with authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators IA-5(8)[1] "defines security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems; and" IA-5(8)[2] "implements organization-defined security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems." IDENTIFICATION AND AUTHENTICATION IA-5(9) CROSS-ORGANIZATIONAL CREDENTIAL MANAGEMENT "Determine if the organization: " Identification and authentication policy;procedures addressing authenticator management;procedures addressing account management;security plan;information security agreements;other relevant documents or records Automated mechanisms supporting and/or implementing safeguards for authenticator management Organizational personnel with authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators IA-5(9)[1] "defines external organizations with whom to coordinate cross-organizational management of credentials; and" IA-5(9)[2] "coordinates with organization-defined external organizations for cross-organizational management of credentials." 
IDENTIFICATION AND AUTHENTICATION IA-5(10) DYNAMIC CREDENTIAL ASSOCIATION "Determine if the information system dynamically provisions identifiers." Identification and authentication policy;procedures addressing identifier management;security plan;information system design documentation;automated mechanisms providing dynamic binding of identifiers and authenticators;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms implementing identifier management capability;automated mechanisms implementing dynamic provisioning of identifiers Organizational personnel with identifier management responsibilities;organizational personnel with information security responsibilities;system/network administrators IDENTIFICATION AND AUTHENTICATION IA-5(11) HARDWARE TOKEN-BASED AUTHENTICATION "Determine if, for hardware token-based authentication: " Identification and authentication policy;procedures addressing authenticator management;security plan;information system design documentation;automated mechanisms employing hardware token-based authentication for the information system;list of token quality requirements;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability Organizational personnel with authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers IA-5(11)[1] "the organization defines token quality requirements to be satisfied; and" IA-5(11)[2] "the information system employs mechanisms that satisfy organization-defined token quality requirements." 
IDENTIFICATION AND AUTHENTICATION IA-5(12) BIOMETRIC AUTHENTICATION "Determine if, for biometric-based authentication: " Identification and authentication policy;procedures addressing authenticator management;security plan;information system design documentation;automated mechanisms employing biometric-based authentication for the information system;list of biometric quality requirements;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing biometric-based authenticator management capability Organizational personnel with authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers IA-5(12)[1] "the organization defines biometric quality requirements to be satisfied; and" IA-5(12)[2] "the information system employs mechanisms that satisfy organization-defined biometric quality requirements." IDENTIFICATION AND AUTHENTICATION IA-5(13) EXPIRATION OF CACHED AUTHENTICATORS "Determine if: " Identification and authentication policy;procedures addressing authenticator management;security plan;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing authenticator management capability Organizational personnel with authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers IA-5(13)[1] "the organization defines the time period after which the information system is to prohibit the use of cached authenticators; and" IA-5(13)[2] "the information system prohibits the use of cached authenticators after the organization-defined time period." 
IDENTIFICATION AND AUTHENTICATION IA-5(14) MANAGING CONTENT OF PKI TRUST STORES "Determine if the organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including: " Identification and authentication policy;procedures addressing authenticator management;security plan;organizational methodology for managing content of PKI trust stores across installed all platforms;information system design documentation;information system configuration settings and associated documentation;enterprise security architecture documentation;enterprise architecture documentation;other relevant documents or records Automated mechanisms supporting and/or implementing PKI-based authenticator management capability;automated mechanisms supporting and/or implementing the PKI trust store capability Organizational personnel with authenticator management responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers IA-5(14)[1] "networks;" IA-5(14)[2] "operating systems;" IA-5(14)[3] "browsers; and" IA-5(14)[4] "applications." IDENTIFICATION AND AUTHENTICATION IA-5(15) FICAM-APPROVED PRODUCTS AND SERVICES "Determine if the organization uses only FICAM-approved path discovery and validation products and services." 
Identification and authentication policy;procedures addressing identifier management;security plan;information system design documentation;automated mechanisms providing dynamic binding of identifiers and authenticators;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing account management capability;automated mechanisms supporting and/or implementing identification and authentication management capability for the information system Organizational personnel with identification and authentication management responsibilities;organizational personnel with information security responsibilities;system/network administrators IDENTIFICATION AND AUTHENTICATION IA-6 AUTHENTICATOR FEEDBACK "Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals." Identification and authentication policy;procedures addressing authenticator feedback;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication Organizational personnel with information security responsibilities;system/network administrators;system developers IDENTIFICATION AND AUTHENTICATION IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION "Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication." 
Identification and authentication policy;procedures addressing cryptographic module authentication;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing cryptographic module authentication Organizational personnel with responsibility for cryptographic module authentication;organizational personnel with information security responsibilities;system/network administrators;system developers IDENTIFICATION AND AUTHENTICATION IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) "Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)." Identification and authentication policy;procedures addressing user identification and authentication;information system design documentation;information system configuration settings and associated documentation;information system audit records;list of information system accounts;other relevant documents or records Automated mechanisms supporting and/or implementing identification and authentication capability Organizational personnel with information system operations responsibilities;organizational personnel with information security responsibilities;system/network administrators;organizational personnel with account management responsibilities IDENTIFICATION AND AUTHENTICATION IA-8(1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES "Determine if the information system: " Identification and authentication policy;procedures addressing user identification and authentication;information system design documentation;information system configuration settings and associated documentation;information system audit records;PIV verification records;evidence of PIV credentials;PIV credential authorizations;other relevant documents or records Automated 
mechanisms supporting and/or implementing identification and authentication capability;automated mechanisms that accept and verify PIV credentials Organizational personnel with information system operations responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers;organizational personnel with account management responsibilities IA-8(1)[1] "accepts Personal Identity Verification (PIV) credentials from other agencies; and" IA-8(1)[2] "electronically verifies Personal Identity Verification (PIV) credentials from other agencies." IDENTIFICATION AND AUTHENTICATION IA-8(2) ACCEPTANCE OF THIRD-PARTY CREDENTIALS "Determine if the information system accepts only FICAM-approved third-party credentials. " Identification and authentication policy;procedures addressing user identification and authentication;information system design documentation;information system configuration settings and associated documentation;information system audit records;list of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization;third-party credential verification records;evidence of FICAM-approved third-party credentials;third-party credential authorizations;other relevant documents or records Automated mechanisms supporting and/or implementing identification and authentication capability;automated mechanisms that accept FICAM-approved credentials Organizational personnel with information system operations responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers;organizational personnel with account management responsibilities IDENTIFICATION AND AUTHENTICATION IA-8(3) USE OF FICAM-APPROVED PRODUCTS "Determine if the organization: " Identification and authentication policy;system and services acquisition policy;procedures addressing user identification and authentication;procedures 
addressing the integration of security requirements into the acquisition process;information system design documentation;information system configuration settings and associated documentation;information system audit records;third-party credential validations;third-party credential authorizations;third-party credential records;list of FICAM-approved information system components procured and implemented by organization;acquisition documentation;acquisition contracts for information system procurements or services;other relevant documents or records Automated mechanisms supporting and/or implementing identification and authentication capability Organizational personnel with information system operations responsibilities;system/network administrators;organizational personnel with account management responsibilities;organizational personnel with information system security, acquisition, and contracting responsibilities IA-8(3)[1] "defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and" IA-8(3)[2] "employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials." IDENTIFICATION AND AUTHENTICATION IA-8(4) USE OF FICAM-ISSUED PROFILES "Determine if the information system conforms to FICAM-issued profiles. 
" Identification and authentication policy;system and services acquisition policy;procedures addressing user identification and authentication;procedures addressing the integration of security requirements into the acquisition process;information system design documentation;information system configuration settings and associated documentation;information system audit records;list of FICAM-issued profiles and associated, approved protocols;acquisition documentation;acquisition contracts for information system procurements or services;other relevant documents or records Automated mechanisms supporting and/or implementing identification and authentication capability;automated mechanisms supporting and/or implementing conformance with FICAM-issued profiles Organizational personnel with information system operations responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers;organizational personnel with account management responsibilities IDENTIFICATION AND AUTHENTICATION IA-8(5) ACCEPTANCE OF PIV-I CREDENTIALS "Determine if the information system: " Identification and authentication policy;procedures addressing user identification and authentication;information system design documentation;information system configuration settings and associated documentation;information system audit records;PIV-I verification records;evidence of PIV-I credentials;PIV-I credential authorizations;other relevant documents or records Automated mechanisms supporting and/or implementing identification and authentication capability;automated mechanisms that accept and verify PIV-I credentials Organizational personnel with information system operations responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers;organizational personnel with account management responsibilities IA-8(5)[1] "accepts Personal Identity Verification-I (PIV-I) credentials; 
and" IA-8(5)[2] "electronically verifies Personal Identity Verification-I (PIV-I) credentials." IDENTIFICATION AND AUTHENTICATION IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION "Determine if the organization: " Identification and authentication policy;procedures addressing service identification and authentication;security plan;information system design documentation;security safeguards used to identify and authenticate information system services;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Security safeguards implementing service identification and authentication capability Organizational personnel with information system operations responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers;organizational personnel with identification and authentication responsibilities IA-9[1] "defines information system services to be identified and authenticated using security safeguards;" IA-9[2] "defines security safeguards to be used to identify and authenticate organization-defined information system services; and" IA-9[3] "identifies and authenticates organization-defined information system services using organization-defined security safeguards." 
IDENTIFICATION AND AUTHENTICATION IA-9(1) INFORMATION EXCHANGE "Determine if the organization ensures that service providers: " Identification and authentication policy;procedures addressing service identification and authentication;security plan;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms implementing service identification and authentication capabilities Organizational personnel with identification and authentication responsibilities;organizational personnel with information security responsibilities;system/network administrators;service providers IA-9(1)[1] "receive identification and authentication information;" IA-9(1)[2] "validate identification and authentication information; and" IA-9(1)[3] "transmit identification and authentication information." IDENTIFICATION AND AUTHENTICATION IA-9(2) TRANSMISSION OF DECISIONS "Determine if the organization: " Identification and authentication policy;procedures addressing service identification and authentication;security plan;information system design documentation;information system configuration settings and associated documentation;information system audit records;transmission records;transmission verification records;rules for identification and authentication transmission decisions between organizational services;other relevant documents or records Automated mechanisms implementing service identification and authentication capabilities Organizational personnel with identification and authentication responsibilities;organizational personnel with information security responsibilities;system/network administrators IA-9(2)[1] "defines services for which identification and authentication decisions transmitted between such services are to be consistent with organizational policies; and" IA-9(2)[2] "ensures that identification and authentication decisions are 
transmitted between organization-defined services consistent with organizational policies." IDENTIFICATION AND AUTHENTICATION IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION "Determine if the organization: " Identification and authentication policy;procedures addressing adaptive/ supplemental identification and authentication techniques or mechanisms;security plan;information system design documentation;information system configuration settings and associated documentation;supplemental identification and authentication techniques or mechanisms;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing identification and authentication capability Organizational personnel with information system operations responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers;organizational personnel with identification and authentication responsibilities IA-10[1] "defines specific circumstances or situations that require individuals accessing the information system to employ supplemental authentication techniques or mechanisms;" IA-10[2] "defines supplemental authentication techniques or mechanisms to be employed when accessing the information system under specific organization-defined circumstances or situations; and" IA-10[3] "requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations." 
IDENTIFICATION AND AUTHENTICATION IA-11 RE-AUTHENTICATION "Determine if the organization: " Identification and authentication policy;procedures addressing user and device re-authentication;security plan;information system design documentation;information system configuration settings and associated documentation;list of circumstances or situations requiring re-authentication;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing identification and authentication capability Organizational personnel with information system operations responsibilities;organizational personnel with information security responsibilities;system/network administrators;system developers;organizational personnel with identification and authentication responsibilities IA-11[1] "defines circumstances or situations requiring re-authentication;" IA-11[2] "requires users to re-authenticate when organization-defined circumstances or situations require re-authentication; and" IA-11[3] "requires devices to re-authenticate when organization-defined circumstances or situations require re-authentication." 
INCIDENT RESPONSE IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES "Determine if the organization:" Incident response policy and procedures;other relevant documents or records Organizational personnel with incident response responsibilities;organizational personnel with information security responsibilities IR-1(a)(1) IR-1(a)(1)[1] "develops and documents an incident response policy that addresses:" IR-1(a)(1)[1][a] "purpose;" IR-1(a)(1)[1][b] "scope;" IR-1(a)(1)[1][c] "roles;" IR-1(a)(1)[1][d] "responsibilities;" IR-1(a)(1)[1][e] "management commitment;" IR-1(a)(1)[1][f] "coordination among organizational entities;" IR-1(a)(1)[1][g] "compliance;" IR-1(a)(1)[2] "defines personnel or roles to whom the incident response policy is to be disseminated;" IR-1(a)(1)[3] "disseminates the incident response policy to organization-defined personnel or roles;" IR-1(a)(2) IR-1(a)(2)[1] "develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;" IR-1(a)(2)[2] "defines personnel or roles to whom the procedures are to be disseminated;" IR-1(a)(2)[3] "disseminates the procedures to organization-defined personnel or roles;" IR-1(b)(1) IR-1(b)(1)[1] "defines the frequency to review and update the current incident response policy;" IR-1(b)(1)[2] "reviews and updates the current incident response policy with the organization-defined frequency;" IR-1(b)(2) IR-1(b)(2)[1] "defines the frequency to review and update the current incident response procedures; and" IR-1(b)(2)[2] "reviews and updates the current incident response procedures with the organization-defined frequency." 
INCIDENT RESPONSE IR-2 INCIDENT RESPONSE TRAINING "Determine if the organization:" Incident response policy;procedures addressing incident response training;incident response training curriculum;incident response training materials;security plan;incident response plan;security plan;incident response training records;other relevant documents or records Organizational personnel with incident response training and operational responsibilities;organizational personnel with information security responsibilities IR-2(a) IR-2(a)[1] "defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;" IR-2(a)[2] "provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;" IR-2(b) "provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;" IR-2(c) IR-2(c)[1] "defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and" IR-2(c)[2] "after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training." INCIDENT RESPONSE IR-2(1) SIMULATED EVENTS "Determine if the organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations. 
" Incident response policy;procedures addressing incident response training;incident response training curriculum;incident response training materials;incident response plan;security plan;other relevant documents or records Automated mechanisms that support and/or implement simulated events for incident response training Organizational personnel with incident response training and operational responsibilities;organizational personnel with information security responsibilities INCIDENT RESPONSE IR-2(2) AUTOMATED TRAINING ENVIRONMENTS "Determine if the organization employs automated mechanisms to provide a more thorough and realistic incident response training environment. " Incident response policy;procedures addressing incident response training;incident response training curriculum;incident response training materials;automated mechanisms supporting incident response training;incident response plan;security plan;other relevant documents or records Automated mechanisms that provide a thorough and realistic incident response training environment Organizational personnel with incident response training and operational responsibilities;organizational personnel with information security responsibilities INCIDENT RESPONSE IR-3 INCIDENT RESPONSE TESTING "Determine if the organization: " Incident response policy;contingency planning policy;procedures addressing incident response testing;procedures addressing contingency plan testing;incident response testing material;incident response test results;incident response test plan;incident response plan;contingency plan;security plan;other relevant documents or records Organizational personnel with incident response testing responsibilities;organizational personnel with information security responsibilities IR-3[1] "defines incident response tests to test the incident response capability for the information system;" IR-3[2] "defines the frequency to test the incident response capability for the information system; and" IR-3[3] 
"tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results." INCIDENT RESPONSE IR-3(1) AUTOMATED TESTING "Determine if the organization employs automated mechanisms to more thoroughly and effectively test the incident response capability." Incident response policy;contingency planning policy;procedures addressing incident response testing;procedures addressing contingency plan testing;incident response testing documentation;incident response test results;incident response test plan;incident response plan;contingency plan;security plan;automated mechanisms supporting incident response tests;other relevant documents or records Automated mechanisms that more thoroughly and effectively test the incident response capability Organizational personnel with incident response testing responsibilities;organizational personnel with information security responsibilities INCIDENT RESPONSE IR-3(2) COORDINATION WITH RELATED PLANS "Determine if the organization coordinates incident response testing with organizational elements responsible for related plans. 
" Incident response policy;contingency planning policy;procedures addressing incident response testing;incident response testing documentation;incident response plan;business continuity plans;contingency plans;disaster recovery plans;continuity of operations plans;crisis communications plans;critical infrastructure plans;occupant emergency plans;security plan;other relevant documents or records Organizational personnel with incident response testing responsibilities;organizational personnel with responsibilities for testing organizational plans related to incident response testing;organizational personnel with information security responsibilities INCIDENT RESPONSE IR-4 INCIDENT HANDLING "Determine if the organization:" Incident response policy;contingency planning policy;procedures addressing incident handling;incident response plan;contingency plan;security plan;other relevant documents or records Incident handling capability for the organization Organizational personnel with incident handling responsibilities;organizational personnel with contingency planning responsibilities;organizational personnel with information security responsibilities IR-4(a) "implements an incident handling capability for security incidents that includes:" IR-4(a)[1] "preparation;" IR-4(a)[2] "detection and analysis;" IR-4(a)[3] "containment;" IR-4(a)[4] "eradication;" IR-4(a)[5] "recovery;" IR-4(b) "coordinates incident handling activities with contingency planning activities;" IR-4(c) IR-4(c)[1] "incorporates lessons learned from ongoing incident handling activities into:" IR-4(c)[1][a] "incident response procedures;" IR-4(c)[1][b] "training;" IR-4(c)[1][c] "testing/exercises;" IR-4(c)[2] "implements the resulting changes accordingly to:" IR-4(c)[2][a] "incident response procedures;" IR-4(c)[2][b] "training; and" IR-4(c)[2][c] "testing/exercises." 
INCIDENT RESPONSE IR-4(1) AUTOMATED INCIDENT HANDLING PROCESSES "Determine if the organization employs automated mechanisms to support the incident handling process. " Incident response policy;procedures addressing incident handling;automated mechanisms supporting incident handling;information system design documentation;information system configuration settings and associated documentation;information system audit records;incident response plan;security plan;other relevant documents or records Automated mechanisms that support and/or implement the incident handling process Organizational personnel with incident handling responsibilities;organizational personnel with information security responsibilities INCIDENT RESPONSE IR-4(2) DYNAMIC RECONFIGURATION "Determine if the organization:" Incident response policy;procedures addressing incident handling;automated mechanisms supporting incident handling;list of system components to be dynamically reconfigured as part of incident response capability;information system design documentation;information system configuration settings and associated documentation;information system audit records;incident response plan;security plan;other relevant documents or records Automated mechanisms that support and/or implement dynamic reconfiguration of components as part of incident response Organizational personnel with incident handling responsibilities;organizational personnel with information security responsibilities IR-4(2)[1] "defines information system components to be dynamically reconfigured as part of the incident response capability; and" IR-4(2)[2] "includes dynamic reconfiguration of organization-defined information system components as part of the incident response capability." 
INCIDENT RESPONSE IR-4(3) CONTINUITY OF OPERATIONS "Determine if the organization:" Incident response policy;procedures addressing incident handling;incident response plan;security plan;list of classes of incidents;list of appropriate incident response actions;other relevant documents or records Automated mechanisms that support and/or implement continuity of operations Organizational personnel with incident handling responsibilities;organizational personnel with information security responsibilities IR-4(3)[1] "defines classes of incidents requiring an organization-defined action to be taken;" IR-4(3)[2] "defines actions to be taken in response to organization-defined classes of incidents; and" IR-4(3)[3] "identifies organization-defined classes of incidents and organization-defined actions to take in response to classes of incidents to ensure continuation of organizational missions and business functions." INCIDENT RESPONSE IR-4(4) INFORMATION CORRELATION "Determine if the organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. 
" Incident response policy;procedures addressing incident handling;incident response plan;security plan;automated mechanisms supporting incident and event correlation;information system design documentation;information system configuration settings and associated documentation;incident management correlation logs;event management correlation logs;security information and event management logs;incident management correlation reports;event management correlation reports;security information and event management reports;audit records;other relevant documents or records Organizational processes for correlating incident information and individual incident responses;automated mechanisms that support and or implement correlation of incident response information with individual incident responses Organizational personnel with incident handling responsibilities;organizational personnel with information security responsibilities;organizational personnel with whom incident information and individual incident responses are to be correlated INCIDENT RESPONSE IR-4(5) AUTOMATIC DISABLING OF INFORMATION SYSTEM. 
"Determine if the organization:" Incident response policy;procedures addressing incident handling;automated mechanisms supporting incident handling;information system design documentation;information system configuration settings and associated documentation;incident response plan;security plan;other relevant documents or records Incident handling capability for the organization;automated mechanisms supporting and/or implementing automatic disabling of the information system Organizational personnel with incident handling responsibilities;organizational personnel with information security responsibilities;system developers IR-4(5)[1] "defines security violations that, if detected, initiate a configurable capability to automatically disable the information system; and" IR-4(5)[2] "implements a configurable capability to automatically disable the information system if any of the organization-defined security violations are detected." INCIDENT RESPONSE IR-4(6) INSIDER THREATS – SPECIFIC CAPABILITIES "Determine if the organization implements incident handling capability for insider threats." 
Incident response policy;procedures addressing incident handling;automated mechanisms supporting incident handling;information system design documentation;information system configuration settings and associated documentation;incident response plan;security plan;audit records;other relevant documents or records Incident handling capability for the organization Organizational personnel with incident handling responsibilities;organizational personnel with information security responsibilities INCIDENT RESPONSE IR-4(7) INSIDER THREATS – INTRA-ORGANIZATION COORDINATION "Determine if the organization:" Incident response policy;procedures addressing incident handling;incident response plan;security plan;other relevant documents or records Organizational processes for coordinating incident handling Organizational personnel with incident handling responsibilities;organizational personnel with information security responsibilities;organizational personnel/elements with whom incident handling capability is to be coordinated IR-4(7)[1] "defines components or elements of the organization with whom the incident handling capability for insider threats is to be coordinated; and" IR-4(7)[2] "coordinates incident handling capability for insider threats across organization-defined components or elements of the organization." 
INCIDENT RESPONSE IR-4(8) CORRELATION WITH EXTERNAL ORGANIZATIONS "Determine if the organization: " Incident response policy;procedures addressing incident handling;list of external organizations;records of incident handling coordination with external organizations;incident response plan;security plan;other relevant documents or records Organizational processes for coordinating incident handling information with external organizations Organizational personnel with incident handling responsibilities;organizational personnel with information security responsibilities;personnel from external organizations with whom incident response information is to be coordinated/shared/correlated IR-4(8)[1] "defines external organizations with whom organizational incident information is to be coordinated;" IR-4(8)[2] "defines incident information to be correlated and shared with organization-defined external organizations; and" IR-4(8)[3] "the organization coordinates with organization-defined external organizations to correlate and share organization-defined information to achieve a cross-organization perspective on incident awareness and more effective incident responses." 
FAMILY: INCIDENT RESPONSE
NAME: IR-4(9)
TITLE: DYNAMIC RESPONSE CAPABILITY
DECISION: Determine if the organization:
  IR-4(9)[1] defines dynamic response capabilities to be employed to effectively respond to security incidents; and
  IR-4(9)[2] employs organization-defined dynamic response capabilities to effectively respond to security incidents.
EXAMINE: Incident response policy; procedures addressing incident handling; automated mechanisms supporting dynamic response capabilities; information system design documentation; information system configuration settings and associated documentation; incident response plan; security plan; audit records; other relevant documents or records
TEST: Organizational processes for dynamic response capability; automated mechanisms supporting and/or implementing the dynamic response capability for the organization
INTERVIEW: Organizational personnel with incident handling responsibilities; organizational personnel with information security responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-4(10)
TITLE: SUPPLY CHAIN COORDINATION
DECISION: Determine if the organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
EXAMINE: Incident response policy; procedures addressing supply chain coordination; acquisition contracts; service-level agreements; incident response plan; security plan; incident response plans of other organizations involved in supply chain activities; other relevant documents or records
INTERVIEW: Organizational personnel with incident handling responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-5
TITLE: INCIDENT MONITORING
DECISION: Determine if the organization:
  IR-5[1] tracks information system security incidents; and
  IR-5[2] documents information system security incidents.
EXAMINE: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; incident response plan; security plan; other relevant documents or records
TEST: Incident monitoring capability for the organization; automated mechanisms supporting and/or implementing tracking and documenting of system security incidents
INTERVIEW: Organizational personnel with incident monitoring responsibilities; organizational personnel with information security responsibilities
FAMILY: INCIDENT RESPONSE
NAME: IR-5(1)
TITLE: AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS
DECISION: Determine if the organization employs automated mechanisms to assist in:
  IR-5(1)[1] the tracking of security incidents;
  IR-5(1)[2] the collection of incident information; and
  IR-5(1)[3] the analysis of incident information.
EXAMINE: Incident response policy; procedures addressing incident monitoring; automated mechanisms supporting incident monitoring; information system design documentation; information system configuration settings and associated documentation; incident response plan; security plan; audit records; other relevant documents or records
TEST: Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information
INTERVIEW: Organizational personnel with incident monitoring responsibilities; organizational personnel with information security responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-6
TITLE: INCIDENT REPORTING
DECISION: Determine if the organization:
  IR-6(a)
    IR-6(a)[1] defines the time period within which personnel report suspected security incidents to the organizational incident response capability;
    IR-6(a)[2] requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;
  IR-6(b)
    IR-6(b)[1] defines authorities to whom security incident information is to be reported; and
    IR-6(b)[2] reports security incident information to organization-defined authorities.
EXAMINE: Incident response policy; procedures addressing incident reporting; incident reporting records and documentation; incident response plan; security plan; other relevant documents or records
TEST: Organizational processes for incident reporting; automated mechanisms supporting and/or implementing incident reporting
INTERVIEW: Organizational personnel with incident reporting responsibilities; organizational personnel with information security responsibilities; personnel who have/should have reported incidents; personnel (authorities) to whom incident information is to be reported

FAMILY: INCIDENT RESPONSE
NAME: IR-6(1)
TITLE: AUTOMATED REPORTING
DECISION: Determine if the organization employs automated mechanisms to assist in the reporting of security incidents.
EXAMINE: Incident response policy; procedures addressing incident reporting; automated mechanisms supporting incident reporting; information system design documentation; information system configuration settings and associated documentation; incident response plan; security plan; other relevant documents or records
TEST: Organizational processes for incident reporting; automated mechanisms supporting and/or implementing reporting of security incidents
INTERVIEW: Organizational personnel with incident reporting responsibilities; organizational personnel with information security responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-6(2)
TITLE: VULNERABILITIES RELATED TO INCIDENTS
DECISION: Determine if the organization:
  IR-6(2)[1] defines personnel or roles to whom information system vulnerabilities associated with reported security incidents are to be reported; and
  IR-6(2)[2] reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles.
EXAMINE: Incident response policy; procedures addressing incident reporting; incident response plan; security plan; security incident reports and associated information system vulnerabilities; other relevant documents or records
TEST: Organizational processes for incident reporting; automated mechanisms supporting and/or implementing reporting of vulnerabilities associated with security incidents
INTERVIEW: Organizational personnel with incident reporting responsibilities; organizational personnel with information security responsibilities; system/network administrators; personnel to whom vulnerabilities associated with security incidents are to be reported
FAMILY: INCIDENT RESPONSE
NAME: IR-6(3)
TITLE: COORDINATION WITH SUPPLY CHAIN
DECISION: Determine if the organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
EXAMINE: Incident response policy; procedures addressing supply chain coordination; acquisition contracts; service-level agreements; incident response plan; security plan; plans of other organizations involved in supply chain activities; other relevant documents or records
TEST: Organizational processes for incident reporting; automated mechanisms supporting and/or implementing reporting of incident information involved in the supply chain
INTERVIEW: Organizational personnel with incident reporting responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-7
TITLE: INCIDENT RESPONSE ASSISTANCE
DECISION: Determine if the organization provides an incident response support resource:
  IR-7[1] that is integral to the organizational incident response capability; and
  IR-7[2] that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
EXAMINE: Incident response policy; procedures addressing incident response assistance; incident response plan; security plan; other relevant documents or records
TEST: Organizational processes for incident response assistance; automated mechanisms supporting and/or implementing incident response assistance
INTERVIEW: Organizational personnel with incident response assistance and support responsibilities; organizational personnel with access to incident response support and assistance capability; organizational personnel with information security responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-7(1)
TITLE: AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT
DECISION: Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support.
EXAMINE: Incident response policy; procedures addressing incident response assistance; automated mechanisms supporting incident response support and assistance; information system design documentation; information system configuration settings and associated documentation; incident response plan; security plan; other relevant documents or records
TEST: Organizational processes for incident response assistance; automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support
INTERVIEW: Organizational personnel with incident response support and assistance responsibilities; organizational personnel with access to incident response support and assistance capability; organizational personnel with information security responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-7(2)
TITLE: COORDINATION WITH EXTERNAL PROVIDERS
DECISION: Determine if the organization:
  IR-7(2)(a) establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
  IR-7(2)(b) identifies organizational incident response team members to the external providers.
EXAMINE: Incident response policy; procedures addressing incident response assistance; incident response plan; security plan; other relevant documents or records
INTERVIEW: Organizational personnel with incident response support and assistance responsibilities; external providers of information system protection capability; organizational personnel with information security responsibilities
FAMILY: INCIDENT RESPONSE
NAME: IR-8
TITLE: INCIDENT RESPONSE PLAN
DECISION: Determine if the organization:
  IR-8(a) develops an incident response plan that:
    IR-8(a)(1) provides the organization with a roadmap for implementing its incident response capability;
    IR-8(a)(2) describes the structure and organization of the incident response capability;
    IR-8(a)(3) provides a high-level approach for how the incident response capability fits into the overall organization;
    IR-8(a)(4) meets the unique requirements of the organization, which relate to:
      IR-8(a)(4)[1] mission;
      IR-8(a)(4)[2] size;
      IR-8(a)(4)[3] structure;
      IR-8(a)(4)[4] functions;
    IR-8(a)(5) defines reportable incidents;
    IR-8(a)(6) provides metrics for measuring the incident response capability within the organization;
    IR-8(a)(7) defines the resources and management support needed to effectively maintain and mature an incident response capability;
    IR-8(a)(8)
      IR-8(a)(8)[1] defines personnel or roles to review and approve the incident response plan;
      IR-8(a)(8)[2] is reviewed and approved by organization-defined personnel or roles;
  IR-8(b)
    IR-8(b)[1]
      IR-8(b)[1][a] defines incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed;
      IR-8(b)[1][b] defines organizational elements to whom copies of the incident response plan are to be distributed;
    IR-8(b)[2] distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements;
  IR-8(c)
    IR-8(c)[1] defines the frequency to review the incident response plan;
    IR-8(c)[2] reviews the incident response plan with the organization-defined frequency;
  IR-8(d) updates the incident response plan to address system/organizational changes or problems encountered during plan:
    IR-8(d)[1] implementation;
    IR-8(d)[2] execution; or
    IR-8(d)[3] testing;
  IR-8(e)
    IR-8(e)[1]
      IR-8(e)[1][a] defines incident response personnel (identified by name and/or by role) to whom incident response plan changes are to be communicated;
      IR-8(e)[1][b] defines organizational elements to whom incident response plan changes are to be communicated;
    IR-8(e)[2] communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements; and
  IR-8(f) protects the incident response plan from unauthorized disclosure and modification.
EXAMINE: Incident response policy; procedures addressing incident response planning; incident response plan; records of incident response plan reviews and approvals; other relevant documents or records
TEST: Organizational incident response plan and related organizational processes
INTERVIEW: Organizational personnel with incident response planning responsibilities; organizational personnel with information security responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-9
TITLE: INFORMATION SPILLAGE RESPONSE
DECISION: Determine if the organization:
  IR-9(a) responds to information spills by identifying the specific information causing the information system contamination;
  IR-9(b)
    IR-9(b)[1] defines personnel to be alerted of the information spillage;
    IR-9(b)[2] identifies a method of communication not associated with the information spill to use to alert organization-defined personnel of the spill;
    IR-9(b)[3] responds to information spills by alerting organization-defined personnel of the information spill using a method of communication not associated with the spill;
  IR-9(c) responds to information spills by isolating the contaminated information system;
  IR-9(d) responds to information spills by eradicating the information from the contaminated information system;
  IR-9(e) responds to information spills by identifying other information systems that may have been subsequently contaminated;
  IR-9(f)
    IR-9(f)[1] defines other actions to be performed in response to information spills; and
    IR-9(f)[2] responds to information spills by performing other organization-defined actions.
EXAMINE: Incident response policy; procedures addressing information spillage; incident response plan; records of information spillage alerts/notifications; list of personnel who should receive alerts of information spillage; list of actions to be performed regarding information spillage; other relevant documents or records
TEST: Organizational processes for information spillage response; automated mechanisms supporting and/or implementing information spillage response actions and related communications
INTERVIEW: Organizational personnel with incident response responsibilities; organizational personnel with information security responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-9(1)
TITLE: RESPONSIBLE PERSONNEL
DECISION: Determine if the organization:
  IR-9(1)[1] defines personnel with responsibility for responding to information spills; and
  IR-9(1)[2] assigns organization-defined personnel with responsibility for responding to information spills.
EXAMINE: Incident response policy; procedures addressing information spillage; incident response plan; list of personnel responsible for responding to information spillage; other relevant documents or records
INTERVIEW: Organizational personnel with incident response responsibilities; organizational personnel with information security responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-9(2)
TITLE: TRAINING
DECISION: Determine if the organization:
  IR-9(2)[1] defines the frequency to provide information spillage response training; and
  IR-9(2)[2] provides information spillage response training with the organization-defined frequency.
EXAMINE: Incident response policy; procedures addressing information spillage response training; information spillage response training curriculum; information spillage response training materials; incident response plan; information spillage response training records; other relevant documents or records
INTERVIEW: Organizational personnel with incident response training responsibilities; organizational personnel with information security responsibilities
FAMILY: INCIDENT RESPONSE
NAME: IR-9(3)
TITLE: POST-SPILL OPERATIONS
DECISION: Determine if the organization:
  IR-9(3)[1] defines procedures that ensure organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions; and
  IR-9(3)[2] implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
EXAMINE: Incident response policy; procedures addressing incident handling; procedures addressing information spillage; incident response plan; other relevant documents or records
TEST: Organizational processes for post-spill operations
INTERVIEW: Organizational personnel with incident response responsibilities; organizational personnel with information security responsibilities

FAMILY: INCIDENT RESPONSE
NAME: IR-9(4)
TITLE: EXPOSURE TO UNAUTHORIZED PERSONNEL
DECISION: Determine if the organization:
  IR-9(4)[1] defines security safeguards to be employed for personnel exposed to information not within assigned access authorizations; and
  IR-9(4)[2] employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations.
EXAMINE: Incident response policy; procedures addressing incident handling; procedures addressing information spillage; incident response plan; security safeguards regarding information spillage/exposure to unauthorized personnel; other relevant documents or records
TEST: Organizational processes for dealing with information exposed to unauthorized personnel; automated mechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations
INTERVIEW: Organizational personnel with incident response responsibilities; organizational personnel with information security responsibilities
FAMILY: INCIDENT RESPONSE
NAME: IR-10
TITLE: INTEGRATED INFORMATION SECURITY ANALYSIS TEAM
DECISION: Determine if the organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
EXAMINE: Incident response policy; procedures addressing incident response planning and security analysis team integration; incident response plan; other relevant documents or records
INTERVIEW: Organizational personnel with incident response and information security analysis responsibilities; organizational personnel with information security responsibilities; organizational personnel participating on integrated security analysis teams

FAMILY: MAINTENANCE
NAME: MA-1
TITLE: SYSTEM MAINTENANCE POLICY AND PROCEDURES
DECISION: Determine if the organization:
  MA-1(a)(1)
    MA-1(a)(1)[1] develops and documents a system maintenance policy that addresses:
      MA-1(a)(1)[1][a] purpose;
      MA-1(a)(1)[1][b] scope;
      MA-1(a)(1)[1][c] roles;
      MA-1(a)(1)[1][d] responsibilities;
      MA-1(a)(1)[1][e] management commitment;
      MA-1(a)(1)[1][f] coordination among organizational entities;
      MA-1(a)(1)[1][g] compliance;
    MA-1(a)(1)[2] defines personnel or roles to whom the system maintenance policy is to be disseminated;
    MA-1(a)(1)[3] disseminates the system maintenance policy to organization-defined personnel or roles;
  MA-1(a)(2)
    MA-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;
    MA-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    MA-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  MA-1(b)(1)
    MA-1(b)(1)[1] defines the frequency to review and update the current system maintenance policy;
    MA-1(b)(1)[2] reviews and updates the current system maintenance policy with the organization-defined frequency;
  MA-1(b)(2)
    MA-1(b)(2)[1] defines the frequency to review and update the current system maintenance procedures; and
    MA-1(b)(2)[2] reviews and updates the current system maintenance procedures with the organization-defined frequency.
EXAMINE: Maintenance policy and procedures; other relevant documents or records
INTERVIEW: Organizational personnel with maintenance responsibilities; organizational personnel with information security responsibilities

FAMILY: MAINTENANCE
NAME: MA-2
TITLE: CONTROLLED MAINTENANCE
DECISION: Determine if the organization:
  MA-2(a)
    MA-2(a)[1] schedules maintenance and repairs on information system components in accordance with:
      MA-2(a)[1][a] manufacturer or vendor specifications; and/or
      MA-2(a)[1][b] organizational requirements;
    MA-2(a)[2] performs maintenance and repairs on information system components in accordance with:
      MA-2(a)[2][a] manufacturer or vendor specifications; and/or
      MA-2(a)[2][b] organizational requirements;
    MA-2(a)[3] documents maintenance and repairs on information system components in accordance with:
      MA-2(a)[3][a] manufacturer or vendor specifications; and/or
      MA-2(a)[3][b] organizational requirements;
    MA-2(a)[4] reviews records of maintenance and repairs on information system components in accordance with:
      MA-2(a)[4][a] manufacturer or vendor specifications; and/or
      MA-2(a)[4][b] organizational requirements;
  MA-2(b)
    MA-2(b)[1] approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
    MA-2(b)[2] monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
  MA-2(c)
    MA-2(c)[1] defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
    MA-2(c)[2] requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
  MA-2(d) sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
  MA-2(e) checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;
  MA-2(f)
    MA-2(f)[1] defines maintenance-related information to be included in organizational maintenance records; and
    MA-2(f)[2] includes organization-defined maintenance-related information in organizational maintenance records.
EXAMINE: Information system maintenance policy; procedures addressing controlled information system maintenance; maintenance records; manufacturer/vendor maintenance specifications; equipment sanitization records; media sanitization records; other relevant documents or records
TEST: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system; organizational processes for sanitizing information system components; automated mechanisms supporting and/or implementing controlled maintenance; automated mechanisms implementing sanitization of information system components
INTERVIEW: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization; system/network administrators

FAMILY: MAINTENANCE
NAME: MA-2(1)
TITLE: RECORD CONTENT
DECISION: [Withdrawn: Incorporated into MA-2].
FAMILY: MAINTENANCE
NAME: MA-2(2)
TITLE: AUTOMATED MAINTENANCE ACTIVITIES
DECISION: Determine if the organization:
  MA-2(2)(a) employs automated mechanisms to:
    MA-2(2)(a)[1] schedule maintenance and repairs;
    MA-2(2)(a)[2] conduct maintenance and repairs;
    MA-2(2)(a)[3] document maintenance and repairs;
  MA-2(2)(b) produces up-to-date, accurate, and complete records of all maintenance and repair actions:
    MA-2(2)(b)[1] requested;
    MA-2(2)(b)[2] scheduled;
    MA-2(2)(b)[3] in process; and
    MA-2(2)(b)[4] completed.
EXAMINE: Information system maintenance policy; procedures addressing controlled information system maintenance; automated mechanisms supporting information system maintenance activities; information system configuration settings and associated documentation; maintenance records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing controlled maintenance; automated mechanisms supporting and/or implementing production of records of maintenance and repair actions
INTERVIEW: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators

FAMILY: MAINTENANCE
NAME: MA-3
TITLE: MAINTENANCE TOOLS
DECISION: Determine if the organization:
  MA-3[1] approves information system maintenance tools;
  MA-3[2] controls information system maintenance tools; and
  MA-3[3] monitors information system maintenance tools.
EXAMINE: Information system maintenance policy; procedures addressing information system maintenance tools; information system maintenance tools and associated documentation; maintenance records; other relevant documents or records
TEST: Organizational processes for approving, controlling, and monitoring maintenance tools; automated mechanisms supporting and/or implementing approval, control, and/or monitoring of maintenance tools
INTERVIEW: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities
FAMILY: MAINTENANCE
NAME: MA-3(1)
TITLE: INSPECT TOOLS
DECISION: Determine if the organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
EXAMINE: Information system maintenance policy; procedures addressing information system maintenance tools; information system maintenance tools and associated documentation; maintenance tool inspection records; maintenance records; other relevant documents or records
TEST: Organizational processes for inspecting maintenance tools; automated mechanisms supporting and/or implementing inspection of maintenance tools
INTERVIEW: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities

FAMILY: MAINTENANCE
NAME: MA-3(2)
TITLE: INSPECT MEDIA
DECISION: Determine if the organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
EXAMINE: Information system maintenance policy; procedures addressing information system maintenance tools; information system maintenance tools and associated documentation; maintenance records; other relevant documents or records
TEST: Organizational process for inspecting media for malicious code; automated mechanisms supporting and/or implementing inspection of media used for maintenance
INTERVIEW: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities

FAMILY: MAINTENANCE
NAME: MA-3(3)
TITLE: PREVENT UNAUTHORIZED REMOVAL
DECISION: Determine if the organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
  MA-3(3)(a) verifying that there is no organizational information contained on the equipment;
  MA-3(3)(b) sanitizing or destroying the equipment;
  MA-3(3)(c) retaining the equipment within the facility; or
  MA-3(3)(d)
    MA-3(3)(d)[1] defining personnel or roles that can grant an exemption from explicitly authorizing removal of the equipment from the facility; and
    MA-3(3)(d)[2] obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.
EXAMINE: Information system maintenance policy; procedures addressing information system maintenance tools; information system maintenance tools and associated documentation; maintenance records; equipment sanitization records; media sanitization records; exemptions for equipment removal; other relevant documents or records
TEST: Organizational process for preventing unauthorized removal of information; automated mechanisms supporting media sanitization or destruction of equipment; automated mechanisms supporting verification of media sanitization
INTERVIEW: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization

FAMILY: MAINTENANCE
NAME: MA-3(4)
TITLE: RESTRICTED TOOL USE
DECISION: Determine if the organization restricts the use of maintenance tools to authorized personnel only.
EXAMINE: Information system maintenance policy; procedures addressing information system maintenance tools; information system maintenance tools and associated documentation; list of personnel authorized to use maintenance tools; maintenance tool usage records; maintenance records; other relevant documents or records
TEST: Organizational process for restricting use of maintenance tools; automated mechanisms supporting and/or implementing restricted use of maintenance tools
INTERVIEW: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities

FAMILY: MAINTENANCE
NAME: MA-4
TITLE: NONLOCAL MAINTENANCE
DECISION: Determine if the organization:
  MA-4(a)
    MA-4(a)[1] approves nonlocal maintenance and diagnostic activities;
    MA-4(a)[2] monitors nonlocal maintenance and diagnostic activities;
  MA-4(b) allows the use of nonlocal maintenance and diagnostic tools only:
    MA-4(b)[1] as consistent with organizational policy;
    MA-4(b)[2] as documented in the security plan for the information system;
  MA-4(c) employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
  MA-4(d) maintains records for nonlocal maintenance and diagnostic activities;
  MA-4(e)
    MA-4(e)[1] terminates sessions when nonlocal maintenance or diagnostics is completed; and
    MA-4(e)[2] terminates network connections when nonlocal maintenance or diagnostics is completed.
EXAMINE: Information system maintenance policy; procedures addressing nonlocal information system maintenance; security plan; information system design documentation; information system configuration settings and associated documentation; maintenance records; diagnostic records; other relevant documents or records
TEST: Organizational processes for managing nonlocal maintenance; automated mechanisms implementing, supporting, and/or managing nonlocal maintenance; automated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions; automated mechanisms for terminating nonlocal maintenance sessions and network connections
INTERVIEW: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators

FAMILY: MAINTENANCE
NAME: MA-4(1)
TITLE: AUDITING AND REVIEW
DECISION: Determine if the organization:
  MA-4(1)(a)
    MA-4(1)(a)[1] defines audit events to audit nonlocal maintenance and diagnostic sessions;
    MA-4(1)(a)[2] audits organization-defined audit events for nonlocal maintenance and diagnostic sessions; and
  MA-4(1)(b) reviews records of the maintenance and diagnostic sessions.
EXAMINE: Information system maintenance policy; procedures addressing nonlocal information system maintenance; list of audit events; information system configuration settings and associated documentation; maintenance records; diagnostic records; audit records; reviews of maintenance and diagnostic session records; other relevant documents or records
TEST: Organizational processes for audit and review of nonlocal maintenance; automated mechanisms supporting and/or implementing audit and review of nonlocal maintenance
INTERVIEW: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities; organizational personnel with audit and review responsibilities; system/network administrators
FAMILY: MAINTENANCE
NAME: MA-4(2)
TITLE: DOCUMENT NONLOCAL MAINTENANCE
DECISION: Determine if the organization documents in the security plan for the information system:
  MA-4(2)[1] the policies for the establishment and use of nonlocal maintenance and diagnostic connections; and
  MA-4(2)[2] the procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
EXAMINE: Information system maintenance policy; procedures addressing nonlocal information system maintenance; security plan; maintenance records; diagnostic records; audit records; other relevant documents or records
INTERVIEW: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities

FAMILY: MAINTENANCE
NAME: MA-4(3)
TITLE: COMPARABLE SECURITY / SANITIZATION
DECISION: Determine if the organization:
  MA-4(3)(a) requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
  MA-4(3)(b)
    MA-4(3)(b)[1] removes the component to be serviced from the information system;
    MA-4(3)(b)[2] sanitizes the component (with regard to organizational information) prior to nonlocal maintenance or diagnostic services and/or before removal from organizational facilities; and
    MA-4(3)(b)[3] inspects and sanitizes the component (with regard to potentially malicious software) after service is performed on the component and before reconnecting the component to the information system.
EXAMINE: Information system maintenance policy; procedures addressing nonlocal information system maintenance; service provider contracts and/or service-level agreements; maintenance records; inspection records; audit records; equipment sanitization records; media sanitization records; other relevant documents or records
TEST: Organizational processes for comparable security and sanitization for nonlocal maintenance; organizational processes for removal, sanitization, and inspection of components serviced via nonlocal maintenance; automated mechanisms supporting and/or implementing component sanitization and inspection
INTERVIEW: Organizational personnel with information system maintenance responsibilities; information system maintenance provider; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization; system/network administrators

FAMILY: MAINTENANCE
NAME: MA-4(4)
TITLE: AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS
DECISION: Determine if the organization protects nonlocal maintenance sessions by:
  MA-4(4)(a)
    MA-4(4)(a)[1] defining replay resistant authenticators to be employed to protect nonlocal maintenance sessions;
    MA-4(4)(a)[2] employing organization-defined authenticators that are replay resistant;
  MA-4(4)(b) separating the maintenance sessions from other network sessions with the information system by either:
    MA-4(4)(b)(1) physically separated communications paths; or
    MA-4(4)(b)(2) logically separated communications paths based upon encryption.
EXAMINE: Information system maintenance policy; procedures addressing nonlocal information system maintenance; information system design documentation; information system configuration settings and associated documentation; maintenance records; audit records; other relevant documents or records
TEST: Organizational processes for protecting nonlocal maintenance sessions; automated mechanisms implementing replay resistant authenticators; automated mechanisms implementing logically separated/encrypted communications paths
INTERVIEW: Organizational personnel with information system maintenance responsibilities; network engineers; organizational personnel with information security responsibilities; system/network administrators
MAINTENANCE MA-4(5) APPROVALS AND NOTIFICATIONS "Determine if the organization: " Information system maintenance policy;procedures addressing non-local information system maintenance;security plan;notifications supporting nonlocal maintenance sessions;maintenance records;audit records;other relevant documents or records Organizational processes for approving and notifying personnel regarding nonlocal maintenance;automated mechanisms supporting notification and approval of nonlocal maintenance Organizational personnel with information system maintenance responsibilities;organizational personnel with notification responsibilities;organizational personnel with approval responsibilities;organizational personnel with information security responsibilities MA-4(5)(a) MA-4(5)(a)[1] "defines personnel or roles required to approve each nonlocal maintenance session;" MA-4(5)(a)[2] "requires the approval of each nonlocal maintenance session by organization-defined personnel or roles;" MA-4(5)(b) MA-4(5)(b)[1] "defines personnel or roles to be notified of the date and time of planned nonlocal maintenance; and" MA-4(5)(b)[2] "notifies organization-defined personnel roles of the date and time of planned nonlocal maintenance." MAINTENANCE MA-4(6) CRYPTOGRAPHIC PROTECTION "Determine if the information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. 
" Information system maintenance policy;procedures addressing non-local information system maintenance;information system design documentation;information system configuration settings and associated documentation;cryptographic mechanisms protecting nonlocal maintenance activities;maintenance records;diagnostic records;audit records;other relevant documents or records Cryptographic mechanisms protecting nonlocal maintenance and diagnostic communications Organizational personnel with information system maintenance responsibilities;network engineers;organizational personnel with information security responsibilities;system/network administrators MAINTENANCE MA-4(7) REMOTE DISCONNECT VERIFICATION "Determine if the information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions. " Information system maintenance policy;procedures addressing non-local information system maintenance;information system design documentation;information system configuration settings and associated documentation;cryptographic mechanisms protecting nonlocal maintenance activities;maintenance records;diagnostic records;audit records;other relevant documents or records Automated mechanisms implementing remote disconnect verifications of terminated nonlocal maintenance and diagnostic sessions Organizational personnel with information system maintenance responsibilities;network engineers;organizational personnel with information security responsibilities;system/network administrators MAINTENANCE MA-5 MAINTENANCE PERSONNEL "Determine if the organization: " Information system maintenance policy;procedures addressing maintenance personnel;service provider contracts;service-level agreements;list of authorized personnel;maintenance records;access control records;other relevant documents or records Organizational processes for authorizing and managing maintenance personnel;automated mechanisms supporting and/or implementing authorization of 
maintenance personnel Organizational personnel with information system maintenance responsibilities;organizational personnel with information security responsibilities MA-5(a) MA-5(a)[1] "establishes a process for maintenance personnel authorization;" MA-5(a)[2] "maintains a list of authorized maintenance organizations or personnel;" MA-5(b) "ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and" MA-5(c) "designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations." MAINTENANCE MA-5(1) INDIVIDUALS WITHOUT APPROPRIATE ACCESS "Determine if the organization: " Information system maintenance policy;procedures addressing maintenance personnel;information system media protection policy;physical and environmental protection policy;security plan;list of maintenance personnel requiring escort/supervision;maintenance records;access control records;other relevant documents or records Organizational processes for managing maintenance personnel without appropriate access;automated mechanisms supporting and/or implementing alternative security safeguards;automated mechanisms supporting and/or implementing information storage component sanitization Organizational personnel with information system maintenance responsibilities;organizational personnel with personnel security responsibilities;organizational personnel with physical access control responsibilities;organizational personnel with information security responsibilities;organizational personnel responsible for media sanitization;system/network administrators MA-5(1)(a) "implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. 
citizens, that include the following requirements:" MA-5(1)(a)(1) "maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who:" MA-5(1)(a)(1)[1] "are fully cleared;" MA-5(1)(a)(1)[2] "have appropriate access authorizations;" MA-5(1)(a)(1)[3] "are technically qualified;" MA-5(1)(a)(2) "prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals:" MA-5(1)(a)(2)[1] "all volatile information storage components within the information system are sanitized; and" MA-5(1)(a)(2)[2] "all nonvolatile storage media are removed; or" MA-5(1)(a)(2)[3] "all nonvolatile storage media are physically disconnected from the system and secured; and" MA-5(1)(b) "develops and implements alternative security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system." 
MAINTENANCE MA-5(2) SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS "Determine if the organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess: " Information system maintenance policy;procedures addressing maintenance personnel;personnel records;maintenance records;access control records;access credentials;access authorizations;other relevant documents or records Organizational processes for managing security clearances for maintenance personnel Organizational personnel with information system maintenance responsibilities;organizational personnel with personnel security responsibilities;organizational personnel with physical access control responsibilities;organizational personnel with information security responsibilities MA-5(2)[1] "security clearances for at least the highest classification level on the system;" MA-5(2)[2] "security clearances for all compartments of information on the system;" MA-5(2)[3] "formal access approvals for at least the highest classification level on the system; and" MA-5(2)[4] "formal access approvals for all compartments of information on the system." MAINTENANCE MA-5(3) CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS "Determine if the organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens. 
" Information system maintenance policy;procedures addressing maintenance personnel;personnel records;maintenance records;access control records;access credentials;access authorizations;other relevant documents or records Organizational personnel with information system maintenance responsibilities;organizational personnel with personnel security responsibilities;organizational personnel with information security responsibilities MAINTENANCE MA-5(4) FOREIGN NATIONALS "Determine if the organization ensures that: " Information system maintenance policy;procedures addressing maintenance personnel;information system media protection policy;access control policy and procedures;physical and environmental protection policy and procedures;memorandum of agreement;maintenance records;access control records;access credentials;access authorizations;other relevant documents or records Organizational processes for managing foreign national maintenance personnel Organizational personnel with information system maintenance responsibilities, organizational personnel with personnel security responsibilities;organizational personnel managing memoranda of agreements;organizational personnel with information security responsibilities MA-5(4)(a) "cleared foreign nationals (i.e., foreign nationals with appropriate security clearances) are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are:" MA-5(4)(a)[1] "jointly owned and operated by the United States and foreign allied governments; or" MA-5(4)(a)[2] "owned and operated solely by foreign allied governments; and" MA-5(4)(b) "approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements." 
MAINTENANCE MA-5(5) NONSYSTEM-RELATED MAINTENANCE "Determine if the organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations." Information system maintenance policy;procedures addressing maintenance personnel;information system media protection policy;access control policy and procedures;physical and environmental protection policy and procedures;maintenance records;access control records;access authorizations;other relevant documents or records Organizational personnel with information system maintenance responsibilities;organizational personnel with personnel security responsibilities;organizational personnel with physical access control responsibilities;organizational personnel with information security responsibilities MAINTENANCE MA-6 TIMELY MAINTENANCE "Determine if the organization: " Information system maintenance policy;procedures addressing information system maintenance;service provider contracts;service-level agreements;inventory and availability of spare parts;security plan;other relevant documents or records Organizational processes for ensuring timely maintenance Organizational personnel with information system maintenance responsibilities;organizational personnel with acquisition responsibilities;organizational personnel with information security responsibilities;system/network administrators MA-6[1] "defines information system components for which maintenance support and/or spare parts are to be obtained;" MA-6[2] "defines the time period within which maintenance support and/or spare parts are to be obtained after a failure;" MA-6[3] MA-6[3][a] "obtains maintenance support for organization-defined information system components within the organization-defined time period of failure; and/or" MA-6[3][b] "obtains spare parts for organization-defined information system components within the 
organization-defined time period of failure." MAINTENANCE MA-6(1) PREVENTIVE MAINTENANCE "Determine if the organization: " Information system maintenance policy;procedures addressing information system maintenance;service provider contracts;service-level agreements;security plan;maintenance records;list of system components requiring preventive maintenance;other relevant documents or records Organizational processes for preventive maintenance;automated mechanisms supporting and/or implementing preventive maintenance Organizational personnel with information system maintenance responsibilities;organizational personnel with information security responsibilities;system/network administrators MA-6(1)[1] "defines information system components on which preventive maintenance is to be performed;" MA-6(1)[2] "defines time intervals within which preventive maintenance is to be performed on organization-defined information system components; and" MA-6(1)[3] "performs preventive maintenance on organization-defined information system components at organization-defined time intervals." 
MAINTENANCE MA-6(2) PREDICTIVE MAINTENANCE "Determine if the organization: " Information system maintenance policy;procedures addressing information system maintenance;service provider contracts;service-level agreements;security plan;maintenance records;list of system components requiring predictive maintenance;other relevant documents or records Organizational processes for predictive maintenance;automated mechanisms supporting and/or implementing predictive maintenance Organizational personnel with information system maintenance responsibilities;organizational personnel with information security responsibilities;system/network administrators MA-6(2)[1] "defines information system components on which predictive maintenance is to be performed;" MA-6(2)[2] "defines time intervals within which predictive maintenance is to be performed on organization-defined information system components; and" MA-6(2)[3] "performs predictive maintenance on organization-defined information system components at organization-defined time intervals." MAINTENANCE MA-6(3) AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE "Determine if the organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system." 
Information system maintenance policy;procedures addressing information system maintenance;service provider contracts;service-level agreements;security plan;maintenance records;list of system components requiring predictive maintenance;other relevant documents or records Automated mechanisms implementing the transfer of predictive maintenance data to a computerized maintenance management system;operations of the computer maintenance management system Organizational personnel with information system maintenance responsibilities;organizational personnel with information security responsibilities;system/network administrators MEDIA PROTECTION MP-1 MEDIA PROTECTION POLICY AND PROCEDURES "Determine if the organization:" Media protection policy and procedures;other relevant documents or records Organizational personnel with media protection responsibilities;organizational personnel with information security responsibilities MP-1(a)(1) MP-1(a)(1)[1] "develops and documents a media protection policy that addresses:" MP-1(a)(1)[1][a] "purpose;" MP-1(a)(1)[1][b] "scope;" MP-1(a)(1)[1][c] "roles;" MP-1(a)(1)[1][d] "responsibilities;" MP-1(a)(1)[1][e] "management commitment;" MP-1(a)(1)[1][f] "coordination among organizational entities;" MP-1(a)(1)[1][g] "compliance;" MP-1(a)(1)[2] "defines personnel or roles to whom the media protection policy is to be disseminated;" MP-1(a)(1)[3] "disseminates the media protection policy to organization-defined personnel or roles;" MP-1(a)(2) MP-1(a)(2)[1] "develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;" MP-1(a)(2)[2] "defines personnel or roles to whom the procedures are to be disseminated;" MP-1(a)(2)[3] "disseminates the procedures to organization-defined personnel or roles;" MP-1(b)(1) MP-1(b)(1)[1] "defines the frequency to review and update the current media protection policy;" MP-1(b)(1)[2] "reviews and updates the current media protection 
policy with the organization-defined frequency;" MP-1(b)(2) MP-1(b)(2)[1] "defines the frequency to review and update the current media protection procedures; and" MP-1(b)(2)[2] "reviews and updates the current media protection procedures with the organization-defined frequency." MEDIA PROTECTION MP-2 MEDIA ACCESS "Determine if the organization: " Information system media protection policy;procedures addressing media access restrictions;access control policy and procedures;physical and environmental protection policy and procedures;media storage facilities;access control records;other relevant documents or records Organizational processes for restricting information media;automated mechanisms supporting and/or implementing media access restrictions Organizational personnel with information system media protection responsibilities;organizational personnel with information security responsibilities;system/network administrators MP-2[1] "defines types of digital and/or non-digital media requiring restricted access;" MP-2[2] "defines personnel or roles authorized to access organization-defined types of digital and/or non-digital media; and" MP-2[3] "restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles." MEDIA PROTECTION MP-2(1) AUTOMATED RESTRICTED ACCESS "[Withdrawn: Incorporated into MP-4(2)]." MEDIA PROTECTION MP-2(2) CRYPTOGRAPHIC PROTECTION "[Withdrawn: Incorporated into SC-28(1)]." 
MEDIA PROTECTION MP-3 MEDIA MARKING "Determine if the organization: " Information system media protection policy;procedures addressing media marking;physical and environmental protection policy and procedures;security plan;list of information system media marking security attributes;designated controlled areas;other relevant documents or records Organizational processes for marking information media;automated mechanisms supporting and/or implementing media marking Organizational personnel with information system media protection and marking responsibilities;organizational personnel with information security responsibilities MP-3(a) "marks information system media indicating the:" MP-3(a)[1] "distribution limitations of the information;" MP-3(a)[2] "handling caveats of the information;" MP-3(a)[3] "applicable security markings (if any) of the information;" MP-3(b) MP-3(b)[1] "defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;" MP-3(b)[2] "defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and" MP-3(b)[3] "exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas." 
MEDIA PROTECTION MP-4 MEDIA STORAGE "Determine if the organization: " Information system media protection policy;procedures addressing media storage;physical and environmental protection policy and procedures;access control policy and procedures;security plan;information system media;designated controlled areas;other relevant documents or records Organizational processes for storing information media;automated mechanisms supporting and/or implementing secure media storage/media protection Organizational personnel with information system media protection and storage responsibilities;organizational personnel with information security responsibilities MP-4(a) MP-4(a)[1] "defines types of digital and/or non-digital media to be physically controlled and securely stored within designated controlled areas;" MP-4(a)[2] "defines controlled areas designated to physically control and securely store organization-defined types of digital and/or non-digital media;" MP-4(a)[3] "physically controls organization-defined types of digital and/or non-digital media within organization-defined controlled areas;" MP-4(a)[4] "securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas; and" MP-4(b) "protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures." MEDIA PROTECTION MP-4(1) CRYPTOGRAPHIC PROTECTION "[Withdrawn: Incorporated into SC-28(1)]." 
MEDIA PROTECTION MP-4(2) AUTOMATED RESTRICTED ACCESS "Determine if the organization employs automated mechanisms to: " Information system media protection policy;procedures addressing media storage;access control policy and procedures;physical and environmental protection policy and procedures;information system design documentation;information system configuration settings and associated documentation;media storage facilities;access control devices;access control records;audit records;other relevant documents or records Automated mechanisms restricting access to media storage areas;automated mechanisms auditing access attempts and access granted to media storage areas Organizational personnel with information system media protection and storage responsibilities;organizational personnel with information security responsibilities;system/network administrators MP-4(2)[1] "restrict access to media storage areas;" MP-4(2)[2] "audit access attempts; and" MP-4(2)[3] "audit access granted." MEDIA PROTECTION MP-5 MEDIA TRANSPORT "Determine if the organization: " Information system media protection policy;procedures addressing media storage;physical and environmental protection policy and procedures;access control policy and procedures;security plan;information system media;designated controlled areas;other relevant documents or records Organizational processes for storing information media;automated mechanisms supporting and/or implementing media storage/media protection Organizational personnel with information system media protection and storage responsibilities;organizational personnel with information security responsibilities;system/network administrators MP-5(a) MP-5(a)[1] "defines types of information system media to be protected and controlled during transport outside of controlled areas;" MP-5(a)[2] "defines security safeguards to protect and control organization-defined information system media during transport outside of controlled areas;" MP-5(a)[3] "protects 
and controls organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards;" MP-5(b) "maintains accountability for information system media during transport outside of controlled areas;" MP-5(c) "documents activities associated with the transport of information system media; and" MP-5(d) "restricts the activities associated with transport of information system media to authorized personnel." MEDIA PROTECTION MP-5(1) PROTECTION OUTSIDE OF CONTROLLED AREAS "[Withdrawn: Incorporated into MP-5]." MEDIA PROTECTION MP-5(2) DOCUMENTATION OF ACTIVITIES "[Withdrawn: Incorporated into MP-5]." MEDIA PROTECTION MP-5(3) CUSTODIANS "Determine if the organization employs an identified custodian during transport of information system media outside of controlled areas. " Information system media protection policy;procedures addressing media transport;physical and environmental protection policy and procedures;information system media transport records;audit records;other relevant documents or records Organizational personnel with information system media transport responsibilities;organizational personnel with information security responsibilities MEDIA PROTECTION MP-5(4) CRYPTOGRAPHIC PROTECTION "Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. 
" Information system media protection policy;procedures addressing media transport;information system design documentation;information system configuration settings and associated documentation;information system media transport records;audit records;other relevant documents or records Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas Organizational personnel with information system media transport responsibilities;organizational personnel with information security responsibilities MEDIA PROTECTION MP-6 MEDIA SANITIZATION "Determine if the organization: " Information system media protection policy;procedures addressing media sanitization and disposal;applicable federal standards and policies addressing media sanitization;media sanitization records;audit records;information system design documentation;information system configuration settings and associated documentation;other relevant documents or records Organizational processes for media sanitization;automated mechanisms supporting and/or implementing media sanitization Organizational personnel with media sanitization responsibilities;organizational personnel with information security responsibilities;system/network administrators MP-6(a) MP-6(a)[1] "defines information system media to be sanitized prior to:" MP-6(a)[1][a] "disposal;" MP-6(a)[1][b] "release out of organizational control; or" MP-6(a)[1][c] "release for reuse;" MP-6(a)[2] "defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:" MP-6(a)[2][a] "disposal;" MP-6(a)[2][b] "release out of organizational control; or" MP-6(a)[2][c] "release for reuse;" MP-6(a)[3] "sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational 
standards and policies; and" MP-6(b) "employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information." MEDIA PROTECTION MP-6(1) REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY "Determine if the organization: " Information system media protection policy;procedures addressing media sanitization and disposal;media sanitization and disposal records;review records for media sanitization and disposal actions;approvals for media sanitization and disposal actions;tracking records;verification records;audit records;other relevant documents or records Organizational processes for media sanitization;automated mechanisms supporting and/or implementing media sanitization Organizational personnel with information system media sanitization and disposal responsibilities;organizational personnel with information security responsibilities;system/network administrators MP-6(1)[1] "reviews media sanitization and disposal actions;" MP-6(1)[2] "approves media sanitization and disposal actions;" MP-6(1)[3] "tracks media sanitization and disposal actions;" MP-6(1)[4] "documents media sanitization and disposal actions; and" MP-6(1)[5] "verifies media sanitization and disposal actions." 
MEDIA PROTECTION MP-6(2) EQUIPMENT TESTING "Determine if the organization: " Information system media protection policy;procedures addressing media sanitization and disposal;procedures addressing testing of media sanitization equipment;results of media sanitization equipment and procedures testing;audit records;other relevant documents or records Organizational processes for media sanitization;automated mechanisms supporting and/or implementing media sanitization Organizational personnel with information system media sanitization responsibilities;organizational personnel with information security responsibilities MP-6(2)[1] "defines the frequency for testing sanitization equipment and procedures to verify that the intended sanitization is being achieved; and" MP-6(2)[2] "tests sanitization equipment and procedures with the organization-defined frequency to verify that the intended sanitization is being achieved." MEDIA PROTECTION MP-6(3) NONDESTRUCTIVE TECHNIQUES "Determine if the organization: " Information system media protection policy;procedures addressing media sanitization and disposal;list of circumstances requiring sanitization of portable storage devices;media sanitization records;audit records;other relevant documents or records Organizational processes for media sanitization of portable storage devices;automated mechanisms supporting and/or implementing media sanitization Organizational personnel with information system media sanitization responsibilities;organizational personnel with information security responsibilities MP-6(3)[1] "defines circumstances requiring sanitization of portable storage devices; and" MP-6(3)[2] "applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under organization-defined circumstances requiring sanitization of portable storage devices." MEDIA PROTECTION MP-6(4) CONTROLLED UNCLASSIFIED INFORMATION "[Withdrawn: Incorporated into MP-6]." 
MEDIA PROTECTION MP-6(5) CLASSIFIED INFORMATION "[Withdrawn: Incorporated into MP-6]." MEDIA PROTECTION MP-6(6) MEDIA DESTRUCTION "[Withdrawn: Incorporated into MP-6]." MEDIA PROTECTION MP-6(7) DUAL AUTHORIZATION "Determine if the organization: " Information system media protection policy;procedures addressing media sanitization and disposal;list of information system media requiring dual authorization for sanitization;authorization records;media sanitization records;audit records;other relevant documents or records Organizational processes requiring dual authorization for media sanitization;automated mechanisms supporting and/or implementing media sanitization;automated mechanisms supporting and/or implementing dual authorization Organizational personnel with information system media sanitization responsibilities;organizational personnel with information security responsibilities;system/network administrators MP-6(7)[1] "defines information system media requiring dual authorization to be enforced for sanitization of such media; and" MP-6(7)[2] "enforces dual authorization for the sanitization of organization-defined information system media." 
MEDIA PROTECTION | MP-6(8) | REMOTE PURGING / WIPING OF INFORMATION
DECISION: Determine if the organization:
EXAMINE: Information system media protection policy; procedures addressing media sanitization and disposal; information system design documentation; information system configuration settings and associated documentation; media sanitization records; audit records; other relevant documents or records
TEST: Organizational processes for purging/wiping media; automated mechanisms supporting and/or implementing purge/wipe capabilities
INTERVIEW: Organizational personnel with information system media sanitization responsibilities; organizational personnel with information security responsibilities; system/network administrators
MP-6(8)[1] defines information systems, system components, or devices to purge/wipe either remotely or under specific organizational conditions;
MP-6(8)[2] defines conditions under which information is to be purged/wiped from organization-defined information systems, system components, or devices; and
MP-6(8)[3] provides the capability to purge/wipe information from organization-defined information systems, system components, or devices either:
  MP-6(8)[3][a] remotely; or
  MP-6(8)[3][b] under organization-defined conditions.
MEDIA PROTECTION | MP-7 | MEDIA USE
DECISION: Determine if the organization:
EXAMINE: Information system media protection policy; system use policy; procedures addressing media usage restrictions; security plan; rules of behavior; information system design documentation; information system configuration settings and associated documentation; audit records; other relevant documents or records
TEST: Organizational processes for media use; automated mechanisms restricting or prohibiting use of information system media on information systems or system components
INTERVIEW: Organizational personnel with information system media use responsibilities; organizational personnel with information security responsibilities; system/network administrators
MP-7[1] defines types of information system media to be:
  MP-7[1][a] restricted on information systems or system components; or
  MP-7[1][b] prohibited from use on information systems or system components;
MP-7[2] defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:
  MP-7[2][a] restricted; or
  MP-7[2][b] prohibited;
MP-7[3] defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and
MP-7[4] restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards.

MEDIA PROTECTION | MP-7(1) | PROHIBIT USE WITHOUT OWNER
DECISION: Determine if the organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
EXAMINE: Information system media protection policy; system use policy; procedures addressing media usage restrictions; security plan; rules of behavior; information system design documentation; information system configuration settings and associated documentation; audit records; other relevant documents or records
TEST: Organizational processes for media use; automated mechanisms prohibiting use of media on information systems or system components
INTERVIEW: Organizational personnel with information system media use responsibilities; organizational personnel with information security responsibilities; system/network administrators

MEDIA PROTECTION | MP-7(2) | PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA
DECISION: Determine if the organization prohibits the use of sanitization-resistant media in organizational information systems.
EXAMINE: Information system media protection policy; system use policy; procedures addressing media usage restrictions; rules of behavior; audit records; other relevant documents or records
TEST: Organizational processes for media use; automated mechanisms prohibiting use of media on information systems or system components
INTERVIEW: Organizational personnel with information system media use responsibilities; organizational personnel with information security responsibilities; system/network administrators

MEDIA PROTECTION | MP-8 | MEDIA DOWNGRADING
DECISION: Determine if the organization:
EXAMINE: Information system media protection policy; procedures addressing media downgrading; system categorization documentation; list of media requiring downgrading; records of media downgrading; audit records; other relevant documents or records
TEST: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading
INTERVIEW: Organizational personnel with information system media downgrading responsibilities; organizational personnel with information security responsibilities; system/network administrators
MP-8(a)
  MP-8(a)[1] defines the information system media downgrading process;
  MP-8(a)[2] defines the strength and integrity with which media downgrading mechanisms are to be employed;
  MP-8(a)[3] establishes an organization-defined information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity;
MP-8(b) ensures that the information system media downgrading process is commensurate with the:
  MP-8(b)[1] security category and/or classification level of the information to be removed;
  MP-8(b)[2] access authorizations of the potential recipients of the downgraded information;
MP-8(c) identifies/defines information system media requiring downgrading; and
MP-8(d) downgrades the identified information system media using the established process.

MEDIA PROTECTION | MP-8(1) | DOCUMENTATION OF PROCESS
DECISION: Determine if the organization documents information system media downgrading actions.
EXAMINE: Information system media protection policy; procedures addressing media downgrading; list of media requiring downgrading; records of media downgrading; audit records; other relevant documents or records
TEST: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading
INTERVIEW: Organizational personnel with information system media downgrading responsibilities; organizational personnel with information security responsibilities

MEDIA PROTECTION | MP-8(2) | EQUIPMENT TESTING
DECISION: Determine if the organization:
EXAMINE: Information system media protection policy; procedures addressing media downgrading; procedures addressing testing of media downgrading equipment; results of downgrading equipment and procedures testing; audit records; other relevant documents or records
TEST: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading; automated mechanisms supporting and/or implementing tests for downgrading equipment
INTERVIEW: Organizational personnel with information system media downgrading responsibilities; organizational personnel with information security responsibilities
MP-8(2)[1]
  MP-8(2)[1][a] defines tests to be employed for downgrading equipment;
  MP-8(2)[1][b] defines procedures to verify correct performance;
MP-8(2)[2] defines the frequency for employing tests of downgrading equipment and procedures to verify correct performance; and
MP-8(2)[3] employs organization-defined tests of downgrading equipment and procedures to verify correct performance with the organization-defined frequency.

MEDIA PROTECTION | MP-8(3) | CONTROLLED UNCLASSIFIED INFORMATION
DECISION: Determine if the organization:
EXAMINE: Information system media protection policy; access authorization policy; procedures addressing downgrading of media containing CUI; applicable federal and organizational standards and policies regarding protection of CUI; media downgrading records; other relevant documents or records
TEST: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading
INTERVIEW: Organizational personnel with information system media downgrading responsibilities; organizational personnel with information security responsibilities
MP-8(3)[1] defines Controlled Unclassified Information (CUI) contained on information system media that requires downgrading prior to public release; and
MP-8(3)[2] downgrades information system media containing organization-defined CUI prior to public release in accordance with applicable federal and organizational standards and policies.

MEDIA PROTECTION | MP-8(4) | CLASSIFIED INFORMATION
DECISION: Determine if the organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.
EXAMINE: Information system media protection policy; access authorization policy; procedures addressing downgrading of media containing classified information; procedures addressing handling of classified information; NSA standards and policies regarding protection of classified information; media downgrading records; other relevant documents or records
TEST: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading
INTERVIEW: Organizational personnel with information system media downgrading responsibilities; organizational personnel with information security responsibilities

PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy and procedures; other relevant documents or records
INTERVIEW: Organizational personnel with physical and environmental protection responsibilities; organizational personnel with information security responsibilities
PE-1(a)(1)
  PE-1(a)(1)[1] develops and documents a physical and environmental protection policy that addresses:
    PE-1(a)(1)[1][a] purpose;
    PE-1(a)(1)[1][b] scope;
    PE-1(a)(1)[1][c] roles;
    PE-1(a)(1)[1][d] responsibilities;
    PE-1(a)(1)[1][e] management commitment;
    PE-1(a)(1)[1][f] coordination among organizational entities;
    PE-1(a)(1)[1][g] compliance;
  PE-1(a)(1)[2] defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;
  PE-1(a)(1)[3] disseminates the physical and environmental protection policy to organization-defined personnel or roles;
PE-1(a)(2)
  PE-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;
  PE-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
  PE-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
PE-1(b)(1)
  PE-1(b)(1)[1] defines the frequency to review and update the current physical and environmental protection policy;
  PE-1(b)(1)[2] reviews and updates the current physical and environmental protection policy with the organization-defined frequency;
PE-1(b)(2)
  PE-1(b)(2)[1] defines the frequency to review and update the current physical and environmental protection procedures; and
  PE-1(b)(2)[2] reviews and updates the current physical and environmental protection procedures with the organization-defined frequency.

PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 | PHYSICAL ACCESS AUTHORIZATIONS
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records
TEST: Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations
INTERVIEW: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities
PE-2(a)
  PE-2(a)[1] develops a list of individuals with authorized access to the facility where the information system resides;
  PE-2(a)[2] approves a list of individuals with authorized access to the facility where the information system resides;
  PE-2(a)[3] maintains a list of individuals with authorized access to the facility where the information system resides;
PE-2(b) issues authorization credentials for facility access;
PE-2(c)
  PE-2(c)[1] defines the frequency to review the access list detailing authorized facility access by individuals;
  PE-2(c)[2] reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and
PE-2(d) removes individuals from the facility access list when access is no longer required.

PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2(1) | ACCESS BY POSITION / ROLE
DECISION: Determine if the organization authorizes physical access to the facility where the information system resides based on position or role.
EXAMINE: Physical and environmental protection policy; procedures addressing physical access authorizations; physical access control logs or records; list of positions/roles and corresponding physical access authorizations; information system entry and exit points; other relevant documents or records
TEST: Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations
INTERVIEW: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities

PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2(2) | TWO FORMS OF IDENTIFICATION
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access authorizations; list of acceptable forms of identification for visitor access to the facility where information system resides; access authorization forms; access credentials; physical access control logs or records; other relevant documents or records
TEST: Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations
INTERVIEW: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities
PE-2(2)[1] defines a list of acceptable forms of identification for visitor access to the facility where the information system resides; and
PE-2(2)[2] requires two forms of identification from the organization-defined list of acceptable forms of identification for visitor access to the facility where the information system resides.

PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2(3) | RESTRICT UNESCORTED ACCESS
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; security clearances; access authorizations; access credentials; physical access control logs or records; other relevant documents or records
TEST: Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations
INTERVIEW: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities
PE-2(3)[1] defines credentials to be employed to restrict unescorted access to the facility where the information system resides to authorized personnel;
PE-2(3)[2] restricts unescorted access to the facility where the information system resides to personnel with one or more of the following:
  PE-2(3)[2][a] security clearances for all information contained within the system;
  PE-2(3)[2][b] formal access authorizations for all information contained within the system;
  PE-2(3)[2][c] need for access to all information contained within the system; and/or
  PE-2(3)[2][d] organization-defined credentials.
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 | PHYSICAL ACCESS CONTROL
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access control; security plan; physical access control logs or records; inventory records of physical access control devices; information system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records
TEST: Organizational processes for physical access control; automated mechanisms supporting and/or implementing physical access control; physical access control devices
INTERVIEW: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities
PE-3(a)
  PE-3(a)[1] defines entry/exit points to the facility where the information system resides;
  PE-3(a)[2] enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:
    PE-3(a)[2](1) verifying individual access authorizations before granting access to the facility;
    PE-3(a)[2](2)
      PE-3(a)[2](2)[a] defining physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides;
      PE-3(a)[2](2)[b] using one or more of the following ways to control ingress/egress to the facility:
        PE-3(a)[2](2)[b][1] organization-defined physical access control systems/devices; and/or
        PE-3(a)[2](2)[b][2] guards;
PE-3(b)
  PE-3(b)[1] defines entry/exit points for which physical access audit logs are to be maintained;
  PE-3(b)[2] maintains physical access audit logs for organization-defined entry/exit points;
PE-3(c)
  PE-3(c)[1] defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;
  PE-3(c)[2] provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;
PE-3(d)
  PE-3(d)[1] defines circumstances requiring visitor:
    PE-3(d)[1][a] escorts;
    PE-3(d)[1][b] monitoring;
  PE-3(d)[2] in accordance with organization-defined circumstances requiring visitor escorts and monitoring:
    PE-3(d)[2][a] escorts visitors;
    PE-3(d)[2][b] monitors visitor activities;
PE-3(e)
  PE-3(e)[1] secures keys;
  PE-3(e)[2] secures combinations;
  PE-3(e)[3] secures other physical access devices;
PE-3(f)
  PE-3(f)[1] defines physical access devices to be inventoried;
  PE-3(f)[2] defines the frequency to inventory organization-defined physical access devices;
  PE-3(f)[3] inventories the organization-defined physical access devices with the organization-defined frequency;
PE-3(g)
  PE-3(g)[1] defines the frequency to change combinations and keys; and
  PE-3(g)[2] changes combinations and keys with the organization-defined frequency and/or when:
    PE-3(g)[2][a] keys are lost;
    PE-3(g)[2][b] combinations are compromised;
    PE-3(g)[2][c] individuals are transferred or terminated.
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3(1) | INFORMATION SYSTEM ACCESS
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; physical access control devices; access authorizations; access credentials; information system entry and exit points; list of areas within the facility containing concentrations of information system components or information system components requiring additional physical protection; other relevant documents or records
TEST: Organizational processes for physical access control to the information system/components; automated mechanisms supporting and/or implementing physical access control for facility areas containing information system components
INTERVIEW: Organizational personnel with physical access authorization responsibilities; organizational personnel with information security responsibilities
PE-3(1)[1] defines physical spaces containing one or more components of the information system; and
PE-3(1)[2] enforces physical access authorizations to the information system in addition to the physical access controls for the facility at organization-defined physical spaces containing one or more components of the information system.
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3(2) | FACILITY/INFORMATION SYSTEM BOUNDARIES
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; records of security checks; security audit reports; security inspection reports; facility layout documentation; information system entry and exit points; other relevant documents or records
TEST: Organizational processes for physical access control to the facility and/or information system; automated mechanisms supporting and/or implementing physical access control for the facility or information system; automated mechanisms supporting and/or implementing security checks for unauthorized exfiltration of information
INTERVIEW: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities
PE-3(2)[1] defines the frequency to perform security checks at the physical boundary of the facility or information system for:
  PE-3(2)[1][a] unauthorized exfiltration of information; or
  PE-3(2)[1][b] removal of information system components; and
PE-3(2)[2] performs security checks with the organization-defined frequency at the physical boundary of the facility or information system for:
  PE-3(2)[2][a] unauthorized exfiltration of information; or
  PE-3(2)[2][b] removal of information system components.
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3(3) | CONTINUOUS GUARDS / ALARMS / MONITORING
DECISION: Determine if the organization employs one or more of the following to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; physical access control devices; facility surveillance records; facility layout documentation; information system entry and exit points; other relevant documents or records
TEST: Organizational processes for physical access control to the facility where the information system resides; automated mechanisms supporting and/or implementing physical access control for the facility where the information system resides
INTERVIEW: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities
PE-3(3)[1] guards; and/or
PE-3(3)[2] alarms.

PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3(4) | LOCKABLE CASINGS
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access control; security plan; list of information system components requiring protection through lockable physical casings; lockable physical casings; other relevant documents or records
TEST: Lockable physical casings
INTERVIEW: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities
PE-3(4)[1] defines information system components to be protected from unauthorized physical access using lockable physical casings; and
PE-3(4)[2] uses lockable physical casings to protect organization-defined information system components from unauthorized physical access.
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3(5) | TAMPER PROTECTION
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access control; list of security safeguards to detect/prevent physical tampering or alteration of information system hardware components; other relevant documents or records
TEST: Organizational processes to detect/prevent physical tampering or alteration of information system hardware components; automated mechanisms/security safeguards supporting and/or implementing detection/prevention of physical tampering/alteration of information system hardware components
INTERVIEW: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities
PE-3(5)[1] defines security safeguards to be employed to detect and/or prevent physical tampering or alteration of organization-defined hardware components within the information system;
PE-3(5)[2] defines hardware components within the information system for which security safeguards are to be employed to detect and/or prevent physical tampering or alteration of such components;
PE-3(5)[3] employs organization-defined security safeguards to do one or more of the following:
  PE-3(5)[3][a] detect physical tampering or alteration of organization-defined hardware components within the information system; and/or
  PE-3(5)[3][b] prevent physical tampering or alteration of organization-defined hardware components within the information system.
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3(6) | FACILITY PENETRATION TESTING
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access control; procedures addressing penetration testing; rules of engagement and associated documentation; penetration test results; security plan; other relevant documents or records
TEST: Organizational processes for facility penetration testing; automated mechanisms supporting and/or implementing facility penetration testing
INTERVIEW: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities
PE-3(6)[1] defines the frequency of unannounced attempts to be included in a penetration testing process to bypass or circumvent security controls associated with physical access points to the facility; and
PE-3(6)[2] employs a penetration testing process with the organization-defined frequency that includes unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-4 | ACCESS CONTROL FOR TRANSMISSION MEDIUM
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing access control for transmission medium; information system design documentation; facility communications and wiring diagrams; list of physical security safeguards applied to information system distribution and transmission lines; other relevant documents or records
TEST: Organizational processes for access control to distribution and transmission lines; automated mechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines
INTERVIEW: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities
PE-4[1] defines information system distribution and transmission lines requiring physical access controls;
PE-4[2] defines security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities; and
PE-4[3] controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards.

PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 | ACCESS CONTROL FOR OUTPUT DEVICES
DECISION: Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
EXAMINE: Physical and environmental protection policy; procedures addressing access control for display medium; facility layout of information system components; actual displays from information system components; other relevant documents or records
TEST: Organizational processes for access control to output devices; automated mechanisms supporting and/or implementing access control to output devices
INTERVIEW: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities

PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5(1) | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS
DECISION: Determine if the organization:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access control; list of output devices and associated outputs requiring physical access controls; physical access control logs or records for areas containing output devices and related outputs; other relevant documents or records
TEST: Organizational processes for access control to output devices; automated mechanisms supporting and/or implementing access control to output devices
INTERVIEW: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities
PE-5(1)(a)
  PE-5(1)(a)[1] defines output devices whose output requires physical access controls;
  PE-5(1)(a)[2] controls physical access to output from organization-defined output devices; and
PE-5(1)(b) ensures that only authorized individuals receive output from the device.
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5(2) | ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY
DECISION: Determine if:
EXAMINE: Physical and environmental protection policy; procedures addressing physical access control; information system design documentation; information system configuration settings and associated documentation; list of output devices and associated outputs requiring physical access controls; physical access control logs or records for areas containing output devices and related outputs; information system audit records; other relevant documents or records
TEST: Organizational processes for access control to output devices; automated mechanisms supporting and/or implementing access control to output devices
INTERVIEW: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers
PE-5(2)(a)
  PE-5(2)(a)[1] the organization defines output devices whose output requires physical access controls;
  PE-5(2)(a)[2] the information system controls physical access to output from organization-defined output devices; and
PE-5(2)(b) the information system links individual identity to receipt of the output from the device.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-5(3) MARKING OUTPUT DEVICES
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing physical access control; security markings for information types permitted as output from information system output devices; other relevant documents or records
Test: Organizational processes for marking output devices
Interview: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities
PE-5(3)[1] defines information system output devices to be marked with appropriate security marking of the information permitted to be output from such devices; and
PE-5(3)[2] marks organization-defined information system output devices indicating the appropriate security marking of the information permitted to be output from the device.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6 MONITORING PHYSICAL ACCESS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing physical access monitoring; security plan; physical access logs or records; physical access monitoring records; physical access log reviews; other relevant documents or records
Test: Organizational processes for monitoring physical access; automated mechanisms supporting and/or implementing physical access monitoring; automated mechanisms supporting and/or implementing reviewing of physical access logs
Interview: Organizational personnel with physical access monitoring responsibilities; organizational personnel with incident response responsibilities; organizational personnel with information security responsibilities
PE-6(a) monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
PE-6(b)
  PE-6(b)[1] defines the frequency to review physical access logs;
  PE-6(b)[2] defines events or potential indication of events requiring physical access logs to be reviewed;
  PE-6(b)[3] reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and
PE-6(c) coordinates results of reviews and investigations with the organizational incident response capability.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6(1) INTRUSION ALARMS / SURVEILLANCE EQUIPMENT
Decision: Determine if the organization monitors physical intrusion alarms and surveillance equipment.
Examine: Physical and environmental protection policy; procedures addressing physical access monitoring; security plan; physical access logs or records; physical access monitoring records; physical access log reviews; other relevant documents or records
Test: Organizational processes for monitoring physical intrusion alarms and surveillance equipment; automated mechanisms supporting and/or implementing physical access monitoring; automated mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment
Interview: Organizational personnel with physical access monitoring responsibilities; organizational personnel with incident response responsibilities; organizational personnel with information security responsibilities

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6(2) AUTOMATED INTRUSION RECOGNITION / RESPONSES
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing physical access monitoring; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of response actions to be initiated when specific classes/types of intrusions are recognized; other relevant documents or records
Test: Organizational processes for monitoring physical access; automated mechanisms supporting and/or implementing physical access monitoring; automated mechanisms supporting and/or implementing recognition of classes/types of intrusions and initiation of a response
Interview: Organizational personnel with physical access monitoring responsibilities; organizational personnel with information security responsibilities
PE-6(2)[1] defines classes/types of intrusions to be recognized by automated mechanisms;
PE-6(2)[2] defines response actions to be initiated by automated mechanisms when organization-defined classes/types of intrusions are recognized; and
PE-6(2)[3] employs automated mechanisms to recognize organization-defined classes/types of intrusions and initiate organization-defined response actions.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6(3) VIDEO SURVEILLANCE
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing physical access monitoring; video surveillance equipment used to monitor operational areas; video recordings of operational areas where video surveillance is employed; video surveillance equipment logs or records; other relevant documents or records
Test: Organizational processes for monitoring physical access; automated mechanisms supporting and/or implementing physical access monitoring; automated mechanisms supporting and/or implementing video surveillance
Interview: Organizational personnel with physical access monitoring responsibilities; organizational personnel with information security responsibilities
PE-6(3)[1] defines operational areas where video surveillance is to be employed;
PE-6(3)[2] defines a time period to retain video recordings of organization-defined operational areas;
PE-6(3)[3]
  PE-6(3)[3][a] employs video surveillance of organization-defined operational areas; and
  PE-6(3)[3][b] retains video recordings for the organization-defined time period.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6(4) MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing physical access monitoring; physical access control logs or records; physical access control devices; access authorizations; access credentials; list of areas within the facility containing concentrations of information system components or information system components requiring additional physical access monitoring; other relevant documents or records
Test: Organizational processes for monitoring physical access to the information system; automated mechanisms supporting and/or implementing physical access monitoring for facility areas containing information system components
Interview: Organizational personnel with physical access monitoring responsibilities; organizational personnel with information security responsibilities
PE-6(4)[1] defines physical spaces containing one or more components of the information system; and
PE-6(4)[2] monitors physical access to the information system in addition to the physical access monitoring of the facility at organization-defined physical spaces containing one or more components of the information system.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-7 VISITOR CONTROL
Decision: [Withdrawn: Incorporated into PE-2 and PE-3].
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-8 VISITOR ACCESS RECORDS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing visitor access records; security plan; visitor access control logs or records; visitor access record or log reviews; other relevant documents or records
Test: Organizational processes for maintaining and reviewing visitor access records; automated mechanisms supporting and/or implementing maintenance and review of visitor access records
Interview: Organizational personnel with visitor access records responsibilities; organizational personnel with information security responsibilities
PE-8(a)
  PE-8(a)[1] defines the time period to maintain visitor access records to the facility where the information system resides;
  PE-8(a)[2] maintains visitor access records to the facility where the information system resides for the organization-defined time period;
PE-8(b)
  PE-8(b)[1] defines the frequency to review visitor access records; and
  PE-8(b)[2] reviews visitor access records with the organization-defined frequency.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-8(1) AUTOMATED RECORDS MAINTENANCE / REVIEW
Decision: Determine if the organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.
Examine: Physical and environmental protection policy; procedures addressing visitor access records; automated mechanisms supporting management of visitor access records; visitor access control logs or records; other relevant documents or records
Test: Organizational processes for maintaining and reviewing visitor access records; automated mechanisms supporting and/or implementing maintenance and review of visitor access records
Interview: Organizational personnel with visitor access records responsibilities; organizational personnel with information security responsibilities

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-8(2) PHYSICAL ACCESS RECORDS
Decision: [Withdrawn: Incorporated into PE-2].
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-9 POWER EQUIPMENT AND CABLING
Decision: Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.
Examine: Physical and environmental protection policy; procedures addressing power equipment/cabling protection; facilities housing power equipment/cabling; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing protection of power equipment/cabling
Interview: Organizational personnel with responsibility for protecting power equipment/cabling; organizational personnel with information security responsibilities

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-9(1) REDUNDANT CABLING
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing power equipment/cabling protection; facilities housing power equipment/cabling; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing protection of power equipment/cabling
Interview: Organizational personnel with responsibility for protecting power equipment/cabling; organizational personnel with information security responsibilities
PE-9(1)[1] defines the distance by which redundant power cabling paths are to be physically separated; and
PE-9(1)[2] employs redundant power cabling paths that are physically separated by organization-defined distance.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-9(2) AUTOMATIC VOLTAGE CONTROLS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing voltage control; security plan; list of critical information system components requiring automatic voltage controls; automatic voltage control mechanisms and associated configurations; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing automatic voltage controls
Interview: Organizational personnel with responsibility for environmental protection of information system components; organizational personnel with information security responsibilities
PE-9(2)[1] defines critical information system components that require automatic voltage controls; and
PE-9(2)[2] employs automatic voltage controls for organization-defined critical information system components.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-10 EMERGENCY SHUTOFF
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing power source emergency shutoff; security plan; emergency shutoff controls or switches; locations housing emergency shutoff switches and devices; security safeguards protecting emergency power shutoff capability from unauthorized activation; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing emergency power shutoff
Interview: Organizational personnel with responsibility for emergency power shutoff capability (both implementing and using the capability); organizational personnel with information security responsibilities
PE-10(a) provides the capability of shutting off power to the information system or individual system components in emergency situations;
PE-10(b)
  PE-10(b)[1] defines the location of emergency shutoff switches or devices by information system or system component;
  PE-10(b)[2] places emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel; and
PE-10(c) protects emergency power shutoff capability from unauthorized activation.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-10(1) ACCIDENTAL / UNAUTHORIZED ACTIVATION
Decision: [Withdrawn: Incorporated into PE-10].

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-11 EMERGENCY POWER
Decision: Determine if the organization provides a short-term uninterruptible power supply to facilitate one or more of the following in the event of a primary power source loss:
Examine: Physical and environmental protection policy; procedures addressing emergency power; uninterruptible power supply; uninterruptible power supply documentation; uninterruptible power supply test records; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing uninterruptible power supply; the uninterruptible power supply
Interview: Organizational personnel with responsibility for emergency power and/or planning; organizational personnel with information security responsibilities
PE-11[1] an orderly shutdown of the information system; and/or
PE-11[2] transition of the information system to long-term alternate power.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-11(1) LONG-TERM ALTERNATE POWER SUPPLY – MINIMAL OPERATIONAL CAPABILITY
Decision: Determine if the organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
Examine: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply; alternate power supply documentation; alternate power supply test records; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing alternate power supply; the alternate power supply
Interview: Organizational personnel with responsibility for emergency power and/or planning; organizational personnel with information security responsibilities

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-11(2) LONG-TERM ALTERNATE POWER SUPPLY – SELF-CONTAINED
Decision: Determine if the organization provides a long-term alternate power supply for the information system that is:
Examine: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply; alternate power supply documentation; alternate power supply test records; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing alternate power supply; the alternate power supply
Interview: Organizational personnel with responsibility for emergency power and/or planning; organizational personnel with information security responsibilities
PE-11(2)(a) self-contained;
PE-11(2)(b) not reliant on external power generation;
PE-11(2)(c) capable of maintaining one of the following in the event of an extended loss of the primary power source:
  PE-11(2)(c)[1] minimally required operational capability; or
  PE-11(2)(c)[2] full operational capability.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-12 EMERGENCY LIGHTING
Decision: Determine if the organization employs and maintains automatic emergency lighting for the information system that:
Examine: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing emergency lighting capability
Interview: Organizational personnel with responsibility for emergency lighting and/or planning; organizational personnel with information security responsibilities
PE-12[1] activates in the event of a power outage or disruption; and
PE-12[2] covers emergency exits and evacuation routes within the facility.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-12(1) ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
Decision: Determine if the organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
Examine: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; areas/locations within facility supporting essential missions and business functions; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing emergency lighting capability
Interview: Organizational personnel with responsibility for emergency lighting and/or planning; organizational personnel with information security responsibilities

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13 FIRE PROTECTION
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; test records of fire suppression and detection devices/systems; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing fire suppression/detection devices/systems
Interview: Organizational personnel with responsibilities for fire detection and suppression devices/systems; organizational personnel with information security responsibilities
PE-13[1] employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and
PE-13[2] maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13(1) DETECTION DEVICES / SYSTEMS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service-level agreements; test records of fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; alerts/notifications of fire events; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing fire detection devices/systems; activation of fire detection devices/systems (simulated); automated notifications
Interview: Organizational personnel with responsibilities for fire detection and suppression devices/systems; organizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires; organizational personnel with information security responsibilities
PE-13(1)[1] defines personnel or roles to be notified in the event of a fire;
PE-13(1)[2] defines emergency responders to be notified in the event of a fire;
PE-13(1)[3] employs fire detection devices/systems for the information system that, in the event of a fire:
  PE-13(1)[3][a] activate automatically;
  PE-13(1)[3][b] notify organization-defined personnel or roles; and
  PE-13(1)[3][c] notify organization-defined emergency responders.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13(2) SUPPRESSION DEVICES / SYSTEMS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems documentation; facility housing the information system; alarm service-level agreements; test records of fire suppression and detection devices/systems; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing fire suppression devices/systems; activation of fire suppression devices/systems (simulated); automated notifications
Interview: Organizational personnel with responsibilities for fire detection and suppression devices/systems; organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders; organizational personnel with information security responsibilities
PE-13(2)[1] defines personnel or roles to be provided automatic notification of any activation of fire suppression devices/systems for the information system;
PE-13(2)[2] defines emergency responders to be provided automatic notification of any activation of fire suppression devices/systems for the information system;
PE-13(2)[3] employs fire suppression devices/systems for the information system that provide automatic notification of any activation to:
  PE-13(2)[3][a] organization-defined personnel or roles; and
  PE-13(2)[3][b] organization-defined emergency responders.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13(3) AUTOMATIC FIRE SUPPRESSION
Decision: Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
Examine: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems documentation; facility housing the information system; alarm service-level agreements; test records of fire suppression and detection devices/systems; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing fire suppression devices/systems; activation of fire suppression devices/systems (simulated)
Interview: Organizational personnel with responsibilities for fire detection and suppression devices/systems; organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders; organizational personnel with information security responsibilities

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13(4) INSPECTIONS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing fire protection; security plan; facility housing the information system; inspection plans; inspection results; inspection reports; test records of fire suppression and detection devices/systems; other relevant documents or records
Interview: Organizational personnel with responsibilities for planning, approving, and executing fire inspections; organizational personnel with information security responsibilities
PE-13(4)[1] defines the frequency of inspections to be conducted on the facility by authorized and qualified inspectors;
PE-13(4)[2] ensures that the facility undergoes inspections by authorized and qualified inspectors with the organization-defined frequency;
PE-13(4)[3] defines a time period to resolve deficiencies identified when the facility undergoes such inspections; and
PE-13(4)[4] resolves identified deficiencies within the organization-defined time period.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-14 TEMPERATURE AND HUMIDITY CONTROLS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing temperature and humidity control; security plan; temperature and humidity controls; facility housing the information system; temperature and humidity controls documentation; temperature and humidity records; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing maintenance and monitoring of temperature and humidity levels
Interview: Organizational personnel with responsibilities for information system environmental controls; organizational personnel with information security responsibilities
PE-14(a)
  PE-14(a)[1] defines acceptable temperature levels to be maintained within the facility where the information system resides;
  PE-14(a)[2] defines acceptable humidity levels to be maintained within the facility where the information system resides;
  PE-14(a)[3] maintains temperature levels within the facility where the information system resides at the organization-defined levels;
  PE-14(a)[4] maintains humidity levels within the facility where the information system resides at the organization-defined levels;
PE-14(b)
  PE-14(b)[1] defines the frequency to monitor temperature levels;
  PE-14(b)[2] defines the frequency to monitor humidity levels;
  PE-14(b)[3] monitors temperature levels with the organization-defined frequency; and
  PE-14(b)[4] monitors humidity levels with the organization-defined frequency.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-14(1) AUTOMATIC CONTROLS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing temperature and humidity controls; facility housing the information system; automated mechanisms for temperature and humidity; temperature and humidity controls; temperature and humidity documentation; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing temperature and humidity levels
Interview: Organizational personnel with responsibilities for information system environmental controls; organizational personnel with information security responsibilities
PE-14(1)[1] employs automatic temperature controls in the facility to prevent fluctuations potentially harmful to the information system; and
PE-14(1)[2] employs automatic humidity controls in the facility to prevent fluctuations potentially harmful to the information system.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-14(2) MONITORING WITH ALARMS / NOTIFICATIONS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing temperature and humidity monitoring; facility housing the information system; logs or records of temperature and humidity monitoring; records of changes to temperature and humidity levels that generate alarms or notifications; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing temperature and humidity monitoring
Interview: Organizational personnel with responsibilities for information system environmental controls; organizational personnel with information security responsibilities
PE-14(2)[1] employs temperature monitoring that provides an alarm of changes potentially harmful to personnel or equipment; and/or
PE-14(2)[2] employs temperature monitoring that provides notification of changes potentially harmful to personnel or equipment;
PE-14(2)[3] employs humidity monitoring that provides an alarm of changes potentially harmful to personnel or equipment; and/or
PE-14(2)[4] employs humidity monitoring that provides notification of changes potentially harmful to personnel or equipment.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-15 WATER DAMAGE PROTECTION
Decision: Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:
Examine: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; master shutoff valves; list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system; master shutoff valve documentation; other relevant documents or records
Test: Master water-shutoff valves; organizational process for activating master water-shutoff
Interview: Organizational personnel with responsibilities for information system environmental controls; organizational personnel with information security responsibilities
PE-15[1] accessible;
PE-15[2] working properly; and
PE-15[3] known to key personnel.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-15(1) AUTOMATION SUPPORT
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; automated mechanisms for water shutoff valves; automated mechanisms detecting presence of water in vicinity of information system; alerts/notifications of water detection in information system facility; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing water detection capability and alerts for the information system
Interview: Organizational personnel with responsibilities for information system environmental controls; organizational personnel with information security responsibilities
PE-15(1)[1] defines personnel or roles to be alerted when the presence of water is detected in the vicinity of the information system;
PE-15(1)[2] employs automated mechanisms to detect the presence of water in the vicinity of the information system; and
PE-15(1)[3] alerts organization-defined personnel or roles when the presence of water is detected in the vicinity of the information system.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-16 DELIVERY AND REMOVAL
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing delivery and removal of information system components from the facility; security plan; facility housing the information system; records of items entering and exiting the facility; other relevant documents or records
Test: Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility; automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility
Interview: Organizational personnel with responsibilities for controlling information system components entering and exiting the facility; organizational personnel with information security responsibilities
PE-16[1] defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;
PE-16[2] authorizes organization-defined information system components entering the facility;
PE-16[3] monitors organization-defined information system components entering the facility;
PE-16[4] controls organization-defined information system components entering the facility;
PE-16[5] authorizes organization-defined information system components exiting the facility;
PE-16[6] monitors organization-defined information system components exiting the facility;
PE-16[7] controls organization-defined information system components exiting the facility;
PE-16[8] maintains records of information system components entering the facility; and
PE-16[9] maintains records of information system components exiting the facility.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-17 ALTERNATE WORK SITE
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing alternate work sites for organizational personnel; security plan; list of security controls required for alternate work sites; assessments of security controls at alternate work sites; other relevant documents or records
Test: Organizational processes for security at alternate work sites; automated mechanisms supporting alternate work sites; security controls employed at alternate work sites; means of communications between personnel at alternate work sites and security personnel
Interview: Organizational personnel approving use of alternate work sites; organizational personnel using alternate work sites; organizational personnel assessing controls at alternate work sites; organizational personnel with information security responsibilities
PE-17(a)
  PE-17(a)[1] defines security controls to be employed at alternate work sites;
  PE-17(a)[2] employs organization-defined security controls at alternate work sites;
PE-17(b) assesses, as feasible, the effectiveness of security controls at alternate work sites; and
PE-17(c) provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing positioning of information system components; documentation providing the location and position of information system components within the facility; locations housing information system components within the facility; list of physical and environmental hazards with potential to damage information system components within the facility; other relevant documents or records
Test: Organizational processes for positioning information system components
Interview: Organizational personnel with responsibilities for positioning information system components; organizational personnel with information security responsibilities
PE-18[1] defines physical hazards that could result in potential damage to information system components within the facility;
PE-18[2] defines environmental hazards that could result in potential damage to information system components within the facility;
PE-18[3] positions information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards; and
PE-18[4] positions information system components within the facility to minimize the opportunity for unauthorized access.
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-18(1) FACILITY SITE
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; physical site planning documents; organizational assessment of risk; contingency plan; risk mitigation strategy documentation; other relevant documents or records
Test: Organizational processes for site planning
Interview: Organizational personnel with site selection responsibilities for the facility housing the information system; organizational personnel with risk mitigation responsibilities; organizational personnel with information security responsibilities
PE-18(1)[1] plans the location or site of the facility where the information system resides with regard to physical hazards;
PE-18(1)[2] plans the location or site of the facility where the information system resides with regard to environmental hazards;
PE-18(1)[3] for existing facilities, considers the physical hazards in its risk mitigation strategy; and
PE-18(1)[4] for existing facilities, considers the environmental hazards in its risk mitigation strategy.

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-19 INFORMATION LEAKAGE
Decision: Determine if the organization protects the information system from information leakage due to electromagnetic signals emanations.
Examine: Physical and environmental protection policy; procedures addressing information leakage due to electromagnetic signals emanations; mechanisms protecting the information system against electronic signals emanation; facility housing the information system; records from electromagnetic signals emanation tests; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing protection from information leakage due to electromagnetic signals emanations
Interview: Organizational personnel with responsibilities for information system environmental controls; organizational personnel with information security responsibilities

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-19(1) NATIONAL EMISSIONS / TEMPEST POLICIES AND PROCEDURES
Decision: Determine if the organization ensures that the following are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information:
Examine: Physical and environmental protection policy; procedures addressing information leakage that comply with national emissions and TEMPEST policies and procedures; information system component design documentation; information system configuration settings and associated documentation; other relevant documents or records
Test: Information system components for compliance with national emissions and TEMPEST policies and procedures
Interview: Organizational personnel with responsibilities for information system environmental controls; organizational personnel with information security responsibilities
PE-19(1)[1] information system components;
PE-19(1)[2] associated data communications; and
PE-19(1)[3] networks.
Family: PHYSICAL AND ENVIRONMENTAL PROTECTION
Control: PE-20 ASSET MONITORING AND TRACKING
Decision: Determine if the organization:
Examine: Physical and environmental protection policy; procedures addressing asset monitoring and tracking; asset location technologies and associated configuration documentation; list of organizational assets requiring tracking and monitoring; asset monitoring and tracking records; other relevant documents or records
Test: Organizational processes for tracking and monitoring assets; automated mechanisms supporting and/or implementing tracking and monitoring of assets
Interview: Organizational personnel with asset monitoring and tracking responsibilities; organizational personnel with information security responsibilities
PE-20(a)
  PE-20(a)[1] defines assets whose location and movement are to be tracked and monitored;
  PE-20(a)[2] defines asset location technologies to be employed to track and monitor the location and movement of organization-defined assets;
  PE-20(a)[3] defines controlled areas within which to track and monitor organization-defined assets;
  PE-20(a)[4] employs organization-defined asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas; and
PE-20(b) ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards and guidance.
Family: PLANNING
Control: PL-1 SECURITY PLANNING POLICY AND PROCEDURES
Decision: Determine if the organization:
Examine: Planning policy and procedures; other relevant documents or records
Interview: Organizational personnel with planning responsibilities; organizational personnel with information security responsibilities
PL-1(a)(1)
  PL-1(a)(1)[1] develops and documents a planning policy that addresses:
    PL-1(a)(1)[1][a] purpose;
    PL-1(a)(1)[1][b] scope;
    PL-1(a)(1)[1][c] roles;
    PL-1(a)(1)[1][d] responsibilities;
    PL-1(a)(1)[1][e] management commitment;
    PL-1(a)(1)[1][f] coordination among organizational entities;
    PL-1(a)(1)[1][g] compliance;
  PL-1(a)(1)[2] defines personnel or roles to whom the planning policy is to be disseminated;
  PL-1(a)(1)[3] disseminates the planning policy to organization-defined personnel or roles;
PL-1(a)(2)
  PL-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;
  PL-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
  PL-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
PL-1(b)(1)
  PL-1(b)(1)[1] defines the frequency to review and update the current planning policy;
  PL-1(b)(1)[2] reviews and updates the current planning policy with the organization-defined frequency;
PL-1(b)(2)
  PL-1(b)(2)[1] defines the frequency to review and update the current planning procedures; and
  PL-1(b)(2)[2] reviews and updates the current planning procedures with the organization-defined frequency.
Family: PLANNING
Control: PL-2 SYSTEM SECURITY PLAN
Decision: Determine if the organization:
Examine: Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan for the information system; records of security plan reviews and updates; other relevant documents or records
Test: Organizational processes for security plan development/review/update/approval; automated mechanisms supporting the information system security plan
Interview: Organizational personnel with security planning and plan implementation responsibilities; organizational personnel with information security responsibilities
PL-2(a) develops a security plan for the information system that:
  PL-2(a)(1) is consistent with the organization’s enterprise architecture;
  PL-2(a)(2) explicitly defines the authorization boundary for the system;
  PL-2(a)(3) describes the operational context of the information system in terms of missions and business processes;
  PL-2(a)(4) provides the security categorization of the information system including supporting rationale;
  PL-2(a)(5) describes the operational environment for the information system and relationships with or connections to other information systems;
  PL-2(a)(6) provides an overview of the security requirements for the system;
  PL-2(a)(7) identifies any relevant overlays, if applicable;
  PL-2(a)(8) describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;
  PL-2(a)(9) is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
PL-2(b)
  PL-2(b)[1] defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;
  PL-2(b)[2] distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;
PL-2(c)
  PL-2(c)[1] defines the frequency to review the security plan for the information system;
  PL-2(c)[2] reviews the security plan for the information system with the organization-defined frequency;
PL-2(d) updates the plan to address:
  PL-2(d)[1] changes to the information system/environment of operation;
  PL-2(d)[2] problems identified during plan implementation;
  PL-2(d)[3] problems identified during security control assessments;
PL-2(e) protects the security plan from unauthorized:
  PL-2(e)[1] disclosure; and
  PL-2(e)[2] modification.

Family: PLANNING
Control: PL-2(1) CONCEPT OF OPERATIONS
[Withdrawn: Incorporated into PL-7].

Family: PLANNING
Control: PL-2(2) FUNCTIONAL ARCHITECTURE
[Withdrawn: Incorporated into PL-8].

Family: PLANNING
Control: PL-2(3) PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES
Decision: Determine if the organization:
Examine: Security planning policy; access control policy; contingency planning policy; procedures addressing security-related activity planning for the information system; security plan for the information system; contingency plan for the information system; information system design documentation; other relevant documents or records
Interview: Organizational personnel with security planning and plan implementation responsibilities; organizational individuals or groups with whom security-related activities are to be planned and coordinated; organizational personnel with information security responsibilities
PL-2(3)[1] defines individuals or groups with whom security-related activities affecting the information system are to be planned and coordinated before conducting such activities in order to reduce the impact on other organizational entities; and
PL-2(3)[2] plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities.
Family: PLANNING
Control: PL-3 SYSTEM SECURITY PLAN UPDATE
[Withdrawn: Incorporated into PL-2].

Family: PLANNING
Control: PL-4 RULES OF BEHAVIOR
Decision: Determine if the organization:
Examine: Security planning policy; procedures addressing rules of behavior for information system users; rules of behavior; signed acknowledgements; records for rules of behavior reviews and updates; other relevant documents or records
Test: Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior; automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior
Interview: Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior; organizational personnel who are authorized users of the information system and have signed and re-signed rules of behavior; organizational personnel with information security responsibilities
PL-4(a)
  PL-4(a)[1] establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
  PL-4(a)[2] makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
PL-4(b) receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
PL-4(c)
  PL-4(c)[1] defines the frequency to review and update the rules of behavior;
  PL-4(c)[2] reviews and updates the rules of behavior with the organization-defined frequency; and
PL-4(d) requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
Family: PLANNING
Control: PL-4(1) SOCIAL MEDIA AND NETWORKING RESTRICTIONS
Decision: Determine if the organization includes the following in the rules of behavior:
Examine: Security planning policy; procedures addressing rules of behavior for information system users; rules of behavior; other relevant documents or records
Test: Organizational processes for establishing rules of behavior; automated mechanisms supporting and/or implementing the establishment of rules of behavior
Interview: Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior; organizational personnel who are authorized users of the information system and have signed rules of behavior; organizational personnel with information security responsibilities
PL-4(1)[1] explicit restrictions on the use of social media/networking sites; and
PL-4(1)[2] posting organizational information on public websites.

Family: PLANNING
Control: PL-5 PRIVACY IMPACT ASSESSMENT
[Withdrawn: Incorporated into Appendix J, AR-2].

Family: PLANNING
Control: PL-6 SECURITY-RELATED ACTIVITY PLANNING
[Withdrawn: Incorporated into PL-2].
Family: PLANNING
Control: PL-7 SECURITY CONCEPT OF OPERATIONS
Decision: Determine if the organization:
Examine: Security planning policy; procedures addressing security CONOPS development; procedures addressing security CONOPS reviews and updates; security CONOPS for the information system; security plan for the information system; records of security CONOPS reviews and updates; other relevant documents or records
Test: Organizational processes for developing, reviewing, and updating the security CONOPS; automated mechanisms supporting and/or implementing the development, review, and update of the security CONOPS
Interview: Organizational personnel with security planning and plan implementation responsibilities; organizational personnel with information security responsibilities
PL-7(a) develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum, how the organization intends to operate the system from the perspective of information security;
PL-7(b)
  PL-7(b)[1] defines the frequency to review and update the security CONOPS; and
  PL-7(b)[2] reviews and updates the security CONOPS with the organization-defined frequency.
Family: PLANNING
Control: PL-8 INFORMATION SECURITY ARCHITECTURE
Decision: Determine if the organization:
Examine: Security planning policy; procedures addressing information security architecture development; procedures addressing information security architecture reviews and updates; enterprise architecture documentation; information security architecture documentation; security plan for the information system; security CONOPS for the information system; records of information security architecture reviews and updates; other relevant documents or records
Test: Organizational processes for developing, reviewing, and updating the information security architecture; automated mechanisms supporting and/or implementing the development, review, and update of the information security architecture
Interview: Organizational personnel with security planning and plan implementation responsibilities; organizational personnel with information security architecture development responsibilities; organizational personnel with information security responsibilities
PL-8(a) develops an information security architecture for the information system that describes:
  PL-8(a)(1) the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
  PL-8(a)(2) how the information security architecture is integrated into and supports the enterprise architecture;
  PL-8(a)(3) any information security assumptions about, and dependencies on, external services;
PL-8(b)
  PL-8(b)[1] defines the frequency to review and update the information security architecture;
  PL-8(b)[2] reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;
PL-8(c) ensures that planned information security architecture changes are reflected in:
  PL-8(c)[1] the security plan;
  PL-8(c)[2] the security Concept of Operations (CONOPS); and
  PL-8(c)[3] the organizational procurements/acquisitions.

Family: PLANNING
Control: PL-8(1) DEFENSE-IN-DEPTH
Decision: Determine if the organization:
Examine: Security planning policy; procedures addressing information security architecture development; enterprise architecture documentation; information security architecture documentation; security plan for the information system; security CONOPS for the information system; other relevant documents or records
Test: Organizational processes for designing the information security architecture; automated mechanisms supporting and/or implementing the design of the information security architecture
Interview: Organizational personnel with security planning and plan implementation responsibilities; organizational personnel with information security architecture development responsibilities; organizational personnel with information security responsibilities
PL-8(1)(a)
  PL-8(1)(a)[1] defines security safeguards to be allocated to locations and architectural layers within the design of its security architecture;
  PL-8(1)(a)[2] defines locations and architectural layers of its security architecture in which organization-defined security safeguards are to be allocated;
  PL-8(1)(a)[3] designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined locations and architectural layers; and
PL-8(1)(b) designs its security architecture using a defense-in-depth approach that ensures the allocated organization-defined security safeguards operate in a coordinated and mutually reinforcing manner.
Family: PLANNING
Control: PL-8(2) SUPPLIER DIVERSITY
Decision: Determine if the organization:
Examine: Security planning policy; procedures addressing information security architecture development; enterprise architecture documentation; information security architecture documentation; security plan for the information system; security CONOPS for the information system; other relevant documents or records
Test: Organizational processes for obtaining information security safeguards from different suppliers
Interview: Organizational personnel with security planning and plan implementation responsibilities; organizational personnel with information security architecture development responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with information security responsibilities
PL-8(2)[1] defines security safeguards to be allocated to locations and architectural layers within the design of its security architecture;
PL-8(2)[2] defines locations and architectural layers of its security architecture in which organization-defined security safeguards are to be allocated; and
PL-8(2)[3] requires that organization-defined security safeguards allocated to organization-defined locations and architectural layers are obtained from different suppliers.
Family: PLANNING
Control: PL-9 CENTRAL MANAGEMENT
Decision: Determine if the organization:
Examine: Security planning policy; procedures addressing security plan development and implementation; security plan for the information system; other relevant documents or records
Test: Organizational processes for central management of security controls and related processes; automated mechanisms supporting and/or implementing central management of security controls and related processes
Interview: Organizational personnel with security planning and plan implementation responsibilities; organizational personnel with responsibilities for planning/implementing central management of security controls and related processes; organizational personnel with information security responsibilities
PL-9[1] defines security controls and related processes to be centrally managed; and
PL-9[2] centrally manages organization-defined security controls and related processes.

Family: PROGRAM MANAGEMENT
Control: PM-1 INFORMATION SECURITY PROGRAM PLAN
Decision: Determine if the organization:
Examine: Information security program plan; procedures addressing program plan development and implementation; procedures addressing program plan reviews and updates; procedures addressing coordination of the program plan with relevant entities; procedures for program plan approvals; records of program plan reviews and updates; other relevant documents or records
Test: Organizational processes for information security program plan development/review/update/approval; automated mechanisms supporting and/or implementing the information security program plan
Interview: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel with information security responsibilities
PM-1(a) develops and disseminates an organization-wide information security program plan that:
  PM-1(a)(1)
    PM-1(a)(1)[1] provides an overview of the requirements for the security program;
    PM-1(a)(1)[2] provides a description of the:
      PM-1(a)(1)[2][a] security program management controls in place or planned for meeting those requirements;
      PM-1(a)(1)[2][b] common controls in place or planned for meeting those requirements;
  PM-1(a)(2) includes the identification and assignment of:
    PM-1(a)(2)[1] roles;
    PM-1(a)(2)[2] responsibilities;
    PM-1(a)(2)[3] management commitment;
    PM-1(a)(2)[4] coordination among organizational entities;
    PM-1(a)(2)[5] compliance;
  PM-1(a)(3) reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical);
  PM-1(a)(4) is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations, organizational assets, individuals, other organizations, and the Nation;
PM-1(b)
  PM-1(b)[1] defines the frequency to review the security program plan for the information system;
  PM-1(b)[2] reviews the organization-wide information security program plan with the organization-defined frequency;
PM-1(c) updates the plan to address organizational:
  PM-1(c)[1] changes identified during plan implementation;
  PM-1(c)[2] changes identified during security control assessments;
  PM-1(c)[3] problems identified during plan implementation;
  PM-1(c)[4] problems identified during security control assessments;
PM-1(d) protects the information security program plan from unauthorized:
  PM-1(d)[1] disclosure; and
  PM-1(d)[2] modification.
Family: PROGRAM MANAGEMENT
Control: PM-2 SENIOR INFORMATION SECURITY OFFICER
Decision: Determine if the organization appoints a senior information security officer with the mission and resources to:
Examine: Information security program plan; procedures addressing program plan development and implementation; procedures addressing program plan reviews and updates; procedures addressing coordination of the program plan with relevant entities; other relevant documents or records
Interview: Organizational personnel with information security program planning and plan implementation responsibilities; senior information security officer; organizational personnel with information security responsibilities
PM-2[1] coordinate an organization-wide information security program;
PM-2[2] develop an organization-wide information security program;
PM-2[3] implement an organization-wide information security program; and
PM-2[4] maintain an organization-wide information security program.

Family: PROGRAM MANAGEMENT
Control: PM-3 INFORMATION SECURITY RESOURCES
Decision: Determine if the organization:
Examine: Information security program plan; Exhibits 300; Exhibits 53; business cases for capital planning and investment; procedures for capital planning and investment; documentation of exceptions to capital planning requirements; other relevant documents or records
Test: Organizational processes for capital planning and investment; organizational processes for business case/Exhibit 300/Exhibit 53 development; automated mechanisms supporting the capital planning and investment process
Interview: Organizational personnel with information security program planning responsibilities; organizational personnel responsible for capital planning and investment; organizational personnel with information security responsibilities
PM-3(a)
  PM-3(a)[1] ensures that all capital planning and investment requests include the resources needed to implement the information security program plan;
  PM-3(a)[2] documents all exceptions to the requirement;
PM-3(b) employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
PM-3(c) ensures that information security resources are available for expenditure as planned.

Family: PROGRAM MANAGEMENT
Control: PM-4 PLAN OF ACTION AND MILESTONES PROCESS
Decision: Determine if the organization:
Examine: Information security program plan; plans of action and milestones; procedures addressing plans of action and milestones development and maintenance; procedures addressing plans of action and milestones reporting; procedures for review of plans of action and milestones for consistency with risk management strategy and risk response priorities; results of risk assessments associated with plans of action and milestones; OMB FISMA reporting requirements; other relevant documents or records
Test: Organizational processes for plan of action and milestones development, review, maintenance, reporting; automated mechanisms supporting plans of action and milestones
Interview: Organizational personnel with responsibility for developing, maintaining, reviewing, and reporting plans of action and milestones; organizational personnel with information security responsibilities
PM-4(a) implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
  PM-4(a)(1)
    PM-4(a)(1)[1] are developed;
    PM-4(a)(1)[2] are maintained;
  PM-4(a)(2) document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation;
  PM-4(a)(3) are reported in accordance with OMB FISMA reporting requirements;
PM-4(b) reviews plans of action and milestones for consistency with:
  PM-4(b)[1] the organizational risk management strategy; and
  PM-4(b)[2] organization-wide priorities for risk response actions.
Family: PROGRAM MANAGEMENT
Control: PM-5 INFORMATION SYSTEM INVENTORY
Decision: Determine if the organization:
Examine: Information security program plan; information system inventory; procedures addressing information system inventory development and maintenance; OMB FISMA reporting guidance; other relevant documents or records
Test: Organizational processes for information system inventory development and maintenance; automated mechanisms supporting the information system inventory
Interview: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel responsible for developing and maintaining the information system inventory; organizational personnel with information security responsibilities
PM-5[1] develops an inventory of its information systems; and
PM-5[2] maintains the inventory of its information systems.

Family: PROGRAM MANAGEMENT
Control: PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE
Decision: Determine if the organization:
Examine: Information security program plan; information security measures of performance; procedures addressing development, monitoring, and reporting of information security measures of performance; other relevant documents or records
Test: Organizational processes for developing, monitoring, and reporting information security measures of performance; automated mechanisms supporting the development, monitoring, and reporting of information security measures of performance
Interview: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel responsible for developing, monitoring, and reporting information security measures of performance; organizational personnel with information security responsibilities
PM-6[1] develops information security measures of performance;
PM-6[2] monitors information security measures of performance; and
PM-6[3] reports information security measures of performance.
Family: PROGRAM MANAGEMENT
Control: PM-7 ENTERPRISE ARCHITECTURE
Decision: Determine if the organization develops an enterprise architecture with consideration for:
Examine: Information security program plan; enterprise architecture documentation; procedures addressing enterprise architecture development; results of risk assessment of enterprise architecture; other relevant documents or records
Test: Organizational processes for enterprise architecture development; automated mechanisms supporting the enterprise architecture and its development
Interview: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel responsible for developing enterprise architecture; organizational personnel responsible for risk assessment of enterprise architecture; organizational personnel with information security responsibilities
PM-7[1] information security; and
PM-7[2] the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
Family: PROGRAM MANAGEMENT
Control: PM-8 CRITICAL INFRASTRUCTURE PLAN
Decision: Determine if the organization addresses information security issues in the:
Examine: Information security program plan; critical infrastructure and key resources protection plan; procedures addressing development, documentation, and updating of the critical infrastructure and key resources protection plan; HSPD 7; National Infrastructure Protection Plan; other relevant documents or records
Test: Organizational processes for developing, documenting, and updating the critical infrastructure and key resources protection plan; automated mechanisms supporting the development, documentation, and updating of the critical infrastructure and key resources protection plan
Interview: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel responsible for developing, documenting, and updating the critical infrastructure and key resources protection plan; organizational personnel with information security responsibilities
PM-8[1] development of a critical infrastructure and key resources protection plan;
PM-8[2] documentation of a critical infrastructure and key resources protection plan; and
PM-8[3] updating of the critical infrastructure and key resources protection plan.
Family: PROGRAM MANAGEMENT
Control: PM-9 RISK MANAGEMENT STRATEGY
Decision: Determine if the organization:
Examine: Information security program plan; risk management strategy; procedures addressing development, implementation, review, and update of the risk management strategy; risk assessment results relevant to the risk management strategy; other relevant documents or records
Test: Organizational processes for development, implementation, review, and update of the risk management strategy; automated mechanisms supporting the development, implementation, review, and update of the risk management strategy
Interview: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel responsible for development, implementation, review, and update of the risk management strategy; organizational personnel with information security responsibilities
PM-9(a) develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
PM-9(b) implements the risk management strategy consistently across the organization;
PM-9(c)
  PM-9(c)[1] defines the frequency to review and update the risk management strategy;
  PM-9(c)[2] reviews and updates the risk management strategy to address organizational changes:
    PM-9(c)[2][a] with the organization-defined frequency; or
    PM-9(c)[2][b] as required.
Family: PROGRAM MANAGEMENT
Control: PM-10 SECURITY AUTHORIZATION PROCESS
Decision: Determine if the organization:
Examine: Information security program plan; procedures addressing management (i.e., documentation, tracking, and reporting) of the security authorization process; security authorization documents; lists or other documentation about security authorization process roles and responsibilities; risk assessment results relevant to the security authorization process and the organization-wide risk management program; organizational risk management strategy; other relevant documents or records
Test: Organizational processes for security authorization; automated mechanisms supporting the security authorization process
Interview: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel responsible for management of the security authorization process; authorizing officials; system owners; senior information security officer; organizational personnel with information security responsibilities
PM-10(a) manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
PM-10(b) designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
PM-10(c) fully integrates the security authorization processes into an organization-wide risk management program.
PROGRAM MANAGEMENT PM-11 MISSION/BUSINESS PROCESS DEFINITION "Determine if the organization: " Information security program plan;risk management strategy;procedures for determining mission/business protection needs;risk assessment results relevant to determination of mission/business protection needs;other relevant documents or records Organizational processes for defining mission/business processes and their information protection needs Organizational personnel with information security program planning and plan implementation responsibilities;organizational personnel responsible for mission/business processes;organizational personnel responsible for determining information protection needs for mission/business processes;organizational personnel with information security responsibilities PM-11(a) "defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;" PM-11(b) PM-11(b)[1] "determines information protection needs arising from the defined mission/business process; and" PM-11(b)[2] "revises the processes as necessary until achievable protection needs are obtained."
PROGRAM MANAGEMENT PM-12 INSIDER THREAT PROGRAM "Determine if the organization implements an insider threat program that includes a cross-discipline insider threat incident handling team." Information security program plan;insider threat program documentation;procedures for the insider threat program;risk assessment results relevant to insider threats;list or other documentation on the cross-discipline insider threat incident handling team;other relevant documents or records Organizational processes for implementing the insider threat program and the cross-discipline insider threat incident handling team;automated mechanisms supporting and/or implementing the insider threat program and the cross-discipline insider threat incident handling team Organizational personnel with information security program planning and plan implementation responsibilities;organizational personnel responsible for the insider threat program;members of the cross-discipline insider threat incident handling team;organizational personnel with information security responsibilities
PROGRAM MANAGEMENT PM-13 INFORMATION SECURITY WORKFORCE "Determine if the organization establishes an information security workforce development and improvement program." Information security program plan;information security workforce development and improvement program documentation;procedures for the information security workforce development and improvement program;other relevant documents or records Organizational processes for implementing the information security workforce development and improvement program;automated mechanisms supporting and/or implementing the information security workforce development and improvement program Organizational personnel with information security program planning and plan implementation responsibilities;organizational personnel responsible for the information security workforce development and improvement program;organizational personnel with information security responsibilities
PROGRAM MANAGEMENT PM-14 TESTING, TRAINING, AND MONITORING "Determine if the organization: " Information security program plan;plans for conducting security testing, training, and monitoring activities;organizational procedures addressing development and maintenance of plans for conducting security testing, training, and monitoring activities;risk management strategy;procedures for review of plans for conducting security testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities;results of risk assessments associated with conducting security testing, training, and monitoring activities;evidence that plans for conducting security testing, training, and monitoring activities are executed in a timely manner;other relevant documents or records Organizational processes for development and maintenance of plans for conducting security testing, training, and monitoring activities;automated mechanisms supporting development and maintenance of plans for conducting security testing, training, and monitoring activities Organizational personnel with responsibility for developing and maintaining plans for conducting security testing, training, and monitoring activities;organizational personnel with information security responsibilities PM-14(a) "implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:" PM-14(a)(1) PM-14(a)(1)[1] "are developed;" PM-14(a)(1)[2] "are maintained;" PM-14(a)(2) "continue to be executed in a timely manner;" PM-14(b) "reviews testing, training, and monitoring plans for consistency with:" PM-14(b)[1] "the organizational risk management strategy; and" PM-14(b)[2] "organization-wide priorities for risk response actions."
PROGRAM MANAGEMENT PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS "Determine if the organization establishes and institutionalizes contact with selected groups and associations within the security community to: " Information security program plan;risk management strategy;procedures for contacts with security groups and associations;evidence of established and institutionalized contact with security groups and associations;lists or other documentation about contact with and/or membership in security groups and associations;other relevant documents or records Organizational processes for establishing and institutionalizing contact with security groups and associations;automated mechanisms supporting contacts with security groups and associations Organizational personnel with information security program planning and plan implementation responsibilities;organizational personnel responsible for establishing and institutionalizing contact with security groups and associations;organizational personnel with information security responsibilities;personnel from selected groups and associations with which the organization has established and institutionalized contact PM-15(a) "facilitate ongoing security education and training for organizational personnel;" PM-15(b) "maintain currency with recommended security practices, techniques, and technologies; and" PM-15(c) "share current security-related information including threats, vulnerabilities, and incidents."
PROGRAM MANAGEMENT PM-16 THREAT AWARENESS PROGRAM "Determine if the organization implements a threat awareness program that includes a cross-organization information-sharing capability." Information security program plan;threat awareness program documentation;procedures for the threat awareness program;risk assessment results relevant to threat awareness;list or other documentation on the cross-organization information-sharing capability;other relevant documents or records Organizational processes for implementing the threat awareness program;organizational processes for implementing the cross-organization information-sharing capability;automated mechanisms supporting and/or implementing the threat awareness program;automated mechanisms supporting and/or implementing the cross-organization information-sharing capability Organizational personnel with information security program planning and plan implementation responsibilities;organizational personnel responsible for the threat awareness program;organizational personnel with responsibility for the cross-organization information-sharing capability;organizational personnel with information security responsibilities;personnel with whom threat awareness information is shared by the organization
PERSONNEL SECURITY PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES "Determine if the organization:" Personnel security policy and procedures;other relevant documents or records Organizational personnel with personnel security responsibilities;organizational personnel with information security responsibilities PS-1(a)(1) PS-1(a)(1)[1] "develops and documents a personnel security policy that addresses:" PS-1(a)(1)[1][a] "purpose;" PS-1(a)(1)[1][b] "scope;" PS-1(a)(1)[1][c] "roles;" PS-1(a)(1)[1][d] "responsibilities;" PS-1(a)(1)[1][e] "management commitment;" PS-1(a)(1)[1][f] "coordination among organizational entities;" PS-1(a)(1)[1][g] "compliance;" PS-1(a)(1)[2] "defines personnel or roles to whom the personnel security policy is to be disseminated;" PS-1(a)(1)[3] "disseminates the personnel security policy to organization-defined personnel or roles;" PS-1(a)(2) PS-1(a)(2)[1] "develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;" PS-1(a)(2)[2] "defines personnel or roles to whom the procedures are to be disseminated;" PS-1(a)(2)[3] "disseminates the procedures to organization-defined personnel or roles;" PS-1(b)(1) PS-1(b)(1)[1] "defines the frequency to review and update the current personnel security policy;" PS-1(b)(1)[2] "reviews and updates the current personnel security policy with the organization-defined frequency;" PS-1(b)(2) PS-1(b)(2)[1] "defines the frequency to review and update the current personnel security procedures; and" PS-1(b)(2)[2] "reviews and updates the current personnel security procedures with the organization-defined frequency."
PERSONNEL SECURITY PS-2 POSITION RISK DESIGNATION "Determine if the organization:" Personnel security policy;procedures addressing position categorization;appropriate codes of federal regulations;list of risk designations for organizational positions;security plan;records of position risk designation reviews and updates;other relevant documents or records Organizational processes for assigning, reviewing, and updating position risk designations;organizational processes for establishing screening criteria Organizational personnel with personnel security responsibilities;organizational personnel with information security responsibilities PS-2(a) "assigns a risk designation to all organizational positions;" PS-2(b) "establishes screening criteria for individuals filling those positions;" PS-2(c) PS-2(c)[1] "defines the frequency to review and update position risk designations; and" PS-2(c)[2] "reviews and updates position risk designations with the organization-defined frequency." PERSONNEL SECURITY PS-3 PERSONNEL SCREENING "Determine if the organization:" Personnel security policy;procedures addressing personnel screening;records of screened personnel;security plan;other relevant documents or records Organizational processes for personnel screening Organizational personnel with personnel security responsibilities;organizational personnel with information security responsibilities PS-3(a) "screens individuals prior to authorizing access to the information system;" PS-3(b) PS-3(b)[1] "defines conditions requiring re-screening;" PS-3(b)[2] "defines the frequency of re-screening where it is so indicated; and" PS-3(b)[3] "re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening." 
PERSONNEL SECURITY PS-3(1) CLASSIFIED INFORMATION "Determine if the organization:" Personnel security policy;procedures addressing personnel screening;records of screened personnel;other relevant documents or records Organizational processes for clearing and indoctrinating personnel for access to classified information Organizational personnel with personnel security responsibilities;organizational personnel with information security responsibilities PS-3(1)[1] "ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared to the highest classification level of the information to which they have access on the system; and" PS-3(1)[2] "ensures that individuals accessing an information system processing, storing, or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system."
PERSONNEL SECURITY PS-3(2) FORMAL INDOCTRINATION "Determine if the organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system." Personnel security policy;procedures addressing personnel screening;records of screened personnel;other relevant documents or records Organizational processes for formal indoctrination for all relevant types of information to which personnel have access Organizational personnel with personnel security responsibilities;organizational personnel with information security responsibilities
PERSONNEL SECURITY PS-3(3) INFORMATION WITH SPECIAL PROTECTION MEASURES "Determine if the organization: " Personnel security policy;access control policy;procedures addressing personnel screening;records of screened personnel;screening criteria;records of access authorizations;other relevant documents or records Organizational processes for ensuring valid access authorizations for information requiring special protection;organizational process for additional personnel screening for information requiring special protection Organizational personnel with personnel security responsibilities;organizational personnel with information security responsibilities PS-3(3)(a) "ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;" PS-3(3)(b) PS-3(3)(b)[1] "defines additional personnel screening criteria to be satisfied for individuals accessing an information system processing, storing, or transmitting information requiring special protection; and" PS-3(3)(b)[2] "ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection satisfy organization-defined additional personnel screening criteria."
PERSONNEL SECURITY PS-4 PERSONNEL TERMINATION "Determine if the organization, upon termination of individual employment:" Personnel security policy;procedures addressing personnel termination;records of personnel termination actions;list of information system accounts;records of terminated or revoked authenticators/credentials;records of exit interviews;other relevant documents or records Organizational processes for personnel termination;automated mechanisms supporting and/or implementing personnel termination notifications;automated mechanisms for disabling information system access/revoking authenticators Organizational personnel with personnel security responsibilities;organizational personnel with account management responsibilities;system/network administrators;organizational personnel with information security responsibilities PS-4(a) PS-4(a)[1] "defines a time period within which to disable information system access;" PS-4(a)[2] "disables information system access within the organization-defined time period;" PS-4(b) "terminates/revokes any authenticators/credentials associated with the individual;" PS-4(c) PS-4(c)[1] "defines information security topics to be discussed when conducting exit interviews;" PS-4(c)[2] "conducts exit interviews that include a discussion of organization-defined information security topics;" PS-4(d) "retrieves all security-related organizational information system-related property;" PS-4(e) "retains access to organizational information and information systems formerly controlled by the terminated individual;" PS-4(f) PS-4(f)[1] "defines personnel or roles to be notified of the termination;" PS-4(f)[2] "defines the time period within which to notify organization-defined personnel or roles; and" PS-4(f)[3] "notifies organization-defined personnel or roles within the organization-defined time period."
PERSONNEL SECURITY PS-4(1) POST-EMPLOYMENT REQUIREMENTS "Determine if the organization: " Personnel security policy;procedures addressing personnel termination;signed post-employment acknowledgement forms;list of applicable, legally binding post-employment requirements;other relevant documents or records Organizational processes for post-employment requirements Organizational personnel with personnel security responsibilities;organizational personnel with information security responsibilities PS-4(1)(a) "notifies terminated individuals of applicable, legally binding, post-employment requirements for the protection of organizational information; and" PS-4(1)(b) "requires terminated individuals to sign an acknowledgement of post-employment requirements as part of the organizational termination process." PERSONNEL SECURITY PS-4(2) AUTOMATED NOTIFICATION "Determine if the organization: " Personnel security policy;procedures addressing personnel termination;information system design documentation;information system configuration settings and associated documentation;records of personnel termination actions;automated notifications of employee terminations;other relevant documents or records Organizational processes for personnel termination;automated mechanisms supporting and/or implementing personnel termination notifications Organizational personnel with personnel security responsibilities;organizational personnel with information security responsibilities PS-4(2)[1] "defines personnel or roles to be notified upon termination of an individual; and" PS-4(2)[2] "employs automated mechanisms to notify organization-defined personnel or roles upon termination of an individual." 
PERSONNEL SECURITY PS-5 PERSONNEL TRANSFER "Determine if the organization:" Personnel security policy;procedures addressing personnel transfer;security plan;records of personnel transfer actions;list of information system and facility access authorizations;other relevant documents or records Organizational processes for personnel transfer;automated mechanisms supporting and/or implementing personnel transfer notifications;automated mechanisms for disabling information system access/revoking authenticators Organizational personnel with personnel security responsibilities;organizational personnel with account management responsibilities;system/network administrators;organizational personnel with information security responsibilities PS-5(a) "when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:" PS-5(a)[1] "logical access authorizations to information systems;" PS-5(a)[2] "physical access authorizations to information systems and facilities;" PS-5(b) PS-5(b)[1] "defines transfer or reassignment actions to be initiated following transfer or reassignment;" PS-5(b)[2] "defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;" PS-5(b)[3] "initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;" PS-5(c) "modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;" PS-5(d) PS-5(d)[1] "defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;" PS-5(d)[2] "defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and" PS-5(d)[3] "notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization."
PERSONNEL SECURITY PS-6 ACCESS AGREEMENTS "Determine if the organization:" Personnel security policy;procedures addressing access agreements for organizational information and information systems;security plan;access agreements;records of access agreement reviews and updates;other relevant documents or records Organizational processes for access agreements;automated mechanisms supporting access agreements Organizational personnel with personnel security responsibilities;organizational personnel who have signed/re-signed access agreements;organizational personnel with information security responsibilities PS-6(a) "develops and documents access agreements for organizational information systems;" PS-6(b) PS-6(b)[1] "defines the frequency to review and update the access agreements;" PS-6(b)[2] "reviews and updates the access agreements with the organization-defined frequency;" PS-6(c) PS-6(c)(1) "ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;" PS-6(c)(2) PS-6(c)(2)[1] "defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;" PS-6(c)(2)[2] "ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency."
PERSONNEL SECURITY PS-6(1) INFORMATION REQUIRING SPECIAL PROTECTION "[Withdrawn: Incorporated into PS-3]."
PERSONNEL SECURITY PS-6(2) CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION "Determine if the organization ensures that access to classified information requiring special protection is granted only to individuals who:" Personnel security policy;procedures addressing access agreements for organizational information and information systems;access agreements;access authorizations;personnel security criteria;signed nondisclosure agreements;other relevant documents or records Organizational processes for access to classified information requiring special protection Organizational personnel with personnel security responsibilities;organizational personnel who have signed nondisclosure agreements;organizational personnel with information security responsibilities PS-6(2)(a) "have a valid access authorization that is demonstrated by assigned official government duties;" PS-6(2)(b) "satisfy associated personnel security criteria; and" PS-6(2)(c) "have read, understood, and signed a nondisclosure agreement." 
PERSONNEL SECURITY PS-6(3) POST-EMPLOYMENT REQUIREMENTS "Determine if the organization:" Personnel security policy;procedures addressing access agreements for organizational information and information systems;signed post-employment acknowledgement forms;access agreements;list of applicable, legally binding post-employment requirements;other relevant documents or records Organizational processes for post-employment requirements;automated mechanisms supporting notifications and individual acknowledgements of post-employment requirements Organizational personnel with personnel security responsibilities;organizational personnel who have signed access agreements that include post-employment requirements;organizational personnel with information security responsibilities PS-6(3)(a) "notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and" PS-6(3)(b) "requires individuals to sign an acknowledgement of these requirements, if applicable, as part of granting initial access to covered information." 
PERSONNEL SECURITY PS-7 THIRD-PARTY PERSONNEL SECURITY "Determine if the organization:" Personnel security policy;procedures addressing third-party personnel security;list of personnel security requirements;acquisition documents;service-level agreements;compliance monitoring process;other relevant documents or records Organizational processes for managing and monitoring third-party personnel security;automated mechanisms supporting and/or implementing monitoring of provider compliance Organizational personnel with personnel security responsibilities;third-party providers;system/network administrators;organizational personnel with account management responsibilities;organizational personnel with information security responsibilities PS-7(a) "establishes personnel security requirements, including security roles and responsibilities, for third-party providers;" PS-7(b) "requires third-party providers to comply with personnel security policies and procedures established by the organization;" PS-7(c) "documents personnel security requirements;" PS-7(d) PS-7(d)[1] "defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;" PS-7(d)[2] "defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges;" PS-7(d)[3] "requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges; and" PS-7(e) "monitors provider compliance." 
PERSONNEL SECURITY PS-8 PERSONNEL SANCTIONS "Determine if the organization:" Personnel security policy;procedures addressing personnel sanctions;rules of behavior;records of formal sanctions;other relevant documents or records Organizational processes for managing personnel sanctions;automated mechanisms supporting and/or implementing notifications Organizational personnel with personnel security responsibilities;organizational personnel with information security responsibilities PS-8(a) "employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;" PS-8(b) PS-8(b)[1] "defines personnel or roles to be notified when a formal employee sanctions process is initiated;" PS-8(b)[2] "defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and" PS-8(b)[3] "notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction." 
RISK ASSESSMENT RA-1 RISK ASSESSMENT POLICY AND PROCEDURES "Determine if the organization:" Risk assessment policy and procedures;other relevant documents or records Organizational personnel with risk assessment responsibilities;organizational personnel with information security responsibilities RA-1(a)(1) RA-1(a)(1)[1] "develops and documents a risk assessment policy that addresses:" RA-1(a)(1)[1][a] "purpose;" RA-1(a)(1)[1][b] "scope;" RA-1(a)(1)[1][c] "roles;" RA-1(a)(1)[1][d] "responsibilities;" RA-1(a)(1)[1][e] "management commitment;" RA-1(a)(1)[1][f] "coordination among organizational entities;" RA-1(a)(1)[1][g] "compliance;" RA-1(a)(1)[2] "defines personnel or roles to whom the risk assessment policy is to be disseminated;" RA-1(a)(1)[3] "disseminates the risk assessment policy to organization-defined personnel or roles;" RA-1(a)(2) RA-1(a)(2)[1] "develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;" RA-1(a)(2)[2] "defines personnel or roles to whom the procedures are to be disseminated;" RA-1(a)(2)[3] "disseminates the procedures to organization-defined personnel or roles;" RA-1(b)(1) RA-1(b)(1)[1] "defines the frequency to review and update the current risk assessment policy;" RA-1(b)(1)[2] "reviews and updates the current risk assessment policy with the organization-defined frequency;" RA-1(b)(2) RA-1(b)(2)[1] "defines the frequency to review and update the current risk assessment procedures; and" RA-1(b)(2)[2] "reviews and updates the current risk assessment procedures with the organization-defined frequency."
RISK ASSESSMENT RA-2 SECURITY CATEGORIZATION "Determine if the organization:" Risk assessment policy;security planning policy and procedures;procedures addressing security categorization of organizational information and information systems;security plan;security categorization documentation;other relevant documents or records Organizational processes for security categorization Organizational personnel with security categorization and risk assessment responsibilities;organizational personnel with information security responsibilities RA-2(a) "categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;" RA-2(b) "documents the security categorization results (including supporting rationale) in the security plan for the information system; and" RA-2(c) "ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision." 
RISK ASSESSMENT RA-3 RISK ASSESSMENT "Determine if the organization:" Risk assessment policy;security planning policy and procedures;procedures addressing organizational assessments of risk;security plan;risk assessment;risk assessment results;risk assessment reviews;risk assessment updates;other relevant documents or records Organizational processes for risk assessment;automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment Organizational personnel with risk assessment responsibilities;organizational personnel with information security responsibilities RA-3(a) "conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:" RA-3(a)[1] "the information system;" RA-3(a)[2] "the information the system processes, stores, or transmits;" RA-3(b) RA-3(b)[1] "defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);" RA-3(b)[2] "documents risk assessment results in one of the following:" RA-3(b)[2][a] "the security plan;" RA-3(b)[2][b] "the risk assessment report; or" RA-3(b)[2][c] "the organization-defined document;" RA-3(c) RA-3(c)[1] "defines the frequency to review risk assessment results;" RA-3(c)[2] "reviews risk assessment results with the organization-defined frequency;" RA-3(d) RA-3(d)[1] "defines personnel or roles to whom risk assessment results are to be disseminated;" RA-3(d)[2] "disseminates risk assessment results to organization-defined personnel or roles;" RA-3(e) RA-3(e)[1] "defines the frequency to update the risk assessment;" RA-3(e)[2] "updates the risk assessment:" RA-3(e)[2][a] "with the organization-defined frequency;" RA-3(e)[2][b] "whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and" RA-3(e)[2][c] "whenever there are other conditions that may impact the security state of the system."
RISK ASSESSMENT RA-4 RISK ASSESSMENT UPDATE "[Withdrawn: Incorporated into RA-3]."
RISK ASSESSMENT RA-5 VULNERABILITY SCANNING "Determine if the organization:" Risk assessment policy;procedures addressing vulnerability scanning;risk assessment;security plan;security assessment report;vulnerability scanning tools and associated configuration documentation;vulnerability scanning results;patch and vulnerability management records;other relevant documents or records Organizational processes for vulnerability scanning, analysis, remediation, and information sharing;automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities;organizational personnel with vulnerability scan analysis responsibilities;organizational personnel with vulnerability remediation responsibilities;organizational personnel with information security responsibilities;system/network administrators RA-5(a) RA-5(a)[1] RA-5(a)[1][a] "defines the frequency for conducting vulnerability scans on the information system and hosted applications; and/or" RA-5(a)[1][b] "defines the process for conducting random vulnerability scans on the information system and hosted applications;" RA-5(a)[2] "in accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in:" RA-5(a)[2][a] "the information system;" RA-5(a)[2][b] "hosted applications;" RA-5(a)[3] "when new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in:" RA-5(a)[3][a] "the information system;" RA-5(a)[3][b] "hosted applications;" RA-5(b) "employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:" RA-5(b)(1) RA-5(b)(1)[1] "enumerating platforms;" RA-5(b)(1)[2] "enumerating software flaws;" RA-5(b)(1)[3] "enumerating improper configurations;" RA-5(b)(2) RA-5(b)(2)[1] "formatting checklists;" RA-5(b)(2)[2] "formatting test procedures;" RA-5(b)(3) "measuring vulnerability impact;" RA-5(c) RA-5(c)[1] "analyzes vulnerability scan reports;" RA-5(c)[2] "analyzes results from security control assessments;" RA-5(d) RA-5(d)[1] "defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;" RA-5(d)[2] "remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;" RA-5(e) RA-5(e)[1] "defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;" RA-5(e)[2] "shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and" RA-5(e)[3] "shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."
RISK ASSESSMENT RA-5(1) UPDATE TOOL CAPABILITY "Determine if the organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned." Procedures addressing vulnerability scanning;security plan;security assessment report;vulnerability scanning tools and associated configuration documentation;vulnerability scanning results;patch and vulnerability management records;other relevant documents or records Organizational processes for vulnerability scanning;automated mechanisms/tools supporting and/or implementing vulnerability scanning Organizational personnel with vulnerability scanning responsibilities;organizational personnel with information security responsibilities
RISK ASSESSMENT RA-5(2) UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED "Determine if the organization:" Procedures addressing vulnerability scanning;security plan;security assessment report;vulnerability scanning tools and associated configuration documentation;vulnerability scanning results;patch and vulnerability management records;other relevant documents or records Organizational processes for vulnerability scanning;automated mechanisms/tools supporting and/or implementing vulnerability scanning Organizational personnel with vulnerability scanning responsibilities;organizational personnel with vulnerability scan analysis responsibilities;organizational personnel with information security responsibilities;system/network administrators RA-5(2)[1] "defines the frequency to update the information system vulnerabilities scanned;" RA-5(2)[2] "updates the information system vulnerabilities scanned one or more of the following:" RA-5(2)[2][a] "with the organization-defined frequency;" RA-5(2)[2][b] "prior to a new scan; and/or" RA-5(2)[2][c] "when new vulnerabilities are identified and reported."
RISK ASSESSMENT RA-5(3) BREADTH / DEPTH OF COVERAGE "Determine if the organization employs vulnerability scanning procedures that can identify:" Procedures addressing vulnerability scanning;security plan;security assessment report;vulnerability scanning tools and associated configuration documentation;vulnerability scanning results;patch and vulnerability management records;other relevant documents or records Organizational processes for vulnerability scanning;automated mechanisms/tools supporting and/or implementing vulnerability scanning Organizational personnel with vulnerability scanning responsibilities;organizational personnel with vulnerability scan analysis responsibilities;organizational personnel with information security responsibilities RA-5(3)[1] "the breadth of coverage (i.e., information system components scanned); and" RA-5(3)[2] "the depth of coverage (i.e., vulnerabilities checked)." RISK ASSESSMENT RA-5(4) DISCOVERABLE INFORMATION "Determine if the organization:" Procedures addressing vulnerability scanning;security assessment report;penetration test results;vulnerability scanning results;risk assessment report;records of corrective actions taken;incident response records;audit records;other relevant documents or records Organizational processes for vulnerability scanning;organizational processes for risk response;organizational processes for incident management and response;automated mechanisms/tools supporting and/or implementing vulnerability scanning;automated mechanisms supporting and/or implementing risk response;automated mechanisms supporting and/or implementing incident management and response Organizational personnel with vulnerability scanning and/or penetration testing responsibilities;organizational personnel with vulnerability scan analysis responsibilities;organizational personnel responsible for risk response;organizational personnel responsible for incident management and response;organizational personnel with information 
security responsibilities RA-5(4)[1] "defines corrective actions to be taken if information about the information system is discoverable by adversaries;" RA-5(4)[2] "determines what information about the information system is discoverable by adversaries; and" RA-5(4)[3] "subsequently takes organization-defined corrective actions." RISK ASSESSMENT RA-5(5) PRIVILEGED ACCESS "Determine if:" Risk assessment policy;procedures addressing vulnerability scanning;security plan;information system design documentation;information system configuration settings and associated documentation;list of information system components for vulnerability scanning;personnel access authorization list;authorization credentials;access authorization records;other relevant documents or records Organizational processes for vulnerability scanning;organizational processes for access control;automated mechanisms supporting and/or implementing access control;automated mechanisms/tools supporting and/or implementing vulnerability scanning Organizational personnel with vulnerability scanning responsibilities;system/network administrators;organizational personnel responsible for access control to the information system;organizational personnel responsible for configuration management of the information system;system developers;organizational personnel with information security responsibilities RA-5(5)[1] "the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;" RA-5(5)[2] "the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and" RA-5(5)[3] "the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities." 
RISK ASSESSMENT RA-5(6) AUTOMATED TREND ANALYSES "Determine if the organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities." Risk assessment policy;procedures addressing vulnerability scanning;information system design documentation;vulnerability scanning tools and techniques documentation;vulnerability scanning results;other relevant documents or records Organizational processes for vulnerability scanning;automated mechanisms/tools supporting and/or implementing vulnerability scanning;automated mechanisms supporting and/or implementing trend analysis of vulnerability scan results Organizational personnel with vulnerability scanning responsibilities;organizational personnel with vulnerability scan analysis responsibilities;organizational personnel with information security responsibilities RISK ASSESSMENT RA-5(7) AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS "[Withdrawn: Incorporated into CM-8]." RISK ASSESSMENT RA-5(8) REVIEW HISTORIC AUDIT LOGS "Determine if the organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited." Risk assessment policy;procedures addressing vulnerability scanning;audit logs;records of audit log reviews;vulnerability scanning results;patch and vulnerability management records;other relevant documents or records Organizational processes for vulnerability scanning;organizational process for audit record review and response;automated mechanisms/tools supporting and/or implementing vulnerability scanning;automated mechanisms supporting and/or implementing audit record review Organizational personnel with vulnerability scanning responsibilities;organizational personnel with vulnerability scan analysis responsibilities;organizational personnel with audit record review responsibilities;system/network administrators;organizational personnel with information security responsibilities RISK ASSESSMENT RA-5(9) PENETRATION TESTING AND ANALYSES "[Withdrawn: Incorporated into CA-8]." RISK ASSESSMENT RA-5(10) CORRELATE SCANNING INFORMATION "Determine if the organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors. 
" Risk assessment policy;procedures addressing vulnerability scanning;risk assessment;security plan;vulnerability scanning tools and techniques documentation;vulnerability scanning results;vulnerability management records;audit records;event/vulnerability correlation logs;other relevant documents or records Organizational processes for vulnerability scanning;automated mechanisms/tools supporting and/or implementing vulnerability scanning;automated mechanisms implementing correlation of vulnerability scan results Organizational personnel with vulnerability scanning responsibilities;organizational personnel with vulnerability scan analysis responsibilities;organizational personnel with information security responsibilities RISK ASSESSMENT RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY "Determine if the organization:" Risk assessment policy;procedures addressing technical surveillance countermeasures surveys;security plan;audit records/event logs;other relevant documents or records Organizational processes for technical surveillance countermeasures surveys;automated mechanisms/tools supporting and/or implementing technical surveillance countermeasures surveys Organizational personnel with technical surveillance countermeasures surveys responsibilities;system/network administrators;organizational personnel with information security responsibilities RA-6[1] "defines locations to employ technical surveillance countermeasure surveys;" RA-6[2] "defines a frequency to employ technical surveillance countermeasure surveys;" RA-6[3] "defines events or indicators which, if they occur, trigger a technical surveillance countermeasures survey;" RA-6[4] "employs a technical surveillance countermeasures survey at organization-defined locations one or more of the following:" RA-6[4][a] "with the organization-defined frequency; and/or" RA-6[4][b] "when organization-defined events or indicators occur." 
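The RA-5 procedures above ask an assessor to verify three things an organization usually proves with tooling rather than paperwork: that scan output uses standard identifiers for platforms, flaws and impact (RA-5(b)), that legitimate findings are remediated within organization-defined response times (RA-5(d)), that scans are compared over time for trends (RA-5(6)), and that scan output is correlated to expose multi-hop attack vectors (RA-5(10)). The following is an added illustration, not part of SP 800-53A and not any scanner's code. It assumes a SCAP-style export in which each finding carries a CPE string for the platform, a CVE identifier for the flaw and a CVSS base score for impact; the two scan snapshots, the CVE/CPE strings, the reachability map and the severity-to-response-time table are all constructed placeholders for this example, not values the control prescribes.

```python
"""Added worked example for RA-5(b)/(d), RA-5(6) and RA-5(10).

Everything below is constructed for illustration: the findings, the CVE/CPE
strings, the network reachability map and the response-time bands are
assumptions, not data or requirements taken from SP 800-53A.
"""
from collections import deque
from datetime import date

# Constructed findings in the shape a SCAP-style scanner export might take:
# CPE names the platform, CVE names the software flaw, CVSS scores the impact,
# "vector" records whether the flaw is reachable over the network or only locally.
# The CVE-0000-* and cpe:...:example:* values are placeholders, not real entries.
SCAN_T0 = {
    "date": date(2024, 1, 10),
    "findings": [
        {"host": "web01", "cpe": "cpe:2.3:a:example:httpd:2.4:*:*:*:*:*:*:*",
         "cve": "CVE-0000-0001", "cvss": 9.8, "vector": "network"},
        {"host": "web01", "cpe": "cpe:2.3:o:example:linux:5.10:*:*:*:*:*:*:*",
         "cve": "CVE-0000-0002", "cvss": 7.8, "vector": "local"},
        {"host": "app01", "cpe": "cpe:2.3:a:example:appserver:9:*:*:*:*:*:*:*",
         "cve": "CVE-0000-0003", "cvss": 8.1, "vector": "network"},
        {"host": "db01", "cpe": "cpe:2.3:a:example:dbms:14:*:*:*:*:*:*:*",
         "cve": "CVE-0000-0004", "cvss": 5.3, "vector": "network"},
    ],
}
SCAN_T1 = {
    "date": date(2024, 2, 20),
    "findings": [
        # CVE-0000-0001 on web01 was fixed since T0; three persist; one is new.
        {"host": "web01", "cpe": "cpe:2.3:o:example:linux:5.10:*:*:*:*:*:*:*",
         "cve": "CVE-0000-0002", "cvss": 7.8, "vector": "local"},
        {"host": "app01", "cpe": "cpe:2.3:a:example:appserver:9:*:*:*:*:*:*:*",
         "cve": "CVE-0000-0003", "cvss": 8.1, "vector": "network"},
        {"host": "db01", "cpe": "cpe:2.3:a:example:dbms:14:*:*:*:*:*:*:*",
         "cve": "CVE-0000-0004", "cvss": 5.3, "vector": "network"},
        {"host": "db01", "cpe": "cpe:2.3:o:example:linux:5.10:*:*:*:*:*:*:*",
         "cve": "CVE-0000-0005", "cvss": 4.3, "vector": "local"},
    ],
}

# Assumed organization-defined response times in days, keyed by the lowest CVSS
# score of each band (RA-5(d)[1]). Real values come from the risk assessment.
RESPONSE_DAYS = [(9.0, 15), (7.0, 30), (4.0, 90), (0.0, 180)]

# Constructed network reachability used for correlation (RA-5(10)); a scanner
# alone does not know this, it comes from the system's architecture documentation.
REACH = {"internet": ["web01"], "web01": ["app01"], "app01": ["db01"], "db01": []}


def response_days(cvss):
    """Map a CVSS base score onto the assumed remediation window."""
    for threshold, days in RESPONSE_DAYS:
        if cvss >= threshold:
            return days
    return RESPONSE_DAYS[-1][1]


def finding_key(finding):
    """A finding is identified by (host, CVE) so two scans can be compared."""
    return (finding["host"], finding["cve"])


def trend(prev, curr):
    """RA-5(6): compare two scans and classify every finding as new, remediated or persistent."""
    before = {finding_key(f) for f in prev["findings"]}
    after = {finding_key(f) for f in curr["findings"]}
    return {"new": sorted(after - before),
            "remediated": sorted(before - after),
            "persistent": sorted(before & after)}


def overdue(prev, curr):
    """RA-5(d)[2]: persistent findings whose age exceeds the window for their score.
    Age is measured from the earlier scan, i.e. the first date we can prove detection."""
    age = (curr["date"] - prev["date"]).days
    persistent = set(trend(prev, curr)["persistent"])
    return sorted(finding_key(f) for f in curr["findings"]
                  if finding_key(f) in persistent and age > response_days(f["cvss"]))


def multi_hop_paths(scan, reach, entry="internet", min_hops=2):
    """RA-5(10): chain hosts that each carry a network-reachable flaw.
    Every host after the entry must have at least one network-vector finding, so each
    hop is a step an attacker could take; only paths of at least min_hops are reported."""
    exploitable = {f["host"] for f in scan["findings"] if f["vector"] == "network"}
    paths, queue = [], deque([[entry]])
    while queue:
        path = queue.popleft()
        for nxt in reach.get(path[-1], []):
            if nxt in path or nxt not in exploitable:
                continue
            extended = path + [nxt]
            if len(extended) - 1 >= min_hops:
                paths.append(extended)
            queue.append(extended)
    return paths


if __name__ == "__main__":
    print("trend:", trend(SCAN_T0, SCAN_T1))
    print("overdue:", overdue(SCAN_T0, SCAN_T1))
    print("multi-hop at T0:", multi_hop_paths(SCAN_T0, REACH))
    print("multi-hop at T1:", multi_hop_paths(SCAN_T1, REACH))
```

Two things the run makes visible that the assessment text only names: first, between the two constructed scans the 7.8 and 8.1 findings on web01 and app01 have outlived their 30-day window and are reported as overdue while the 5.3 finding on db01 is still inside its 90-day window, which is the evidence an assessor examining "patch and vulnerability management records" is looking for under RA-5(d). Second, at T0 the scanner's per-host output correlates into a three-hop chain from the internet through web01 and app01 to db01; at T1, after only the edge host's network-reachable flaw was fixed, no chain remains even though the interior flaws persist. That is exactly the kind of conclusion RA-5(10) expects, and one that no single-host report can show.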
SYSTEM AND SERVICES ACQUISITION SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES "Determine if the organization:" System and services acquisition policy and procedures;other relevant documents or records Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities SA-1(a)(1) SA-1(a)(1)[1] "develops and documents a system and services acquisition policy that addresses:" SA-1(a)(1)[1][a] "purpose;" SA-1(a)(1)[1][b] "scope;" SA-1(a)(1)[1][c] "roles;" SA-1(a)(1)[1][d] "responsibilities;" SA-1(a)(1)[1][e] "management commitment;" SA-1(a)(1)[1][f] "coordination among organizational entities;" SA-1(a)(1)[1][g] "compliance;" SA-1(a)(1)[2] "defines personnel or roles to whom the system and services acquisition policy is to be disseminated;" SA-1(a)(1)[3] "disseminates the system and services acquisition policy to organization-defined personnel or roles;" SA-1(a)(2) SA-1(a)(2)[1] "develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;" SA-1(a)(2)[2] "defines personnel or roles to whom the procedures are to be disseminated;" SA-1(a)(2)[3] "disseminates the procedures to organization-defined personnel or roles;" SA-1(b)(1) SA-1(b)(1)[1] "defines the frequency to review and update the current system and services acquisition policy;" SA-1(b)(1)[2] "reviews and updates the current system and services acquisition policy with the organization-defined frequency;" SA-1(b)(2) SA-1(b)(2)[1] "defines the frequency to review and update the current system and services acquisition procedures; and" SA-1(b)(2)[2] "reviews and updates the current system and services acquisition procedures with the organization-defined frequency." 
SYSTEM AND SERVICES ACQUISITION SA-2 ALLOCATION OF RESOURCES "Determine if the organization:" System and services acquisition policy;procedures addressing the allocation of resources to information security requirements;procedures addressing capital planning and investment control;organizational programming and budgeting documentation;other relevant documents or records Organizational processes for determining information security requirements;organizational processes for capital planning, programming, and budgeting;automated mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities;organizational personnel responsible for determining information security requirements for information systems/services;organizational personnel with information security responsibilities SA-2(a) "determines information security requirements for the information system or information system service in mission/business process planning;" SA-2(b) "to protect the information system or information system service as part of its capital planning and investment control process:" SA-2(b)[1] "determines the resources required;" SA-2(b)[2] "documents the resources required;" SA-2(b)[3] "allocates the resources required; and" SA-2(c) "establishes a discrete line item for information security in organizational programming and budgeting documentation." 
SYSTEM AND SERVICES ACQUISITION SA-3 SYSTEM DEVELOPMENT LIFE CYCLE "Determine if the organization:" System and services acquisition policy;procedures addressing the integration of information security into the system development life cycle process;information system development life cycle documentation;information security risk management strategy/program documentation;other relevant documents or records Organizational processes for defining and documenting the SDLC;organizational processes for identifying SDLC roles and responsibilities;organizational process for integrating information security risk management into the SDLC;automated mechanisms supporting and/or implementing the SDLC Organizational personnel with information security and system life cycle development responsibilities;organizational personnel with information security risk management responsibilities;organizational personnel with information security responsibilities SA-3(a) SA-3(a)[1] "defines a system development life cycle that incorporates information security considerations to be used to manage the information system;" SA-3(a)[2] "manages the information system using the organization-defined system development life cycle;" SA-3(b) "defines and documents information security roles and responsibilities throughout the system development life cycle;" SA-3(c) "identifies individuals having information security roles and responsibilities; and" SA-3(d) "integrates the organizational information security risk management process into system development life cycle activities." 
SYSTEM AND SERVICES ACQUISITION SA-4 ACQUISITION PROCESS "Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:" System and services acquisition policy;procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process;acquisition contracts for the information system, system component, or information system service;information system design documentation;other relevant documents or records Organizational processes for determining information system security functional, strength, and assurance requirements;organizational processes for developing acquisition contracts;automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts Organizational personnel with acquisition/contracting responsibilities;organizational personnel with responsibility for determining information system security functional, strength, and assurance requirements;system/network administrators;organizational personnel with information security responsibilities SA-4(a) "security functional requirements;" SA-4(b) "security strength requirements;" SA-4(c) "security assurance requirements;" SA-4(d) "security-related documentation requirements;" SA-4(e) "requirements for protecting security-related documentation;" SA-4(f) "description of:" SA-4(f)[1] "the information system development environment;" SA-4(f)[2] "the environment in which the system is intended to operate; and" SA-4(g) "acceptance criteria." 
SYSTEM AND SERVICES ACQUISITION SA-4(1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS "Determine if the organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed." System and services acquisition policy;procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process;solicitation documents;acquisition documentation;acquisition contracts for the information system, system component, or information system services;other relevant documents or records Organizational processes for determining information system security functional requirements;organizational processes for developing acquisition contracts;automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts Organizational personnel with acquisition/contracting responsibilities;organizational personnel with responsibility for determining information system security functional requirements;information system developer or service provider;organizational personnel with information security responsibilities SYSTEM AND SERVICES ACQUISITION SA-4(2) DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS "Determine if the organization:" System and services acquisition policy;procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process;solicitation documents;acquisition documentation;acquisition contracts for the information system, system components, or information system services;design and implementation information for security controls employed in the information system, system component, or information system service;other relevant documents or records Organizational processes for determining level of detail for system design and security controls;organizational processes for 
developing acquisition contracts;automated mechanisms supporting and/or implementing development of system design details Organizational personnel with acquisition/contracting responsibilities;organizational personnel with responsibility for determining information system security requirements;information system developer or service provider;organizational personnel with information security responsibilities SA-4(2)[1] "defines level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;" SA-4(2)[2] "defines design/implementation information that the developer is to provide for the security controls to be employed (if selected);" SA-4(2)[3] "requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:" SA-4(2)[3][a] "security-relevant external system interfaces;" SA-4(2)[3][b] "high-level design;" SA-4(2)[3][c] "low-level design;" SA-4(2)[3][d] "source code;" SA-4(2)[3][e] "hardware schematics; and/or" SA-4(2)[3][f] "organization-defined design/implementation information." 
SYSTEM AND SERVICES ACQUISITION SA-4(3) DEVELOPMENT METHODS / TECHNIQUES / PRACTICES "Determine if the organization:" System and services acquisition policy;procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process;solicitation documents;acquisition documentation;acquisition contracts for the information system, system component, or information system service;list of system/security engineering methods to be included in developer’s system development life cycle process;list of software development methods to be included in developer’s system development life cycle process;list of testing/evaluation/validation techniques to be included in developer’s system development life cycle process;list of quality control processes to be included in developer’s system development life cycle process;other relevant documents or records Organizational processes for development methods, techniques, and processes Organizational personnel with acquisition/contracting responsibilities;organizational personnel with responsibility for determining information system security requirements;organizational personnel with information security and system life cycle responsibilities;information system developer or service provider SA-4(3)[1] "defines state-of-the-practice system/security engineering methods to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;" SA-4(3)[2] "defines software development methods to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;" SA-4(3)[3] "defines testing/evaluation/validation techniques to be included in the system development life cycle employed by the developer of the information system, system component, or information system service;" SA-4(3)[4] "defines quality control processes to 
be included in the system development life cycle employed by the developer of the information system, system component, or information system service;" SA-4(3)[5] "requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes:" SA-4(3)[5][a] "organization-defined state-of-the-practice system/security engineering methods;" SA-4(3)[5][b] "organization-defined software development methods;" SA-4(3)[5][c] "organization-defined testing/evaluation/validation techniques; and" SA-4(3)[5][d] "organization-defined quality control processes." SYSTEM AND SERVICES ACQUISITION SA-4(4) ASSIGNMENT OF COMPONENTS TO SYSTEMS "[Withdrawn: Incorporated into CM-8(9)]." SYSTEM AND SERVICES ACQUISITION SA-4(5) SYSTEM / COMPONENT / SERVICE CONFIGURATIONS "Determine if the organization:" System and services acquisition policy;procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process;solicitation documents;acquisition documentation;acquisition contracts for the information system, system component, or information system service;security configurations to be implemented by developer of the information system, system component, or information system service;service-level agreements;other relevant documents or records Automated mechanisms used to verify that the configuration of the information system, component, or service, as delivered, is as specified Organizational personnel with acquisition/contracting responsibilities;organizational personnel with responsibility for determining information system security requirements;information system developer or service provider;organizational personnel with information security responsibilities SA-4(5)(a) SA-4(5)(a)[1] "defines security configurations to be implemented by the developer of the information system, system component, or information system service;" 
SA-4(5)(a)[2] "requires the developer of the information system, system component, or information system service to deliver the system, component, or service with organization-defined security configurations implemented; and" SA-4(5)(b) "requires the developer of the information system, system component, or information system service to use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade." SYSTEM AND SERVICES ACQUISITION SA-4(6) USE OF INFORMATION ASSURANCE PRODUCTS "Determine if the organization:" System and services acquisition policy;procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process;solicitation documents;acquisition documentation;acquisition contracts for the information system, system component, or information system service;security configurations to be implemented by developer of the information system, system component, or information system service;service-level agreements;other relevant documents or records Organizational processes for selecting and employing evaluated and/or validated information assurance products and services that compose an NSA-approved solution to protect classified information Organizational personnel with acquisition/contracting responsibilities;organizational personnel with responsibility for determining information system security requirements;organizational personnel responsible for ensuring information assurance products are NSA-approved and are evaluated and/or validated products in accordance with NSA-approved procedures;organizational personnel with information security responsibilities SA-4(6)(a) "employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower 
classification level than the information being transmitted; and" SA-4(6)(b) "ensures that these products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures." SYSTEM AND SERVICES ACQUISITION SA-4(7) NIAP-APPROVED PROTECTION PROFILES "Determine if the organization:" System and services acquisition policy;procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process;solicitation documents;acquisition documentation;acquisition contracts for the information system, system component, or information system service;NIAP-approved protection profiles;FIPS-validation information for cryptographic functionality;other relevant documents or records Organizational processes for selecting and employing products/services evaluated against a NIAP-approved protection profile or FIPS-validated products Organizational personnel with acquisition/contracting responsibilities;organizational personnel with responsibility for determining information system security requirements;organizational personnel responsible for ensuring information assurance products have been evaluated against a NIAP-approved protection profile or for ensuring products relying on cryptographic functionality are FIPS-validated;organizational personnel with information security responsibilities SA-4(7)(a) "limits the use of commercially-provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and" SA-4(7)(b) "requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated." 
SYSTEM AND SERVICES ACQUISITION SA-4(8) CONTINUOUS MONITORING PLAN "Determine if the organization:" System and services acquisition policy;procedures addressing developer continuous monitoring plans;procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process;developer continuous monitoring plans;security assessment plans;acquisition contracts for the information system, system component, or information system service;acquisition documentation;solicitation documentation;service-level agreements;other relevant documents or records Vendor processes for continuous monitoring;automated mechanisms supporting and/or implementing developer continuous monitoring Organizational personnel with acquisition/contracting responsibilities;organizational personnel with responsibility for determining information system security requirements;information system developers;organizational personnel with information security responsibilities SA-4(8)[1] "defines the level of detail the developer of the information system, system component, or information system service is required to provide when producing a plan for the continuous monitoring of security control effectiveness; and" SA-4(8)[2] "requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains the organization-defined level of detail." 
SYSTEM AND SERVICES ACQUISITION: SA-4(9) FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE
Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:
  SA-4(9)[1] the functions intended for organizational use;
  SA-4(9)[2] the ports intended for organizational use;
  SA-4(9)[3] the protocols intended for organizational use; and
  SA-4(9)[4] the services intended for organizational use.
EXAMINE: System and services acquisition policy; procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process; information system design documentation; information system documentation including functions, ports, protocols, and services intended for organizational use; acquisition contracts for information systems or services; acquisition documentation; solicitation documentation; service-level agreements; organizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services; other relevant documents or records
INTERVIEW: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with responsibility for determining information system security requirements; system/network administrators; organizational personnel operating, using, and/or maintaining the information system; information system developers; organizational personnel with information security responsibilities

SYSTEM AND SERVICES ACQUISITION: SA-4(10) USE OF APPROVED PIV PRODUCTS
Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
EXAMINE: System and services acquisition policy; procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process; solicitation documentation; acquisition documentation; acquisition contracts for the information system, system component, or information system service; service-level agreements; other relevant documents or records
TEST: Organizational processes for selecting and employing FIPS 201-approved products
INTERVIEW: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with responsibility for determining information system security requirements; organizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented; organizational personnel with information security responsibilities

SYSTEM AND SERVICES ACQUISITION: SA-5 INFORMATION SYSTEM DOCUMENTATION
Determine if the organization:
  SA-5(a) obtains administrator documentation for the information system, system component, or information system service that describes:
    SA-5(a)(1)
      SA-5(a)(1)[1] secure configuration of the system, system component, or service;
      SA-5(a)(1)[2] secure installation of the system, system component, or service;
      SA-5(a)(1)[3] secure operation of the system, system component, or service;
    SA-5(a)(2)
      SA-5(a)(2)[1] effective use of the security features/mechanisms;
      SA-5(a)(2)[2] effective maintenance of the security features/mechanisms;
    SA-5(a)(3) known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
  SA-5(b) obtains user documentation for the information system, system component, or information system service that describes:
    SA-5(b)(1)
      SA-5(b)(1)[1] user-accessible security functions/mechanisms;
      SA-5(b)(1)[2] how to effectively use those functions/mechanisms;
    SA-5(b)(2) methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;
    SA-5(b)(3) user responsibilities in maintaining the security of the system, component, or service;
  SA-5(c)
    SA-5(c)[1] defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;
    SA-5(c)[2] documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;
    SA-5(c)[3] takes organization-defined actions in response;
  SA-5(d) protects documentation as required, in accordance with the risk management strategy;
  SA-5(e)
    SA-5(e)[1] defines personnel or roles to whom documentation is to be distributed; and
    SA-5(e)[2] distributes documentation to organization-defined personnel or roles.
EXAMINE: System and services acquisition policy; procedures addressing information system documentation; information system documentation including administrator and user guides; records documenting attempts to obtain unavailable or nonexistent information system documentation; list of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation; risk management strategy documentation; other relevant documents or records
TEST: Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation
INTERVIEW: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with responsibility for determining information system security requirements; system administrators; organizational personnel operating, using, and/or maintaining the information system; information system developers; organizational personnel with information security responsibilities

SYSTEM AND SERVICES ACQUISITION: SA-5(1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
[Withdrawn: Incorporated into SA-4(1)].
SYSTEM AND SERVICES ACQUISITION: SA-5(2) SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES
[Withdrawn: Incorporated into SA-4(2)].

SYSTEM AND SERVICES ACQUISITION: SA-5(3) HIGH-LEVEL DESIGN
[Withdrawn: Incorporated into SA-4(2)].

SYSTEM AND SERVICES ACQUISITION: SA-5(4) LOW-LEVEL DESIGN
[Withdrawn: Incorporated into SA-4(2)].

SYSTEM AND SERVICES ACQUISITION: SA-5(5) SOURCE CODE
[Withdrawn: Incorporated into SA-4(2)].

SYSTEM AND SERVICES ACQUISITION: SA-6 SOFTWARE USAGE RESTRICTIONS
[Withdrawn: Incorporated into CM-10 and SI-7].

SYSTEM AND SERVICES ACQUISITION: SA-7 USER-INSTALLED SOFTWARE
[Withdrawn: Incorporated into CM-11 and SI-7].

SYSTEM AND SERVICES ACQUISITION: SA-8 SECURITY ENGINEERING PRINCIPLES
Determine if the organization applies information system security engineering principles in:
  SA-8[1] the specification of the information system;
  SA-8[2] the design of the information system;
  SA-8[3] the development of the information system;
  SA-8[4] the implementation of the information system; and
  SA-8[5] the modification of the information system.
EXAMINE: System and services acquisition policy; procedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the information system; information system design documentation; information security requirements and specifications for the information system; other relevant documents or records
TEST: Organizational processes for applying security engineering principles in information system specification, design, development, implementation, and modification; automated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification
INTERVIEW: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with responsibility for determining information system security requirements; organizational personnel with information system specification, design, development, implementation, and modification responsibilities; information system developers; organizational personnel with information security responsibilities

SYSTEM AND SERVICES ACQUISITION: SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
Determine if the organization:
  SA-9(a)
    SA-9(a)[1] defines security controls to be employed by providers of external information system services;
    SA-9(a)[2] requires that providers of external information system services comply with organizational information security requirements;
    SA-9(a)[3] requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  SA-9(b)
    SA-9(b)[1] defines and documents government oversight with regard to external information system services;
    SA-9(b)[2] defines and documents user roles and responsibilities with regard to external information system services;
  SA-9(c)
    SA-9(c)[1] defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and
    SA-9(c)[2] employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.
EXAMINE: System and services acquisition policy; procedures addressing external information system services; procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services; acquisition contracts; service-level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; other relevant documents or records
TEST: Organizational processes for monitoring security control compliance by external service providers on an ongoing basis; automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; external providers of information system services; organizational personnel with information security responsibilities

SYSTEM AND SERVICES ACQUISITION: SA-9(1) RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS
Determine if the organization:
  SA-9(1)(a) conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services;
  SA-9(1)(b)
    SA-9(1)(b)[1] defines personnel or roles designated to approve the acquisition or outsourcing of dedicated information security services; and
    SA-9(1)(b)[2] ensures that the acquisition or outsourcing of dedicated information security services is approved by organization-defined personnel or roles.
EXAMINE: System and services acquisition policy; procedures addressing external information system services; acquisition documentation; acquisition contracts for the information system, system component, or information system service; risk assessment reports; approval records for acquisition or outsourcing of dedicated information security services; other relevant documents or records
TEST: Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated information security services; organizational processes for approving the outsourcing of dedicated information security services; automated mechanisms supporting and/or implementing risk assessment; automated mechanisms supporting and/or implementing approval processes
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information system security responsibilities; external providers of information system services; organizational personnel with information security responsibilities
SYSTEM AND SERVICES ACQUISITION: SA-9(2) IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES
Determine if the organization:
  SA-9(2)[1] defines external information system services for which providers of such services are to identify the functions, ports, protocols, and other services required for the use of such services;
  SA-9(2)[2] requires providers of organization-defined external information system services to identify:
    SA-9(2)[2][a] the functions required for the use of such services;
    SA-9(2)[2][b] the ports required for the use of such services;
    SA-9(2)[2][c] the protocols required for the use of such services; and
    SA-9(2)[2][d] the other services required for the use of such services.
EXAMINE: System and services acquisition policy; procedures addressing external information system services; acquisition contracts for the information system, system component, or information system service; acquisition documentation; solicitation documentation; service-level agreements; organizational security requirements and security specifications for external service providers; list of required functions, ports, protocols, and other services; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system/network administrators; external providers of information system services
SYSTEM AND SERVICES ACQUISITION: SA-9(3) ESTABLISH / MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS
Determine if the organization:
  SA-9(3)[1] defines requirements, properties, factors, or conditions defining acceptable trust relationships;
  SA-9(3)[2] based on organization-defined requirements, properties, factors, or conditions defining acceptable trust relationships:
    SA-9(3)[2][a] establishes trust relationships with external service providers;
    SA-9(3)[2][b] documents trust relationships with external service providers; and
    SA-9(3)[2][c] maintains trust relationships with external service providers.
EXAMINE: System and services acquisition policy; procedures addressing external information system services; acquisition contracts for the information system, system component, or information system service; acquisition documentation; solicitation documentation; service-level agreements; organizational security requirements, properties, factors, or conditions defining acceptable trust relationships; documentation of trust relationships with external service providers; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; external providers of information system services
SYSTEM AND SERVICES ACQUISITION: SA-9(4) CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS
Determine if the organization:
  SA-9(4)[1] defines external service providers whose interests are to be consistent with and reflect organizational interests;
  SA-9(4)[2] defines security safeguards to be employed to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests; and
  SA-9(4)[3] employs organization-defined security safeguards to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.
EXAMINE: System and services acquisition policy; procedures addressing external information system services; acquisition contracts for the information system, system component, or information system service; solicitation documentation; acquisition documentation; service-level agreements; organizational security requirements/safeguards for external service providers; personnel security policies for external service providers; assessments performed on external service providers; other relevant documents or records
TEST: Organizational processes for defining and employing safeguards to ensure consistent interests with external service providers; automated mechanisms supporting and/or implementing safeguards to ensure consistent interests with external service providers
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; external providers of information system services
SYSTEM AND SERVICES ACQUISITION: SA-9(5) PROCESSING, STORAGE, AND SERVICE LOCATION
Determine if the organization:
  SA-9(5)[1] defines locations where organization-defined information processing, information/data, and/or information system services are to be restricted;
  SA-9(5)[2] defines requirements or conditions to restrict the location of information processing, information/data, and/or information system services;
  SA-9(5)[3] restricts the location of one or more of the following to organization-defined locations based on organization-defined requirements or conditions:
    SA-9(5)[3][a] information processing;
    SA-9(5)[3][b] information/data; and/or
    SA-9(5)[3][c] information services.
EXAMINE: System and services acquisition policy; procedures addressing external information system services; acquisition contracts for the information system, system component, or information system service; solicitation documentation; acquisition documentation; service-level agreements; restricted locations for information processing; information/data and/or information system services; information processing, information/data, and/or information system services to be maintained in restricted locations; organizational security requirements or conditions for external providers; other relevant documents or records
TEST: Organizational processes for defining requirements to restrict locations of information processing, information/data, or information services; organizational processes for ensuring the location is restricted in accordance with requirements or conditions
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; external providers of information system services
SYSTEM AND SERVICES ACQUISITION: SA-10 DEVELOPER CONFIGURATION MANAGEMENT
Determine if the organization:
  SA-10(a) requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:
    SA-10(a)[1] system, component, or service design;
    SA-10(a)[2] system, component, or service development;
    SA-10(a)[3] system, component, or service implementation; and/or
    SA-10(a)[4] system, component, or service operation;
  SA-10(b)
    SA-10(b)[1] defines configuration items to be placed under configuration management;
    SA-10(b)[2] requires the developer of the information system, system component, or information system service to:
      SA-10(b)[2][a] document the integrity of changes to organization-defined items under configuration management;
      SA-10(b)[2][b] manage the integrity of changes to organization-defined items under configuration management;
      SA-10(b)[2][c] control the integrity of changes to organization-defined items under configuration management;
  SA-10(c) requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;
  SA-10(d) requires the developer of the information system, system component, or information system service to document:
    SA-10(d)[1] approved changes to the system, component, or service;
    SA-10(d)[2] the potential security impacts of such changes;
  SA-10(e)
    SA-10(e)[1] defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;
    SA-10(e)[2] requires the developer of the information system, system component, or information system service to:
      SA-10(e)[2][a] track security flaws within the system, component, or service;
      SA-10(e)[2][b] track security flaw resolution within the system, component, or service; and
      SA-10(e)[2][c] report findings to organization-defined personnel.
EXAMINE: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer configuration management plan; security flaw and flaw resolution tracking records; system change authorization records; change control records; configuration management records; other relevant documents or records
TEST: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers

SYSTEM AND SERVICES ACQUISITION: SA-10(1) SOFTWARE / FIRMWARE INTEGRITY VERIFICATION
Determine if the organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
EXAMINE: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer configuration management plan; software and firmware integrity verification records; system change authorization records; change control records; configuration management records; other relevant documents or records
TEST: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers

SYSTEM AND SERVICES ACQUISITION: SA-10(2) ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES
Determine if the organization provides an alternative configuration management process with organizational personnel in the absence of a dedicated developer configuration management team.
EXAMINE: System and services acquisition policy; procedures addressing system developer configuration management; procedures addressing configuration management; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer configuration management plan; other relevant documents or records
TEST: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers

SYSTEM AND SERVICES ACQUISITION: SA-10(3) HARDWARE INTEGRITY VERIFICATION
Determine if the organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.
EXAMINE: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer configuration management plan; hardware integrity verification records; other relevant documents or records
TEST: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers

SYSTEM AND SERVICES ACQUISITION: SA-10(4) TRUSTED GENERATION
Determine if the organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of:
  SA-10(4)[1] security-relevant hardware descriptions with previous versions; and
  SA-10(4)[2] software/firmware source and object code with previous versions.
EXAMINE: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer configuration management plan; change control records; configuration management records; configuration control audit records; other relevant documents or records
TEST: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers

SYSTEM AND SERVICES ACQUISITION: SA-10(5) MAPPING INTEGRITY FOR VERSION CONTROL
Determine if the organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
EXAMINE: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer configuration management plan; change control records; configuration management records; version control change/update records; integrity verification records between master copies of security-relevant hardware, software, and firmware (including designs and source code); other relevant documents or records
TEST: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers

SYSTEM AND SERVICES ACQUISITION: SA-10(6) TRUSTED DISTRIBUTION
Determine if the organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
EXAMINE: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer configuration management plan; change control records; configuration management records; other relevant documents or records
TEST: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers

SYSTEM AND SERVICES ACQUISITION: SA-11 DEVELOPER SECURITY TESTING AND EVALUATION
Determine if the organization:
  SA-11(a) requires the developer of the information system, system component, or information system service to create and implement a security plan;
  SA-11(b)
    SA-11(b)[1] defines the depth of testing/evaluation to be performed by the developer of the information system, system component, or information system service;
    SA-11(b)[2] defines the coverage of testing/evaluation to be performed by the developer of the information system, system component, or information system service;
    SA-11(b)[3] requires the developer of the information system, system component, or information system service to perform one or more of the following testing/evaluation at the organization-defined depth and coverage:
      SA-11(b)[3][a] unit testing/evaluation;
      SA-11(b)[3][b] integration testing/evaluation;
      SA-11(b)[3][c] system testing/evaluation; and/or
      SA-11(b)[3][d] regression testing/evaluation;
  SA-11(c) requires the developer of the information system, system component, or information system service to produce evidence of:
    SA-11(c)[1] the execution of the security assessment plan;
    SA-11(c)[2] the results of the security testing/evaluation;
  SA-11(d) requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; and
  SA-11(e) requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.
EXAMINE: System and services acquisition policy; procedures addressing system developer security testing; procedures addressing flaw remediation; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer security test plans; records of developer security testing results for the information system, system component, or information system service; security flaw and remediation tracking records; other relevant documents or records
TEST: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers

SYSTEM AND SERVICES ACQUISITION: SA-11(1) STATIC CODE ANALYSIS
Determine if the organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
EXAMINE: System and services acquisition policy; procedures addressing system developer security testing; procedures addressing flaw remediation; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer security test plans; system developer security testing results; security flaw and remediation tracking records; other relevant documents or records
TEST: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation; static code analysis tools
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; organizational personnel with configuration management responsibilities; system developers

SYSTEM AND SERVICES ACQUISITION: SA-11(2) THREAT AND VULNERABILITY ANALYSES
Determine if the organization requires the developer of the information system, system component, or information system service to perform:
  SA-11(2)[1] threat analyses of the as-built system, system component, or service;
  SA-11(2)[2] vulnerability analyses of the as-built system, system component, or service; and
  SA-11(2)[3] subsequent testing/evaluation of the as-built system, system component, or service.
EXAMINE: System and services acquisition policy; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer security test plans; records of developer security testing results for the information system, system component, or information system service; vulnerability scanning results; information system risk assessment reports; threat and vulnerability analysis reports; other relevant documents or records
TEST: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers

SYSTEM AND SERVICES ACQUISITION: SA-11(3) INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE
Determine if the organization:
  SA-11(3)(a)
    SA-11(3)(a)[1] defines independence criteria that an independent agent is required to satisfy;
    SA-11(3)(a)[2] requires an independent agent satisfying organization-defined independence criteria to verify:
      SA-11(3)(a)[2][a] the correct implementation of the developer security assessment plan;
      SA-11(3)(a)[2][b] the evidence produced during security testing/evaluation;
  SA-11(3)(b) ensures that the independent agent is either:
    SA-11(3)(b)[1] provided with sufficient information to complete the verification process; or
    SA-11(3)(b)[2] granted the authority to obtain such information.
EXAMINE: System and services acquisition policy; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; independent verification and validation reports; security test and evaluation plans; security test and evaluation results for the information system, system component, or information system service; other relevant documents or records
TEST: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent

SYSTEM AND SERVICES ACQUISITION: SA-11(4) MANUAL CODE REVIEWS
Determine if the organization:
  SA-11(4)[1] defines specific code for which the developer of the information system, system component, or information system service is required to perform a manual code review;
  SA-11(4)[2] defines processes, procedures, and/or techniques to be used when the developer performs a manual code review of organization-defined specific code; and
  SA-11(4)[3] requires the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.
EXAMINE: System and services acquisition policy; procedures addressing system developer security testing; processes, procedures, and/or techniques for performing manual code reviews; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer security testing and evaluation plans; system developer security testing and evaluation results; list of code requiring manual reviews; records of manual code reviews; other relevant documents or records
TEST: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent
SYSTEM AND SERVICES ACQUISITION SA-11(5) PENETRATION TESTING / ANALYSIS "Determine if the organization:" System and services acquisition policy;procedures addressing system developer security testing;solicitation documentation;acquisition documentation;service-level agreements;acquisition contracts for the information system, system component, or information system service;system developer penetration testing and evaluation plans;system developer penetration testing and evaluation results;other relevant documents or records Organizational processes for monitoring developer security testing and evaluation;automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with developer security testing responsibilities;system developers;independent verification agent SA-11(5)[1] "defines for the developer of the information system, system component, or information system service:" SA-11(5)[1][a] "the breadth of penetration testing to be performed by the developer;" SA-11(5)[1][b] "the depth of penetration testing to be performed by the developer;" SA-11(5)[2] "defines constraints under which the developer is to perform penetration testing; and" SA-11(5)[3] "requires the developer of the information system, system component, or information system service to perform penetration testing at organization-defined breadth/depth and with organization-defined constraints." SYSTEM AND SERVICES ACQUISITION SA-11(6) ATTACK SURFACE REVIEWS "Determine if the organization requires the developer of the information system, system component, or information system service to perform attack surface reviews." 
System and services acquisition policy;procedures addressing system developer security testing;solicitation documentation;acquisition documentation;service-level agreements;acquisition contracts for the information system, system component, or information system service;system developer security testing and evaluation plans;system developer security testing and evaluation results;records of attack surface reviews;other relevant documents or records Organizational processes for monitoring developer security testing and evaluation;automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with developer security testing responsibilities;organizational personnel with configuration management responsibilities;system developers SYSTEM AND SERVICES ACQUISITION SA-11(7) VERIFY SCOPE OF TESTING / EVALUATION "Determine if the organization:" System and services acquisition policy;procedures addressing system developer security testing;solicitation documentation;acquisition documentation;service-level agreements;acquisition contracts for the information system, system component, or information system service;system developer security testing and evaluation plans;system developer security testing and evaluation results;other relevant documents or records Organizational processes for monitoring developer security testing and evaluation;automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with developer security testing responsibilities;system developers;independent verification agent SA-11(7)[1] "defines the depth of 
testing/evaluation to ensure the scope of security/testing evaluation provides complete coverage of required security controls; and" SA-11(7)[2] "requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at the organization-defined depth of testing/evaluation." SYSTEM AND SERVICES ACQUISITION SA-11(8) DYNAMIC CODE ANALYSIS "Determine if the organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis." System and services acquisition policy;procedures addressing system developer security testing;procedures addressing flaw remediation;solicitation documentation;acquisition documentation;service-level agreements;acquisition contracts for the information system, system component, or information system service;system developer security test and evaluation plans;security test and evaluation results;security flaw and remediation tracking reports;other relevant documents or records Organizational processes for monitoring developer security testing and evaluation;automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with developer security testing responsibilities;organizational personnel with configuration management responsibilities;system developers SYSTEM AND SERVICES ACQUISITION SA-12 SUPPLY CHAIN PROTECTION "Determine if the organization:" System and services acquisition policy;procedures addressing supply chain protection;procedures addressing the integration of information security requirements into the acquisition process;solicitation 
documentation;acquisition documentation;service-level agreements;acquisition contracts for the information system, system component, or information system service;list of supply chain threats;list of security safeguards to be taken against supply chain threats;system development life cycle documentation;other relevant documents or records Organizational processes for defining safeguards for and protecting against supply chain threats;automated mechanisms supporting and/or implementing safeguards for supply chain threats Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SA-12[1] "defines security safeguards to be employed to protect against supply chain threats to the information system, system component, or information system service; and" SA-12[2] "protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy." 
SYSTEM AND SERVICES ACQUISITION SA-12(1) ACQUISITION STRATEGIES / TOOLS / METHODS "Determine if the organization:" System and services acquisition policy;procedures addressing supply chain protection;procedures addressing the integration of information security requirements into the acquisition process;procedures addressing the integration of acquisition strategies, contract tools, and procure methods into the acquisition process;solicitation documentation;acquisition documentation;service-level agreements;acquisition contracts for information systems or services;purchase orders/requisitions for the information system;system component;or information system service from suppliers;other relevant documents or records Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods;automated mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SA-12(1)[1] "defines the following to be employed for the purchase of the information system, system component, or information system service from suppliers:" SA-12(1)[1][a] "tailored acquisition strategies;" SA-12(1)[1][b] "contract tools;" SA-12(1)[1][c] "procurement methods; and" SA-12(1)[2] "employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers." SYSTEM AND SERVICES ACQUISITION SA-12(2) SUPPLIER REVIEWS "Determine if the organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service." 
System and services acquisition policy;procedures addressing supply chain protection;procedures addressing the integration of information security requirements into the acquisition process;records of supplier due diligence reviews;other relevant documents or records Organizational processes for conducting supplier reviews;automated mechanisms supporting and/or implementing supplier reviews Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SYSTEM AND SERVICES ACQUISITION SA-12(3) TRUSTED SHIPPING AND WAREHOUSING "[Withdrawn: Incorporated into SA-12(1)]." SYSTEM AND SERVICES ACQUISITION SA-12(4) DIVERSITY OF SUPPLIERS "[Withdrawn: Incorporated into SA-12(13)]." SYSTEM AND SERVICES ACQUISITION SA-12(5) LIMITATION OF HARM "Determine if the organization:" System and services acquisition policy;configuration management policy;procedures addressing supply chain protection;procedures addressing the integration of information security requirements into the acquisition process;procedures addressing the baseline configuration of the information system;configuration management plan;information system design documentation;information system architecture and associated configuration documentation;solicitation documentation;acquisition documentation;acquisition contracts for the information system, system component, or information system service;list of security safeguards to be taken to protect organizational supply chain against potential supply chain threats;other relevant documents or records Organizational processes for defining and employing safeguards to limit harm from adversaries of the organizational supply chain;automated mechanisms supporting and/or implementing the definition and employment of safeguards to protect the organizational supply chain Organizational personnel with system and services 
acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SA-12(5)[1] "defines security safeguards to be employed to limit harm from potential adversaries identifying and targeting the organizational supply chain; and" SA-12(5)[2] "employs organization-defined security safeguards to limit harm from potential adversaries identifying and targeting the organizational supply chain." SYSTEM AND SERVICES ACQUISITION SA-12(6) MINIMIZING PROCUREMENT TIME "[Withdrawn: Incorporated into SA-12(1)]." SYSTEM AND SERVICES ACQUISITION SA-12(7) ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE "Determine if the organization conducts an assessment of the information system, system component, or information system service prior to:" System and services acquisition policy;procedures addressing supply chain protection;procedures addressing the integration of information security requirements into the acquisition process;security test and evaluation results;vulnerability assessment results;penetration testing results;organizational risk assessment results;other relevant documents or records Organizational processes for conducting assessments prior to selection, acceptance, or update;automated mechanisms supporting and/or implementing the conducting of assessments prior to selection, acceptance, or update Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SA-12(7)[1] "selection;" SA-12(7)[2] "acceptance; or" SA-12(7)[3] "update." 
SYSTEM AND SERVICES ACQUISITION SA-12(8) USE OF ALL-SOURCE INTELLIGENCE "Determine if the organization uses all-source intelligence analysis of:" System and services acquisition policy;procedures addressing supply chain protection;solicitation documentation;acquisition documentation;acquisition contracts for the information system, system component, or information system service;records of all-source intelligence analyses;other relevant documents or records Organizational processes for use of an all-source analysis of suppliers and potential suppliers;automated mechanisms supporting and/or implementing the use of all-source analysis of suppliers and potential suppliers Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SA-12(8)[1] "suppliers of the information system, system component, or information system service; and" SA-12(8)[2] "potential suppliers of the information system, system component, or information system service." 
SYSTEM AND SERVICES ACQUISITION SA-12(9) OPERATIONS SECURITY "Determine if the organization:" System and services acquisition policy;procedures addressing supply chain protection;solicitation documentation;acquisition documentation;acquisition contracts for the information system, system component, or information system service;records of all-source intelligence analyses;other relevant documents or records Organizational processes for defining and employing OPSEC safeguards;automated mechanisms supporting and/or implementing the definition and employment of OPSEC safeguards Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SA-12(9)[1] "defines Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service; and" SA-12(9)[2] "employs organization-defined OPSEC safeguards in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service." 
SYSTEM AND SERVICES ACQUISITION SA-12(10) VALIDATE AS GENUINE AND NOT ALTERED "Determine if the organization:" System and services acquisition policy;procedures addressing supply chain protection;procedures address the integration of information security requirements into the acquisition process;solicitation documentation;acquisition documentation;service-level agreements;acquisition contracts for the information system, system component, or information system service;evidentiary documentation (including applicable configurations) indicating the information system, system component, or information system service are genuine and have not been altered;other relevant documents or records Organizational processes for defining and employing validation safeguards;automated mechanisms supporting and/or implementing the definition and employment of validation safeguards Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SA-12(10)[1] "defines security safeguards to be employed to validate that the information system or system component received is genuine and has not been altered; and" SA-12(10)[2] "employs organization-defined security safeguards to validate that the information system or system components received is genuine and has not been altered." 
SYSTEM AND SERVICES ACQUISITION SA-12(11) PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS "Determine if the organization:" System and services acquisition policy;procedures addressing supply chain protection;evidence of organizational analysis, independent third-party analysis, organizational penetration testing, and/or independent third-party penetration testing;list of supply chain elements, processes, and actors (associated with the information system, system component, or information system service) subject to analysis and/or testing;other relevant documents or records Organizational processes for defining and employing methods of analysis/testing of supply chain elements, processes, and actors;automated mechanisms supporting and/or implementing the analysis/testing of supply chain elements, processes, and actors Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities;organizational personnel with responsibilities for analyzing and/or testing supply chain elements, processes, and actors SA-12(11)[1] "defines supply chain:" SA-12(11)[1][a] "elements to be analyzed and/or tested;" SA-12(11)[1][b] "processes to be analyzed and/or tested;" SA-12(11)[1][c] "actors to be analyzed and/or tested;" SA-12(11)[2] "employs one or more of the following to analyze and/or test organization-defined supply chain elements, processes, and actors associated with the information system, system component, or information system service:" SA-12(11)[2][a] "organizational analysis;" SA-12(11)[2][b] "independent third party analysis;" SA-12(11)[2][c] "organizational penetration testing; and/or" SA-12(11)[2][d] "independent third-party penetration testing." 
SYSTEM AND SERVICES ACQUISITION SA-12(12) INTER-ORGANIZATIONAL AGREEMENTS "Determine if the organization establishes, with entities involved in the supply chain for the information system, system component, or information system service,:" System and services acquisition policy;procedures addressing supply chain protection;acquisition documentation;service-level agreements;acquisition contracts for the information system, system component, or information system service;inter-organizational agreements and procedures;other relevant documents or records Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SA-12(12)[1] "inter-organizational agreements; and" SA-12(12)[2] "inter-organizational procedures." SYSTEM AND SERVICES ACQUISITION SA-12(13) CRITICAL INFORMATION SYSTEM COMPONENTS "Determine if the organization:" System and services acquisition policy;procedures addressing supply chain protection;physical inventory of critical information system components;inventory records of critical information system components;list of security safeguards ensuring adequate supply of critical information system components;other relevant documents or records Organizational processes for defining and employing security safeguards to ensure an adequate supply of critical information system components;automated mechanisms supporting and/or implementing the security safeguards that ensure an adequate supply of critical information system components Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SA-12(13)[1] "defines critical information 
system components for which security safeguards are to be employed to ensure an adequate supply of such components;" SA-12(13)[2] "defines security safeguards to be employed to ensure an adequate supply of organization-defined critical information components; and" SA-12(13)[3] "employs organization-defined security safeguards to ensure an adequate supply of organization-defined critical information system components." SYSTEM AND SERVICES ACQUISITION SA-12(14) IDENTITY AND TRACEABILITY "Determine if the organization:" System and services acquisition policy;procedures addressing supply chain protection;procedures addressing the integration of information security requirements into the acquisition process;list of supply chain elements, processes, and actors (associated with the information system, system component, or information system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques and/or configurations;other relevant documents or records Organizational processes for defining, establishing, and retaining unique identification for supply chain elements, processes, and actors;automated mechanisms supporting and/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities;organizational personnel with responsibilities for establishing and retaining unique identification of supply chain elements, processes, and actors SA-12(14)[1] "defines the following for the establishment and retention of unique identification:" SA-12(14)[1][a] "supply chain elements;" SA-12(14)[1][b] "supply chain processes;" SA-12(14)[1][c] "supply chain actors; and" SA-12(14)[2] "establishes and retains unique identification of 
organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service." SYSTEM AND SERVICES ACQUISITION SA-12(15) PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES "Determine if the organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements." System and services acquisition policy;procedures addressing supply chain protection;procedures addressing weaknesses or deficiencies in supply chain elements;results of independent or organizational assessments of supply chain controls and processes;acquisition contracts, service-level agreements;other relevant documents or records Organizational processes for addressing weaknesses or deficiencies in supply chain elements;automated mechanisms supporting and/or implementing the addressing of weaknesses or deficiencies in supply chain elements Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with supply chain protection responsibilities SYSTEM AND SERVICES ACQUISITION SA-13 TRUSTWORTHINESS "Determine if the organization:" System and services acquisition policy;procedures addressing trustworthiness requirements for the information system, system component, or information system service;security plan;information system design documentation;information system configuration settings and associated documentation;security categorization documentation/results;security authorization package for the information system, system component, or information system service;other relevant documents or records Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;authorizing official SA-13(a) SA-13(a)[1] "defines information system, system component, 
or information system service for which the trustworthiness required is to be described;" SA-13(a)[2] "describes the trustworthiness required in organization-defined information system, information system component, or information system service supporting its critical mission/business functions;" SA-13(b) SA-13(b)[1] "defines an assurance overlay to be implemented to achieve such trustworthiness; and" SA-13(b)[2] "organization implements the organization-defined assurance overlay to achieve such trustworthiness." SYSTEM AND SERVICES ACQUISITION SA-14 CRITICALITY ANALYSIS "Determine if the organization:" System and services acquisition policy;procedures addressing criticality analysis requirements for information systems, security plan;contingency plan;list of information systems, information system components, or information system services requiring criticality analyses;list of critical information system components and functions identified by criticality analyses;criticality analysis documentation;business impact analysis documentation;system development life cycle documentation;other relevant documents or records Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;organizational personnel with responsibilities for performing criticality analysis for the information system SA-14[1] "defines information systems, information system components, or information system services requiring a criticality analysis to identify critical information system components and functions;" SA-14[2] "defines decision points in the system development life cycle when a criticality analysis is to be performed for organization-defined information systems, information system components, or information system services; and" SA-14[3] "identifies critical information system components and functions by performing a criticality analysis for organization-defined information systems, information 
system components, or information system services at organization-defined decisions points in the system development life cycle." SYSTEM AND SERVICES ACQUISITION SA-14(1) CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING "[Withdrawn: Incorporated into SA-20]." SYSTEM AND SERVICES ACQUISITION SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS "Determine if the organization:" System and services acquisition policy;procedures addressing development process, standards, and tools;procedures addressing the integration of security requirements during the development process;solicitation documentation;acquisition documentation;service-level agreements;acquisition contracts for the information system, system component, or information system service;system developer documentation listing tool options/configuration guides, configuration management records;change control records;configuration control records;documented reviews of development process, standards, tools, and tool options/configurations;other relevant documents or records Organizational personnel with system and services acquisition responsibilities;organizational personnel with information security responsibilities;system developer SA-15(a) "requires the developer of the information system, system component, or information system service to follow a documented development process that:" SA-15(a)(1) "explicitly addresses security requirements;" SA-15(a)(2) "identifies the standards and tools used in the development process;" SA-15(a)(3) SA-15(a)(3)[1] "documents the specific tool options used in the development process;" SA-15(a)(3)[2] "documents the specific tool configurations used in the development process;" SA-15(a)(4) SA-15(a)(4)[1] "documents changes to the process and/or tools used in the development;" SA-15(a)(4)[2] "manages changes to the process and/or tools used in the development;" SA-15(a)(4)[3] "ensures the integrity of changes to the process and/or tools used in the development;" SA-15(b) 
SA-15(b)[1] "defines a frequency to review the development process, standards, tools, and tool options/configurations;" SA-15(b)[2] "defines security requirements to be satisfied by the process, standards, tools, and tool option/configurations selected and employed; and" SA-15(b)[3] SA-15(b)[3][a] "reviews the development process with the organization-defined frequency to determine if the process selected and employed can satisfy organization-defined security requirements;" SA-15(b)[3][b] "reviews the development standards with the organization-defined frequency to determine if the standards selected and employed can satisfy organization-defined security requirements;" SA-15(b)[3][c] "reviews the development tools with the organization-defined frequency to determine if the tools selected and employed can satisfy organization-defined security requirements; and" SA-15(b)[3][d] "reviews the development tool options/configurations with the organization-defined frequency to determine if the tool options/configurations selected and employed can satisfy organization-defined security requirements." 
FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(1)
TITLE: QUALITY METRICS
DECISION: Determine if the organization:
  SA-15(1)(a) requires the developer of the information system, system component, or information system service to define quality metrics at the beginning of the development process;
  SA-15(1)(b)
    SA-15(1)(b)[1] defines a frequency to provide evidence of meeting the quality metrics;
    SA-15(1)(b)[2] defines program review milestones to provide evidence of meeting the quality metrics;
    SA-15(1)(b)[3] requires the developer of the information system, system component, or information system service to provide evidence of meeting the quality metrics one or more of the following:
      SA-15(1)(b)[3][a] with the organization-defined frequency;
      SA-15(1)(b)[3][b] in accordance with the organization-defined program review milestones; and/or
      SA-15(1)(b)[3][c] upon delivery of the information system, system component, or information system service.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing the integration of security requirements into the acquisition process; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; list of quality metrics; documentation evidence of meeting quality metrics; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(2)
TITLE: SECURITY TRACKING TOOLS
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing the integration of security requirements into the acquisition process; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; list of quality metrics; documentation evidence of meeting quality metrics; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(3)
TITLE: CRITICALITY ANALYSIS
DECISION: Determine if the organization:
  SA-15(3)[1] defines the breadth of criticality analysis to be performed by the developer of the information system, system component, or information system service;
  SA-15(3)[2] defines the depth of criticality analysis to be performed by the developer of the information system, system component, or information system service;
  SA-15(3)[3] defines decision points in the system development life cycle when a criticality analysis is to be performed for the information system, system component, or information system service; and
  SA-15(3)[4] requires the developer of the information system, system component, or information system service to perform a criticality analysis at the organization-defined breadth/depth and at organization-defined decision points in the system development life cycle.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing criticality analysis requirements for the information system, system component, or information system service; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; criticality analysis documentation; business impact analysis documentation; software development life cycle documentation; other relevant documents or records
TEST: Organizational processes for performing criticality analysis; automated mechanisms supporting and/or implementing criticality analysis
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for performing criticality analysis; system developer

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(4)
TITLE: THREAT MODELING / VULNERABILITY ANALYSIS
DECISION: Determine if the organization:
  SA-15(4)[1] defines the breadth of threat modeling and vulnerability analysis to be performed by developers for the information system;
  SA-15(4)[2] defines the depth of threat modeling and vulnerability analysis to be performed by developers for the information system;
  SA-15(4)[3] defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used in threat modeling and vulnerability analysis;
  SA-15(4)[4] defines tools and methods to be employed in threat modeling and vulnerability analysis;
  SA-15(4)[5] defines acceptance criteria for evidence produced from threat modeling and vulnerability analysis;
  SA-15(4)[6] requires that developers perform threat modeling and a vulnerability analysis for the information system at the organization-defined breadth/depth that:
    SA-15(4)[6](a) uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels;
    SA-15(4)[6](b) employs organization-defined tools and methods; and
    SA-15(4)[6](c) produces evidence that meets organization-defined acceptance criteria.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; threat modeling documentation; vulnerability analysis results; organizational risk assessments; acceptance criteria for evidence produced from threat modeling and vulnerability analysis; other relevant documents or records
TEST: Organizational processes for performing development threat modeling and vulnerability analysis; automated mechanisms supporting and/or implementing development threat modeling and vulnerability analysis
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(5)
TITLE: ATTACK SURFACE REDUCTION
DECISION: Determine if the organization:
  SA-15(5)[1] defines thresholds to which attack surfaces are to be reduced; and
  SA-15(5)[2] requires the developer of the information system, system component, or information system service to reduce attack surfaces to organization-defined thresholds.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing attack surface reduction; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, or information system service; information system design documentation; network diagram; information system configuration settings and associated documentation establishing/enforcing organization-defined thresholds for reducing attack surfaces; list of restricted ports, protocols, functions and services; other relevant documents or records
TEST: Organizational processes for defining attack surface reduction thresholds
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for attack surface reduction thresholds; system developer
FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(6)
TITLE: CONTINUOUS IMPROVEMENT
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; quality goals and metrics for improving system development process; security assessments and/or quality control reviews of system development process; plans of action and milestones for improving system development process; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(7)
TITLE: AUTOMATED VULNERABILITY ANALYSIS
DECISION: Determine if the organization:
  SA-15(7)(a)
    SA-15(7)(a)[1] defines tools to be used to perform automated vulnerability analysis of the information system, system component, or information system service;
    SA-15(7)(a)[2] requires the developer of the information system, system component, or information system service to perform an automated vulnerability analysis using organization-defined tools;
  SA-15(7)(b) requires the developer of the information system, system component, or information system service to determine the exploitation potential for discovered vulnerabilities;
  SA-15(7)(c) requires the developer of the information system, system component, or information system service to determine potential risk mitigations for delivered vulnerabilities;
  SA-15(7)(d)
    SA-15(7)(d)[1] defines personnel or roles to whom the output of the tools and results of the analysis are to be delivered; and
    SA-15(7)(d)[2] requires the developer of the information system, system component, or information system service to deliver the outputs of the tools and results of the analysis to organization-defined personnel or roles.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; vulnerability analysis tools and associated documentation; risk assessment reports; vulnerability analysis results; vulnerability mitigation reports; risk mitigation strategy documentation; other relevant documents or records
TEST: Organizational processes for vulnerability analysis of information systems, system components, or information system services under development; automated mechanisms supporting and/or implementing vulnerability analysis of information systems, system components, or information system services under development
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel performing automated vulnerability analysis on the information system

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(8)
TITLE: REUSE OF THREAT / VULNERABILITY INFORMATION
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; threat modeling and vulnerability analyses from similar information systems, system components, or information system service; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(9)
TITLE: USE OF LIVE DATA
DECISION: Determine if the organization, for the information system, system component, or information system service:
  SA-15(9)[1] approves the use of live data in development and test environments;
  SA-15(9)[2] documents the use of live data in development and test environments; and
  SA-15(9)[3] controls the use of live data in development and test environments.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; information system design documentation; information system configuration settings and associated documentation; documentation authorizing use of live data in development and test environments; other relevant documents or records
TEST: Organizational processes for approving, documenting, and controlling the use of live data in development and test environments; automated mechanisms supporting and/or implementing the approval, documentation, and control of the use of live data in development and test environments
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer
FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(10)
TITLE: INCIDENT RESPONSE PLAN
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to provide an incident response plan.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, or services; acquisition documentation; solicitation documentation; service-level agreements; developer incident response plan; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-15(11)
TITLE: ARCHIVE INFORMATION SYSTEM / COMPONENT
DECISION: Determine if the organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.
EXAMINE: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, or services; acquisition documentation; solicitation documentation; service-level agreements; developer incident response plan; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-16
TITLE: DEVELOPER-PROVIDED TRAINING
DECISION: Determine if the organization:
  SA-16[1] defines training to be provided by the developer of the information system, system component, or information system service; and
  SA-16[2] requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
EXAMINE: System and services acquisition policy; procedures addressing developer-provided training; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; developer-provided training materials; training records; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information system security responsibilities; system developer; organizational or third-party developers with training responsibilities for the information system, system component, or information system service
FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-17
TITLE: DEVELOPER SECURITY ARCHITECTURE AND DESIGN
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
  SA-17(a) is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;
  SA-17(b) accurately and completely describes:
    SA-17(b)[1] the required security functionality;
    SA-17(b)[2] the allocation of security controls among physical and logical components; and
  SA-17(c) expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.
EXAMINE: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specification for the information system; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; design specification and security architecture documentation for the system; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with security architecture and design responsibilities
FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-17(1)
TITLE: FORMAL POLICY MODEL
DECISION: Determine if the organization:
  SA-17(1)(a)
    SA-17(1)(a)[1] defines elements of the organizational security policy to be enforced under a formal policy model produced by the developer as an integral part of the development process for the information system, system component, or information system service;
    SA-17(1)(a)[2] requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal policy model describing the organization-defined elements of organizational security policy to be enforced; and
  SA-17(1)(b) requires the developer of the information system, system component, or information system service to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.
EXAMINE: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specification for the information system; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; design specification and security architecture documentation for the system; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with security architecture and design responsibilities
FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-17(2)
TITLE: SECURITY-RELEVANT COMPONENTS
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to:
  SA-17(2)(a)
    SA-17(2)(a)[1] define security-relevant hardware;
    SA-17(2)(a)[2] define security-relevant software;
    SA-17(2)(a)[3] define security-relevant firmware; and
  SA-17(2)(b) provide a rationale that the definition for security-relevant hardware, software, and firmware components is complete.
EXAMINE: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specification for the information system; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; list of security-relevant hardware, software, and firmware components; documented rationale of completeness regarding definitions provided for security-relevant hardware, software, and firmware; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developers; organizational personnel with security architecture and design responsibilities
FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-17(3)
TITLE: FORMAL CORRESPONDENCE
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to:
  SA-17(3)(a) produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of:
    SA-17(3)(a)[1] exceptions;
    SA-17(3)(a)[2] error messages;
    SA-17(3)(a)[3] effects;
  SA-17(3)(b) show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
  SA-17(3)(c) show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
  SA-17(3)(d) show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
  SA-17(3)(e) describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
EXAMINE: System and services acquisition policy; enterprise architecture policy; formal policy model; procedures addressing developer security architecture and design specification for the information system; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; formal top-level specification documentation; information system security architecture and design documentation; information system design documentation; information system configuration settings and associated documentation; documentation describing security-relevant hardware, software and firmware mechanisms not addressed in the formal top-level specification documentation; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with security architecture and design responsibilities

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-17(4)
TITLE: INFORMAL CORRESPONDENCE
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to:
  SA-17(4)(a) produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of:
    SA-17(4)(a)[1] exceptions;
    SA-17(4)(a)[2] error messages;
    SA-17(4)(a)[3] effects;
  SA-17(4)(b) show via informal demonstration and/or convincing argument with formal methods as feasible that the descriptive top-level specification is consistent with the formal policy model;
  SA-17(4)(c) show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
  SA-17(4)(d) show that the descriptive top-level specification is an accurate description of the interfaces to the security-relevant hardware, software, and firmware; and
  SA-17(4)(e) describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
EXAMINE: System and services acquisition policy; enterprise architecture policy; formal policy model; procedures addressing developer security architecture and design specification for the information system; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; informal descriptive top-level specification documentation; information system security architecture and design documentation; information system design documentation; information system configuration settings and associated documentation; documentation describing security-relevant hardware, software and firmware mechanisms not addressed in the informal descriptive top-level specification documentation; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with security architecture and design responsibilities

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-17(5)
TITLE: CONCEPTUALLY SIMPLE DESIGN
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to:
  SA-17(5)(a) design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
  SA-17(5)(b) internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
EXAMINE: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specification for the information system; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; information system design documentation; information system security architecture documentation; information system configuration settings and associated documentation; developer documentation describing design and structure of security-relevant hardware, software, and firmware components; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with security architecture and design responsibilities

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-17(6)
TITLE: STRUCTURE FOR TESTING
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing.
EXAMINE: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specification for the information system; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; information system design documentation; information system security architecture documentation; information system configuration settings and associated documentation; developer documentation describing design and structure of security-relevant hardware, software, and firmware components to facilitate testing; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with security architecture and design responsibilities

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-17(7)
TITLE: STRUCTURE FOR LEAST PRIVILEGE
DECISION: Determine if the organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
EXAMINE: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specification for the information system; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; information system design documentation; information system security architecture documentation; information system configuration settings and associated documentation; developer documentation describing design and structure of security-relevant hardware, software, and firmware components to facilitate controlling access with least privilege; other relevant documents or records
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with security architecture and design responsibilities

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-18
TITLE: TAMPER RESISTANCE AND DETECTION
DECISION: Determine if the organization implements a tamper protection program for the information system, system component, or information system service.
EXAMINE: System and services acquisition policy; procedures addressing tamper resistance and detection; tamper protection program documentation; tamper protection tools and techniques documentation; tamper resistance and detection tools and techniques documentation; other relevant documents or records
TEST: Organizational processes for implementation of the tamper protection program; automated mechanisms supporting and/or implementing the tamper protection program
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for the tamper protection program

FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-18(1)
TITLE: MULTIPLE PHASES OF SDLC
DECISION: Determine if the organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including:
  SA-18(1)[1] design;
  SA-18(1)[2] development;
  SA-18(1)[3] integration;
  SA-18(1)[4] operations; and
  SA-18(1)[5] maintenance.
EXAMINE: System and services acquisition policy; procedures addressing tamper resistance and detection; tamper protection program documentation; tamper protection tools and techniques documentation; tamper resistance and detection tools (technologies) and techniques documentation; system development life cycle documentation; other relevant documents or records
TEST: Organizational processes for employing anti-tamper technologies; automated mechanisms supporting and/or implementing anti-tamper technologies
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for the tamper protection program; organizational personnel with SDLC responsibilities
FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-18(2)
TITLE: INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES
DECISION: Determine if the organization:
  SA-18(2)[1] defines information systems, system components, or devices to be inspected to detect tampering;
  SA-18(2)[2] defines the frequency to inspect organization-defined information systems, system components, or devices to detect tampering;
  SA-18(2)[3] defines indications of need for inspection of organization-defined information systems, system components, or devices to detect tampering;
  SA-18(2)[4] inspects organization-defined information systems, system components, or devices to detect tampering, selecting one or more of the following:
    SA-18(2)[4][a] at random;
    SA-18(2)[4][b] with the organization-defined frequency; and/or
    SA-18(2)[4][c] upon organization-defined indications of need for inspection.
EXAMINE: System and services acquisition policy; procedures addressing tamper resistance and detection; records of random inspections; inspection reports/results; assessment reports/results; other relevant documents or records
TEST: Organizational processes for inspecting information systems, system components, or devices to detect tampering; automated mechanisms supporting and/or implementing tampering detection
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for the tamper protection program
FAMILY: SYSTEM AND SERVICES ACQUISITION
NAME: SA-19
TITLE: COMPONENT AUTHENTICITY
DECISION: Determine if the organization:
  SA-19(a) develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system;
  SA-19(b)
    SA-19(b)[1] defines external reporting organizations to whom counterfeit information system components are to be reported;
    SA-19(b)[2] defines personnel or roles to whom counterfeit information system components are to be reported;
    SA-19(b)[3] reports counterfeit information system components to one or more of the following:
      SA-19(b)[3][a] the source of counterfeit component;
      SA-19(b)[3][b] the organization-defined external reporting organizations; and/or
      SA-19(b)[3][c] the organization-defined personnel or roles.
EXAMINE: System and services acquisition policy; anti-counterfeit policy and procedures; media disposal policy; media protection policy; incident response policy; training materials addressing counterfeit information system components; training records on detection and prevention of counterfeit components from entering the information system; reports notifying developers/manufacturers/vendors/contractors and/or external reporting organizations of counterfeit information system components; other relevant documents or records
TEST: Organizational processes for anti-counterfeit detection, prevention, and reporting; automated mechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting
INTERVIEW: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for anti-counterfeit policy, procedures, and reporting
SYSTEM AND SERVICES ACQUISITION | SA-19(1) | ANTI-COUNTERFEIT TRAINING
Decision: Determine if the organization:
  SA-19(1)[1] defines personnel or roles to be trained to detect counterfeit information system components (including hardware, software, and firmware); and
  SA-19(1)[2] trains organization-defined personnel or roles to detect counterfeit information system components (including hardware, software, and firmware).
Examine: System and services acquisition policy; anti-counterfeit policy and procedures; media disposal policy; media protection policy; incident response policy; training materials addressing counterfeit information system components; training records on detection of counterfeit information system components; other relevant documents or records
Test: Organizational processes for anti-counterfeit training
Interview: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for anti-counterfeit policy, procedures, and training
SYSTEM AND SERVICES ACQUISITION | SA-19(2) | CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR
Decision: Determine if the organization:
  SA-19(2)[1] defines information system components requiring configuration control to be maintained when awaiting service/repair;
  SA-19(2)[2] defines information system components requiring configuration control to be maintained when awaiting return to service; and
  SA-19(2)[3] maintains configuration control over organization-defined information system components awaiting service/repairs and serviced/repaired components awaiting return to service.
Examine: System and services acquisition policy; anti-counterfeit policy and procedures; media protection policy; configuration management plan; information system design documentation; information system configuration settings and associated documentation; configuration control records for components awaiting service/repair; configuration control records for serviced/repaired components awaiting return to service; information system maintenance records; information system audit records; inventory management records; other relevant documents or records
Test: Organizational processes for configuration management; automated mechanisms supporting and/or implementing configuration management
Interview: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for anti-counterfeit policy and procedures; organizational personnel with responsibility for configuration management
SYSTEM AND SERVICES ACQUISITION | SA-19(3) | COMPONENT DISPOSAL
Decision: Determine if the organization:
  SA-19(3)[1] defines techniques and methods to dispose of information system components; and
  SA-19(3)[2] disposes of information system components using organization-defined techniques and methods.
Examine: System and services acquisition policy; anti-counterfeit policy and procedures; media disposal policy; media protection policy; disposal records for information system components; documentation of disposal techniques and methods employed for information system components; other relevant documents or records
Test: Organizational techniques and methods for information system component disposal; automated mechanisms supporting and/or implementing system component disposal
Interview: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for anti-counterfeit policy and procedures; organizational personnel with responsibility for disposal of information system components
SYSTEM AND SERVICES ACQUISITION | SA-19(4) | ANTI-COUNTERFEIT SCANNING
Decision: Determine if the organization:
  SA-19(4)[1] defines a frequency to scan for counterfeit information system components; and
  SA-19(4)[2] scans for counterfeit information system components with the organization-defined frequency.
Examine: System and services acquisition policy; anti-counterfeit policy and procedures; information system design documentation; information system configuration settings and associated documentation; scanning tools and associated documentation; scanning results; other relevant documents or records
Test: Organizational processes for anti-counterfeit scanning; automated mechanisms supporting and/or implementing anti-counterfeit scanning
Interview: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for anti-counterfeit policy and procedures; organizational personnel with responsibility for anti-counterfeit scanning
SYSTEM AND SERVICES ACQUISITION | SA-20 | CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
Decision: Determine if the organization:
  SA-20[1] defines critical information system components to be re-implemented or custom developed; and
  SA-20[2] re-implements or custom develops organization-defined information system components.
Examine: System and services acquisition policy; procedures addressing customized development of critical information system components; information system design documentation; information system configuration settings and associated documentation; system development life cycle documentation addressing custom development of critical information system components; configuration management records; information system audit records; other relevant documents or records
Test: Organizational processes for re-implementing or customized development of critical information system components; automated mechanisms supporting and/or implementing re-implementation or customized development of critical information system components
Interview: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for re-implementation or customized development of critical information system components
SYSTEM AND SERVICES ACQUISITION | SA-21 | DEVELOPER SCREENING
Decision: Determine if the organization:
  SA-21[1] defines the information system, system component, or information system service for which the developer is to be screened;
  SA-21[2] defines official government duties to be used to determine appropriate access authorizations for the developer;
  SA-21[3] defines additional personnel screening criteria to be satisfied by the developer;
  SA-21[4]
    SA-21[4][a] requires that the developer of organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties; and
    SA-21[4][b] requires that the developer of organization-defined information system, system component, or information system service satisfy organization-defined additional personnel screening criteria.
Examine: System and services acquisition policy; personnel security policy and procedures; procedures addressing personnel screening; information system design documentation; information system configuration settings and associated documentation; list of appropriate access authorizations required by developers of the information system; personnel screening criteria and associated documentation; other relevant documents or records
Test: Organizational processes for developer screening; automated mechanisms supporting developer screening
Interview: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for developer screening
SYSTEM AND SERVICES ACQUISITION | SA-21(1) | VALIDATION OF SCREENING
Decision: Determine if the organization:
  SA-21(1)[1] defines actions to be taken by the developer of the information system, system component, or information system service to ensure that the required access authorizations and screening criteria are satisfied; and
  SA-21(1)[2] requires the developer of the information system, system component, or information system service to take organization-defined actions to ensure that the required access authorizations and screening criteria are satisfied.
Examine: System and services acquisition policy; personnel security policy and procedures; procedures addressing personnel screening; information system design documentation; information system configuration settings and associated documentation; list of appropriate access authorizations required by developers of the information system; personnel screening criteria and associated documentation; list of actions ensuring required access authorizations and screening criteria are satisfied; other relevant documents or records
Test: Organizational processes for developer screening; automated mechanisms supporting developer screening
Interview: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for developer screening; system developer
SYSTEM AND SERVICES ACQUISITION | SA-22 | UNSUPPORTED SYSTEM COMPONENTS
Decision: Determine if the organization:
  SA-22(a) replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer;
  SA-22(b)
    SA-22(b)[1] provides justification for the continued use of unsupported system components required to satisfy mission/business needs; and
    SA-22(b)[2] documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
Examine: System and services acquisition policy; procedures addressing replacement or continued use of unsupported information system components; documented evidence of replacing unsupported information system components; documented approvals (including justification) for continued use of unsupported information system components; other relevant documents or records
Test: Organizational processes for replacing unsupported system components; automated mechanisms supporting and/or implementing replacement of unsupported system components
Interview: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for the system development life cycle; organizational personnel responsible for configuration management
SYSTEM AND SERVICES ACQUISITION | SA-22(1) | ALTERNATIVE SOURCES FOR CONTINUED SUPPORT
Decision: Determine if the organization:
  SA-22(1)[1] defines support from external providers to be provided for unsupported information system components;
  SA-22(1)[2] provides and/or obtains support for unsupported information system components from one or more of the following:
    SA-22(1)[2][a] in-house support; and/or
    SA-22(1)[2][b] organization-defined support from external providers.
Examine: System and services acquisition policy; procedures addressing support for unsupported information system components; solicitation documentation; acquisition documentation; acquisition contracts; service-level agreements; other relevant documents or records
Test: Organizational processes for supporting system components no longer supported by original developers, vendors, or manufacturers; automated mechanisms providing support for system components no longer supported by original developers, vendors, or manufacturers
Interview: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for the system development life cycle; organizational personnel or third-party external providers supporting information system components no longer supported by original developers, vendors, or manufacturers
SYSTEM AND COMMUNICATIONS PROTECTION | SC-1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
Decision: Determine if the organization:
  SC-1(a)(1)
    SC-1(a)(1)[1] develops and documents a system and communications protection policy that addresses:
      SC-1(a)(1)[1][a] purpose;
      SC-1(a)(1)[1][b] scope;
      SC-1(a)(1)[1][c] roles;
      SC-1(a)(1)[1][d] responsibilities;
      SC-1(a)(1)[1][e] management commitment;
      SC-1(a)(1)[1][f] coordination among organizational entities;
      SC-1(a)(1)[1][g] compliance;
    SC-1(a)(1)[2] defines personnel or roles to whom the system and communications protection policy is to be disseminated;
    SC-1(a)(1)[3] disseminates the system and communications protection policy to organization-defined personnel or roles;
  SC-1(a)(2)
    SC-1(a)(2)[1] develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;
    SC-1(a)(2)[2] defines personnel or roles to whom the procedures are to be disseminated;
    SC-1(a)(2)[3] disseminates the procedures to organization-defined personnel or roles;
  SC-1(b)(1)
    SC-1(b)(1)[1] defines the frequency to review and update the current system and communications protection policy;
    SC-1(b)(1)[2] reviews and updates the current system and communications protection policy with the organization-defined frequency;
  SC-1(b)(2)
    SC-1(b)(2)[1] defines the frequency to review and update the current system and communications protection procedures; and
    SC-1(b)(2)[2] reviews and updates the current system and communications protection procedures with the organization-defined frequency.
Examine: System and communications protection policy and procedures; other relevant documents or records
Interview: Organizational personnel with system and communications protection responsibilities; organizational personnel with information security responsibilities
SYSTEM AND COMMUNICATIONS PROTECTION | SC-2 | APPLICATION PARTITIONING
Decision: Determine if the information system separates user functionality (including user interface services) from information system management functionality.
Examine: System and communications protection policy; procedures addressing application partitioning; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Separation of user functionality from information system management functionality
Interview: System/network administrators; organizational personnel with information security responsibilities; system developer

SYSTEM AND COMMUNICATIONS PROTECTION | SC-2(1) | INTERFACES FOR NON-PRIVILEGED USERS
Decision: Determine if the information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
Examine: System and communications protection policy; procedures addressing application partitioning; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Separation of user functionality from information system management functionality
Interview: System/network administrators; organizational personnel with information security responsibilities; non-privileged users of the information system; system developer

SYSTEM AND COMMUNICATIONS PROTECTION | SC-3 | SECURITY FUNCTION ISOLATION
Decision: Determine if the information system isolates security functions from nonsecurity functions.
Examine: System and communications protection policy; procedures addressing security function isolation; list of security functions to be isolated from nonsecurity functions; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Separation of security functions from nonsecurity functions within the information system
Interview: System/network administrators; organizational personnel with information security responsibilities; system developer

SYSTEM AND COMMUNICATIONS PROTECTION | SC-3(1) | HARDWARE SEPARATION
Decision: Determine if the information system utilizes underlying hardware separation mechanisms to implement security function isolation.
Examine: System and communications protection policy; procedures addressing security function isolation; information system design documentation; hardware separation mechanisms; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Separation of security functions from nonsecurity functions within the information system
Interview: System/network administrators; organizational personnel with information security responsibilities; system developer

SYSTEM AND COMMUNICATIONS PROTECTION | SC-3(2) | ACCESS/FLOW CONTROL FUNCTIONS
Decision: Determine if the information system isolates security functions enforcing:
  SC-3(2)[1] access control from nonsecurity functions;
  SC-3(2)[2] information flow control from nonsecurity functions;
  SC-3(2)[3] access control from other security functions; and
  SC-3(2)[4] information flow control from other security functions.
Examine: System and communications protection policy; procedures addressing security function isolation; list of critical security functions; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Isolation of security functions enforcing access and information flow control
Interview: System/network administrators; organizational personnel with information security responsibilities; system developer

SYSTEM AND COMMUNICATIONS PROTECTION | SC-3(3) | MINIMIZE NONSECURITY FUNCTIONALITY
Decision: Determine if the organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions.
Examine: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing an isolation boundary
Interview: System/network administrators; organizational personnel with information security responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION | SC-3(4) | MODULE COUPLING AND COHESIVENESS
Decision: Determine if the organization implements security functions as largely independent modules that:
  SC-3(4)[1] maximize internal cohesiveness within modules; and
  SC-3(4)[2] minimize coupling between modules.
Examine: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Organizational processes for maximizing internal cohesiveness within modules and minimizing coupling between modules; automated mechanisms supporting and/or implementing security functions as independent modules
Interview: System/network administrators; organizational personnel with information security responsibilities
SYSTEM AND COMMUNICATIONS PROTECTION | SC-3(5) | LAYERED STRUCTURES
Decision: Determine if the organization implements security functions as a layered structure:
  SC-3(5)[1] minimizing interactions between layers of the design; and
  SC-3(5)[2] avoiding any dependence by lower layers on the functionality or correctness of higher layers.
Examine: System and communications protection policy; procedures addressing security function isolation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Organizational processes for implementing security functions as a layered structure that minimizes interactions between layers and avoids dependence by lower layers on functionality/correctness of higher layers; automated mechanisms supporting and/or implementing security functions as a layered structure
Interview: System/network administrators; organizational personnel with information security responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION | SC-4 | INFORMATION IN SHARED RESOURCES
Decision: Determine if the information system prevents unauthorized and unintended information transfer via shared system resources.
Examine: System and communications protection policy; procedures addressing information protection in shared system resources; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources
Interview: System/network administrators; organizational personnel with information security responsibilities; system developer

SYSTEM AND COMMUNICATIONS PROTECTION | SC-4(1) | SECURITY LEVELS
Decision: [Withdrawn: Incorporated into SC-4].
SYSTEM AND COMMUNICATIONS PROTECTION | SC-4(2) | PERIODS PROCESSING
Decision: Determine if:
  SC-4(2)[1] the organization defines procedures to be employed to ensure unauthorized information transfer via shared resources is prevented when system processing explicitly switches between different information classification levels or security categories; and
  SC-4(2)[2] the information system prevents unauthorized information transfer via shared resources in accordance with organization-defined procedures when system processing explicitly switches between different information classification levels or security categories.
Examine: System and communications protection policy; procedures addressing information protection in shared system resources; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms preventing unauthorized transfer of information via shared system resources
Interview: System/network administrators; organizational personnel with information security responsibilities; system developer
SYSTEM AND COMMUNICATIONS PROTECTION | SC-5 | DENIAL OF SERVICE PROTECTION
Decision: Determine if:
  SC-5[1] the organization defines types of denial of service attacks (or reference to source of such information) for the information system to protect against or limit the effects of;
  SC-5[2] the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and
  SC-5[3] the information system protects against or limits the effects of the organization-defined denial of service attacks (or reference to source for such information) by employing organization-defined security safeguards.
Examine: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; list of denial of service attacks requiring employment of security safeguards to protect against or limit effects of such attacks; list of security safeguards protecting against or limiting the effects of denial of service attacks; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms protecting against or limiting the effects of denial of service attacks
Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities; system developer
SYSTEM AND COMMUNICATIONS PROTECTION | SC-5(1) | RESTRICT INTERNAL USERS
Decision: Determine if:
  SC-5(1)[1] the organization defines denial of service attacks for which the information system is required to restrict the ability of individuals to launch such attacks against other information systems; and
  SC-5(1)[2] the information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.
Examine: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; list of denial of service attacks launched by individuals against information systems; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms restricting the ability to launch denial of service attacks against other information systems
Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities; system developer
SYSTEM AND COMMUNICATIONS PROTECTION | SC-5(2) | EXCESS CAPACITY / BANDWIDTH / REDUNDANCY
Decision: Determine if the information system, to limit the effects of information flooding denial of service attacks, manages:
  SC-5(2)[1] excess capacity;
  SC-5(2)[2] bandwidth; or
  SC-5(2)[3] other redundancy.
Examine: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms implementing management of information system bandwidth, capacity, and redundancy to limit the effects of information flooding denial of service attacks
Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities; system developer

SYSTEM AND COMMUNICATIONS PROTECTION | SC-5(3) | DETECTION / MONITORING
Decision: Determine if the organization:
  SC-5(3)(a)
    SC-5(3)(a)[1] defines monitoring tools to be employed to detect indicators of denial of service attacks against the information system;
    SC-5(3)(a)[2] employs organization-defined monitoring tools to detect indicators of denial of service attacks against the information system;
  SC-5(3)(b)
    SC-5(3)(b)[1] defines information system resources to be monitored to determine if sufficient resources exist to prevent effective denial of service attacks; and
    SC-5(3)(b)[2] monitors organization-defined information system resources to determine if sufficient resources exist to prevent effective denial of service attacks.
Examine: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms/tools implementing information system monitoring for denial of service attacks
Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with detection and monitoring responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION | SC-6 | RESOURCE AVAILABILITY
Decision: Determine if:
  SC-6[1] the organization defines resources to be allocated to protect the availability of resources;
  SC-6[2] the organization defines security safeguards to be employed to protect the availability of resources;
  SC-6[3] the information system protects the availability of resources by allocating organization-defined resources by one or more of the following:
    SC-6[3][a] priority;
    SC-6[3][b] quota; and/or
    SC-6[3][c] organization-defined safeguards.
Examine: System and communications protection policy; procedures addressing prioritization of information system resources; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing resource allocation capability; safeguards employed to protect availability of resources
Interview: System/network administrators; organizational personnel with information security responsibilities; system developer
SYSTEM AND COMMUNICATIONS PROTECTION SC-7 BOUNDARY PROTECTION "Determine if the information system:" System and communications protection policy;procedures addressing boundary protection;list of key internal boundaries of the information system;information system design documentation;boundary protection hardware and software;information system configuration settings and associated documentation;enterprise security architecture documentation;information system audit records;other relevant documents or records Automated mechanisms implementing boundary protection capability System/network administrators;organizational personnel with information security responsibilities;system developer;organizational personnel with boundary protection responsibilities SC-7(a) SC-7(a)[1] "monitors communications at the external boundary of the information system;" SC-7(a)[2] "monitors communications at key internal boundaries within the system;" SC-7(a)[3] "controls communications at the external boundary of the information system;" SC-7(a)[4] "controls communications at key internal boundaries within the system;" SC-7(b) "implements subnetworks for publicly accessible system components that are either:" SC-7(b)[1] "physically separated from internal organizational networks; and/or" SC-7(b)[2] "logically separated from internal organizational networks; and" SC-7(c) "connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture." SYSTEM AND COMMUNICATIONS PROTECTION SC-7(1) PHYSICALLY SEPARATED SUBNETWORKS "[Withdrawn: Incorporated into SC-7]." SYSTEM AND COMMUNICATIONS PROTECTION SC-7(2) PUBLIC ACCESS "[Withdrawn: Incorporated into SC-7]." SYSTEM AND COMMUNICATIONS PROTECTION SC-7(3) ACCESS POINTS "Determine if the organization limits the number of external network connections to the information system." 
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; boundary protection hardware and software; information system architecture and configuration documentation; information system configuration settings and associated documentation; communications and network traffic monitoring logs; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing boundary protection capability; automated mechanisms limiting the number of external network connections to the information system
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(4) EXTERNAL TELECOMMUNICATIONS SERVICES
DECISION: "Determine if the organization:"
EXAMINE: System and communications protection policy; traffic flow policy; information flow control policy; procedures addressing boundary protection; information system security architecture; information system design documentation; boundary protection hardware and software; information system architecture and configuration documentation; information system configuration settings and associated documentation; records of traffic flow policy exceptions; information system audit records; other relevant documents or records
TEST: Organizational processes for documenting and reviewing exceptions to the traffic flow policy; organizational processes for removing exceptions to the traffic flow policy; automated mechanisms implementing boundary protection capability; managed interfaces implementing traffic flow policy
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities
SC-7(4)(a) "implements a managed interface for each external telecommunication service;"
SC-7(4)(b) "establishes a traffic flow policy for each managed interface;"
SC-7(4)(c) "protects the confidentiality and integrity of the information being transmitted across each interface;"
SC-7(4)(d) "documents each exception to the traffic flow policy with:"
SC-7(4)(d)[1] "a supporting mission/business need;"
SC-7(4)(d)[2] "duration of that need;"
SC-7(4)(e)
SC-7(4)(e)[1] "defines a frequency to review exceptions to traffic flow policy;"
SC-7(4)(e)[2] "reviews exceptions to the traffic flow policy with the organization-defined frequency; and"
SC-7(4)(e)[3] "removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(5) DENY BY DEFAULT / ALLOW BY EXCEPTION
DECISION: "Determine if the information system, at managed interfaces:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing traffic management at managed interfaces
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities
SC-7(5)[1] "denies network traffic by default; and"
SC-7(5)[2] "allows network traffic by exception."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(6) RESPONSE TO RECOGNIZED FAILURES "[Withdrawn: Incorporated into SC-7(18)]."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
DECISION: "Determine if the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing boundary protection capability; automated mechanisms supporting/restricting non-remote connections
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS
DECISION: "Determine if:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing traffic management through authenticated proxy servers at managed interfaces
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities
SC-7(8)[1] "the organization defines internal communications traffic to be routed to external networks;"
SC-7(8)[2] "the organization defines external networks to which organization-defined internal communications traffic is to be routed; and"
SC-7(8)[3] "the information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces."
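As an added worked check for SC-7(4)(d)/(e) and SC-7(5) above (example code written for this page, not part of SP 800-53A or any assessment tool): the script below reads iptables-save output for a managed interface, verifies that the managed chains deny by default, and matches every ACCEPT rule against an exception register that records the mission/business need and its expiry. The ruleset, the register format, the peer networks and the review date are all constructed for the example.

```python
"""Added example: audit an iptables-save ruleset for SC-7(5) deny-by-default and
check that each allow rule maps to a documented, unexpired SC-7(4) exception.
Not part of SP 800-53A; the ruleset, register format and dates are constructed."""
import re
import shlex
from datetime import date

MANAGED_CHAINS = ("INPUT", "FORWARD", "OUTPUT")

# Constructed iptables-save output for a hypothetical managed interface.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
"""

# Constructed exception register: one record per allowed flow, with the
# mission/business need (SC-7(4)(d)[1]) and the duration of that need as an
# expiry date (SC-7(4)(d)[2]).
SAMPLE_EXCEPTIONS = [
    {"chain": "INPUT", "proto": "tcp", "dport": "443",
     "need": "public web front end", "expires": "2099-12-31"},
    {"chain": "INPUT", "proto": "tcp", "dport": "22",
     "need": "vendor remote-support window", "expires": "2023-06-30"},
]


def _opt(tokens, flag):
    """Value following a flag in a tokenised iptables rule, or None."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def parse_ruleset(text):
    """Return (chain policies, ACCEPT rules) from iptables-save text."""
    policies, accepts = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^:(\S+)\s+(\S+)", line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        if _opt(tokens, "-j") != "ACCEPT":
            continue
        accepts.append({
            "chain": tokens[1],
            "proto": _opt(tokens, "-p"),
            "dport": _opt(tokens, "--dport"),
            "ctstate": _opt(tokens, "--ctstate"),
            "raw": line,
        })
    return policies, accepts


def audit(ruleset_text, exceptions, review_date):
    """Findings for one review cycle; review_date is ISO 'YYYY-MM-DD'."""
    today = date.fromisoformat(review_date)
    policies, accepts = parse_ruleset(ruleset_text)
    findings = {"non_deny_chains": [], "undocumented": [], "expired": []}

    # SC-7(5): every managed chain must deny unless an explicit rule allows.
    for chain in MANAGED_CHAINS:
        if policies.get(chain) != "DROP":
            findings["non_deny_chains"].append((chain, policies.get(chain)))

    register = {(e["chain"], e["proto"], e["dport"]): e for e in exceptions}
    for rule in accepts:
        # Return traffic for flows an exception already admitted is not a new
        # exception; every other ACCEPT must be in the register.
        if rule["dport"] is None and rule["ctstate"] and "ESTABLISHED" in rule["ctstate"]:
            continue
        entry = register.get((rule["chain"], rule["proto"], rule["dport"]))
        if entry is None:
            findings["undocumented"].append(rule["raw"])  # SC-7(4)(d) not met
        elif date.fromisoformat(entry["expires"]) < today:
            # SC-7(4)(e)[3]: need has lapsed, the rule should be removed.
            findings["expired"].append((rule["raw"], entry["need"], entry["expires"]))
    return findings


def is_compliant(findings):
    return not any(findings.values())


if __name__ == "__main__":
    for name, items in audit(SAMPLE_RULESET, SAMPLE_EXCEPTIONS, "2024-01-15").items():
        print(name, items)
```

On the sample input the audit reports the OUTPUT chain as not deny-by-default, the port 8080 rule as undocumented, and the port 22 rule as resting on an expired exception. The matcher keys on chain, protocol and destination port only; rule ordering, negated matches, multiport and earlier DROP rules in the same chain are not modelled, so an assessor would still read the full ruleset for those.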
SYSTEM AND COMMUNICATIONS PROTECTION SC-7(9) RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC
DECISION: "Determine if the information system:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing boundary protection capability; automated mechanisms implementing detection and denial of threatening outgoing communications traffic; automated mechanisms implementing auditing of outgoing communications traffic
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities
SC-7(9)(a)
SC-7(9)(a)[1] "detects outgoing communications traffic posing a threat to external information systems;"
SC-7(9)(a)[2] "denies outgoing communications traffic posing a threat to external information systems; and"
SC-7(9)(b) "audits the identity of internal users associated with denied communications."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(10) PREVENT UNAUTHORIZED EXFILTRATION
DECISION: "Determine if the organization prevents the unauthorized exfiltration of information across managed interfaces."
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing boundary protection capability; automated mechanisms preventing unauthorized exfiltration of information across managed interfaces
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(11) RESTRICT INCOMING COMMUNICATIONS TRAFFIC
DECISION: "Determine if:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing boundary protection capabilities with respect to source/destination address pairs
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities
SC-7(11)[1] "the organization defines authorized sources from which incoming communications may be routed;"
SC-7(11)[2] "the organization defines authorized destinations to which incoming communications from organization-defined authorized sources may be routed; and"
SC-7(11)[3] "the information system only allows incoming communications from organization-defined authorized sources to be routed to organization-defined authorized destinations."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(12) HOST-BASED PROTECTION
DECISION: "Determine if the organization:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms implementing host-based boundary protection capabilities
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities; information system users
SC-7(12)[1] "defines host-based boundary protection mechanisms;"
SC-7(12)[2] "defines information system components where organization-defined host-based boundary protection mechanisms are to be implemented; and"
SC-7(12)[3] "implements organization-defined host-based boundary protection mechanisms at organization-defined information system components."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(13) ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS
DECISION: "Determine if the organization:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; list of security tools and support components to be isolated from other internal information system components; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing isolation of information security tools, mechanisms, and support components
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities
SC-7(13)[1] "defines information security tools, mechanisms, and support components to be isolated from other internal information system components; and"
SC-7(13)[2] "isolates organization-defined information security tools, mechanisms, and support components from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(14) PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS
DECISION: "Determine if the organization:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; facility communications and wiring diagram; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing protection against unauthorized physical connections
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities
SC-7(14)[1] "defines managed interfaces to be protected against unauthorized physical connections; and"
SC-7(14)[2] "protects against unauthorized physical connections at organization-defined managed interfaces."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(15) ROUTE PRIVILEGED NETWORK ACCESSES
DECISION: "Determine if the information system routes all networked, privileged accesses through a dedicated, managed interface for the purposes of:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; audit logs; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing the routing of networked, privileged access through dedicated managed interfaces
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities
SC-7(15)[1] "access control; and"
SC-7(15)[2] "auditing."
SYSTEM AND COMMUNICATIONS PROTECTION SC-7(16) PREVENT DISCOVERY OF COMPONENTS / DEVICES
DECISION: "Determine if the information system prevents discovery of specific system components composing a managed interface."
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing the prevention of discovery of system components at managed interfaces
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(17) AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS
DECISION: "Determine if the information system enforces adherence to protocol formats."
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system architecture; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing enforcement of adherence to protocol formats
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(18) FAIL SECURE
DECISION: "Determine if the information system fails securely in the event of an operational failure of a boundary protection device."
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system architecture; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing secure failure
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(19) BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS
DECISION: "Determine if the organization:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; list of communication clients independently configured by end users and external service providers; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing the blocking of inbound and outbound communications traffic between communication clients independently configured by end users and external service providers
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities
SC-7(19)[1] "defines communication clients that are independently configured by end users and external service providers; and"
SC-7(19)[2] "blocks the following traffic between organization-defined communication clients that are independently configured by end users and external service providers:"
SC-7(19)[2][a] "inbound communications traffic; and"
SC-7(19)[2][b] "outbound communications traffic."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(20) DYNAMIC ISOLATION / SEGREGATION
DECISION: "Determine if:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; list of information system components to be dynamically isolated/segregated from other components of the system; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing the capability to dynamically isolate/segregate information system components
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities
SC-7(20)[1] "the organization defines information system components to be dynamically isolated/segregated from other components of the system; and"
SC-7(20)[2] "the information system provides the capability to dynamically isolate/segregate organization-defined information system components from other components of the system."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(21) ISOLATION OF INFORMATION SYSTEM COMPONENTS
DECISION: "Determine if the organization:"
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; enterprise architecture documentation; information system architecture; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing the capability to separate information system components supporting organizational missions and/or business functions
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities
SC-7(21)[1] "defines information system components to be separated by boundary protection mechanisms;"
SC-7(21)[2] "defines missions and/or business functions to be supported by organization-defined information system components separated by boundary protection mechanisms; and"
SC-7(21)[3] "employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and/or business functions."

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(22) SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS
DECISION: "Determine if the information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains."
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing separate network addresses/different subnets
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION SC-7(23) DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE
DECISION: "Determine if the information system disables feedback to senders on protocol format validation failure."
EXAMINE: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing the disabling of feedback to senders on protocol format validation failure
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities

SYSTEM AND COMMUNICATIONS PROTECTION SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
DECISION: "Determine if the information system protects one or more of the following:"
EXAMINE: System and communications protection policy; procedures addressing transmission confidentiality and integrity; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing transmission confidentiality and/or integrity
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer
SC-8[1] "confidentiality of transmitted information; and/or"
SC-8[2] "integrity of transmitted information."

SYSTEM AND COMMUNICATIONS PROTECTION SC-8(1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION
DECISION: "Determine if:"
EXAMINE: System and communications protection policy; procedures addressing transmission confidentiality and integrity; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity; automated mechanisms supporting and/or implementing alternative physical safeguards; organizational processes for defining and implementing alternative physical safeguards
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer
SC-8(1)[1] "the organization defines physical safeguards to be implemented to protect information during transmission when cryptographic mechanisms are not implemented; and"
SC-8(1)[2] "the information system implements cryptographic mechanisms to do one or more of the following during transmission unless otherwise protected by organization-defined alternative physical safeguards:"
SC-8(1)[2][a] "prevent unauthorized disclosure of information; and/or"
SC-8(1)[2][b] "detect changes to information."
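SC-7(17) and SC-7(23) above are the two halves of one boundary behaviour: every field of an inbound message is checked against the protocol format, and a message that fails the check is dropped without telling the sender which check failed. The following is an added example written for this page (not SP 800-53A text and not any product's code) using a made-up length-prefixed frame format; the frame layout, type codes, size limit and peer addresses are all assumptions. The verbose handler is shown only as the weak behaviour the assessor is looking for.

```python
"""Added example for SC-7(17) and SC-7(23): a strict parser for an assumed
length-prefixed frame format that drops malformed input without telling the
sender why. Not from SP 800-53A; the frame format and peer addresses are made up."""
import logging
import struct

log = logging.getLogger("boundary")
AUDIT = []          # internal record of rejected frames; never sent to the peer
MAX_LEN = 1024      # assumed protocol limit on payload length
TYPES = {0x01: "PING", 0x02: "DATA"}   # assumed message types


class ProtocolError(ValueError):
    """Carries an internal reason; the reason must not leave the boundary."""


def build_frame(mtype, payload=b""):
    """Frame layout (assumed): u32 big-endian length | u8 type | payload."""
    return struct.pack("!IB", len(payload), mtype) + payload


def parse_frame(frame):
    """SC-7(17): every field is checked against the format before use."""
    if len(frame) < 5:
        raise ProtocolError("short header")
    length, mtype = struct.unpack("!IB", frame[:5])
    if length > MAX_LEN:
        raise ProtocolError(f"length {length} exceeds {MAX_LEN}")
    if mtype not in TYPES:
        raise ProtocolError(f"unknown type {mtype:#x}")
    payload = frame[5:]
    if len(payload) != length:
        raise ProtocolError("length field does not match payload")
    if mtype == 0x01 and length:
        raise ProtocolError("PING must carry no payload")
    if mtype == 0x02:
        try:
            text = payload.decode("utf-8")
        except UnicodeDecodeError:
            raise ProtocolError("DATA payload is not UTF-8") from None
        if not text.isprintable():
            raise ProtocolError("DATA payload contains control characters")
    return TYPES[mtype], payload


def _reply(mtype, payload):
    return b"PONG" if mtype == "PING" else b"ACK " + payload


def handle_verbose(frame, peer):
    """Weak: echoes the validation reason, so a sender can probe the parser."""
    try:
        return _reply(*parse_frame(frame))
    except ProtocolError as e:
        return b"ERR " + str(e).encode()


def handle_silent(frame, peer):
    """SC-7(23): malformed frames are audited internally and dropped (None)."""
    try:
        return _reply(*parse_frame(frame))
    except ProtocolError as e:
        AUDIT.append((peer, str(e)))
        log.warning("dropped malformed frame from %s: %s", peer, e)
        return None


if __name__ == "__main__":
    print(handle_silent(build_frame(0x01), "198.51.100.7"))        # b'PONG'
    print(handle_silent(build_frame(0x09), "198.51.100.7"))        # None
    print(handle_verbose(build_frame(0x09), "198.51.100.7"))       # b'ERR unknown type 0x9'
    print(AUDIT)
```

With the verbose handler every malformed frame gets a distinct reply, which is exactly the feedback SC-7(23) asks to have disabled; with the silent handler the sender sees the same thing (nothing) for a bad length, an unknown type and a non-UTF-8 payload, while the reason is still available internally for SC-7 audit records. The silent path is not timing-neutral, since the checks run in order and bail out early, so an assessor testing this capability should consider whether response timing is a usable side channel in the deployment.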
SYSTEM AND COMMUNICATIONS PROTECTION SC-8(2) PRE / POST TRANSMISSION HANDLING
DECISION: "Determine if the information system maintains one or more of the following:"
EXAMINE: System and communications protection policy; procedures addressing transmission confidentiality and integrity; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing transmission confidentiality and/or integrity
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer
SC-8(2)[1] "confidentiality of information during preparation for transmission;"
SC-8(2)[2] "confidentiality of information during reception;"
SC-8(2)[3] "integrity of information during preparation for transmission; and/or"
SC-8(2)[4] "integrity of information during reception."

SYSTEM AND COMMUNICATIONS PROTECTION SC-8(3) CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS
DECISION: "Determine if:"
EXAMINE: System and communications protection policy; procedures addressing transmission confidentiality and integrity; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity for message externals; automated mechanisms supporting and/or implementing alternative physical safeguards; organizational processes for defining and implementing alternative physical safeguards
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer
SC-8(3)[1] "the organization defines alternative physical safeguards to be implemented to protect message externals; and"
SC-8(3)[2] "the information system implements cryptographic mechanisms to protect message externals unless otherwise protected by organization-defined alternative physical safeguards."

SYSTEM AND COMMUNICATIONS PROTECTION SC-8(4) CONCEAL / RANDOMIZE COMMUNICATIONS
DECISION: "Determine if:"
EXAMINE: System and communications protection policy; procedures addressing transmission confidentiality and integrity; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Cryptographic mechanisms supporting and/or implementing concealment or randomization of communications patterns; automated mechanisms supporting and/or implementing alternative physical safeguards; organizational processes for defining and implementing alternative physical safeguards
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer
SC-8(4)[1] "the organization defines alternative physical safeguards to be implemented to protect against unauthorized disclosure of communication patterns;"
SC-8(4)[2] "the information system, unless otherwise protected by organization-defined alternative physical safeguards, implements cryptographic mechanisms to:"
SC-8(4)[2][a] "conceal communication patterns; or"
SC-8(4)[2][b] "randomize communication patterns."

SYSTEM AND COMMUNICATIONS PROTECTION SC-9 TRANSMISSION CONFIDENTIALITY "[Withdrawn: Incorporated into SC-8]."
SYSTEM AND COMMUNICATIONS PROTECTION SC-10 NETWORK DISCONNECT
DECISION: "Determine if:"
EXAMINE: System and communications protection policy; procedures addressing network disconnect; information system design documentation; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing network disconnect capability
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer
SC-10[1] "the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session; and"
SC-10[2] "the information system terminates the network connection associated with a communications session at the end of the session or after the organization-defined time period of inactivity."

SYSTEM AND COMMUNICATIONS PROTECTION SC-11 TRUSTED PATH
DECISION: "Determine if:"
EXAMINE: System and communications protection policy; procedures addressing trusted communications paths; security plan; information system design documentation; information system configuration settings and associated documentation; assessment results from independent testing organizations; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing trusted communications paths
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer
SC-11[1] "the organization defines security functions of the information system;"
SC-11[2] "the organization-defined security functions include, at a minimum, information system authentication and re-authentication; and"
SC-11[3] "the information system establishes a trusted communications path between the user and the organization-defined security functions of the system."

SYSTEM AND COMMUNICATIONS PROTECTION SC-11(1) LOGICAL ISOLATION
DECISION: "Determine if the information system provides a trusted communications path that is:"
EXAMINE: System and communications protection policy; procedures addressing trusted communications paths; security plan; information system design documentation; information system configuration settings and associated documentation; assessment results from independent testing organizations; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing trusted communications paths
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer
SC-11(1)[1] "logically isolated; and"
SC-11(1)[2] "distinguishable from other paths."

SYSTEM AND COMMUNICATIONS PROTECTION SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
DECISION: "Determine if the organization:"
EXAMINE: System and communications protection policy; procedures addressing cryptographic key establishment and management; information system design documentation; cryptographic mechanisms; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing cryptographic key establishment and management
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for cryptographic key establishment and/or management
SC-12[1] "defines requirements for cryptographic key:"
SC-12[1][a] "generation;"
SC-12[1][b] "distribution;"
SC-12[1][c] "storage;"
SC-12[1][d] "access;"
SC-12[1][e] "destruction; and"
SC-12[2] "establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction."

SYSTEM AND COMMUNICATIONS PROTECTION SC-12(1) AVAILABILITY
DECISION: "Determine if the organization maintains availability of information in the event of the loss of cryptographic keys by users."
EXAMINE: System and communications protection policy; procedures addressing cryptographic key establishment, management, and recovery; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing cryptographic key establishment and management
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for cryptographic key establishment or management

SYSTEM AND COMMUNICATIONS PROTECTION SC-12(2) SYMMETRIC KEYS
DECISION: "Determine if the organization produces, controls, and distributes symmetric cryptographic keys using one of the following:"
EXAMINE: System and communications protection policy; procedures addressing cryptographic key establishment and management; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of FIPS-validated cryptographic products; list of NSA-approved cryptographic products; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing symmetric cryptographic key establishment and management
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for cryptographic key establishment or management
SC-12(2)[1] "NIST FIPS-compliant key management technology and processes; or"
SC-12(2)[2] "NSA-approved key management technology and processes."

SYSTEM AND COMMUNICATIONS PROTECTION SC-12(3) ASYMMETRIC KEYS
DECISION: "Determine if the organization produces, controls, and distributes asymmetric cryptographic keys using one of the following:"
EXAMINE: System and communications protection policy; procedures addressing cryptographic key establishment and management; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of NSA-approved cryptographic products; list of approved PKI Class 3 and Class 4 certificates; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing asymmetric cryptographic key establishment and management
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for cryptographic key establishment or management; organizational personnel with responsibilities for PKI certificates
SC-12(3)[1] "NSA-approved key management technology and processes;"
SC-12(3)[2] "approved PKI Class 3 certificates or prepositioned keying material; or"
SC-12(3)[3] "approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key."

SYSTEM AND COMMUNICATIONS PROTECTION SC-12(4) PKI CERTIFICATES "[Withdrawn: Incorporated into SC-12]."

SYSTEM AND COMMUNICATIONS PROTECTION SC-12(5) PKI CERTIFICATES / HARDWARE TOKENS "[Withdrawn: Incorporated into SC-12]."

SYSTEM AND COMMUNICATIONS PROTECTION SC-13 CRYPTOGRAPHIC PROTECTION
DECISION: "Determine if:"
EXAMINE: System and communications protection policy; procedures addressing cryptographic protection; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; list of FIPS-validated cryptographic modules; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing cryptographic protection
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for cryptographic protection
SC-13[1] "the organization defines cryptographic uses;"
SC-13[2] "the organization defines the type of cryptography required for each use; and"
SC-13[3] "the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."

SYSTEM AND COMMUNICATIONS PROTECTION SC-13(1) FIPS-VALIDATED CRYPTOGRAPHY "[Withdrawn: Incorporated into SC-13]."

SYSTEM AND COMMUNICATIONS PROTECTION SC-13(2) NSA-APPROVED CRYPTOGRAPHY "[Withdrawn: Incorporated into SC-13]."

SYSTEM AND COMMUNICATIONS PROTECTION SC-13(3) INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS "[Withdrawn: Incorporated into SC-13]."

SYSTEM AND COMMUNICATIONS PROTECTION SC-13(4) DIGITAL SIGNATURES "[Withdrawn: Incorporated into SC-13]."

SYSTEM AND COMMUNICATIONS PROTECTION SC-14 PUBLIC ACCESS PROTECTIONS "[Withdrawn: Capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10]."

SYSTEM AND COMMUNICATIONS PROTECTION SC-15 COLLABORATIVE COMPUTING DEVICES
DECISION: "Determine if:"
EXAMINE: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing management of remote activation of collaborative computing devices; automated mechanisms providing an indication of use of collaborative computing devices
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for managing collaborative computing devices
SC-15(a)
SC-15(a)[1] "the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;"
SC-15(a)[2] "the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and"
SC-15(b) "the information system provides an explicit indication of use to users physically present at the devices."

SYSTEM AND COMMUNICATIONS PROTECTION SC-15(1) PHYSICAL DISCONNECT
DECISION: "Determine if the information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use."
EXAMINE: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing physical disconnect of collaborative computing devices
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for managing collaborative computing devices

SYSTEM AND COMMUNICATIONS PROTECTION SC-15(2) BLOCKING INBOUND / OUTBOUND COMMUNICATIONS TRAFFIC "[Withdrawn: Incorporated into SC-7]."

SYSTEM AND COMMUNICATIONS PROTECTION SC-15(3) DISABLING / REMOVAL IN SECURE WORK AREAS
DECISION: "Determine if the organization:"
EXAMINE: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of secure work areas; information systems or information system components in secured work areas where collaborative computing devices are to be disabled or removed; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing the capability to disable collaborative computing devices
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing collaborative computing devices
SC-15(3)[1] "defines information systems or information system components from which collaborative computing devices are to be disabled or removed;"
SC-15(3)[2] "defines secure work areas where collaborative computing devices are to be disabled or removed from information systems or information system components placed in such work areas; and"
SC-15(3)[3] "disables or removes collaborative computing devices from organization-defined information systems or information system components in organization-defined secure work areas." SYSTEM AND COMMUNICATIONS PROTECTION SC-15(4) EXPLICITLY INDICATE CURRENT PARTICIPANTS "Determine if:" System and communications protection policy;procedures addressing collaborative computing;access control policy and procedures;information system design documentation;information system configuration settings and associated documentation;information system audit records;list of types of meetings and teleconferences requiring explicit indication of current participants;other relevant documents or records Automated mechanisms supporting and/or implementing the capability to indicate participants on collaborative computing devices System/network administrators;organizational personnel with information security responsibilities;organizational personnel with responsibilities for managing collaborative computing devices SC-15(4)[1] "the organization defines online meetings and teleconferences for which an explicit indication of current participants is to be provided; and" SC-15(4)[2] "the information system provides an explicit indication of current participants in organization-defined meetings and teleconferences." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-16 TRANSMISSION OF SECURITY ATTRIBUTES "Determine if:" System and communications protection policy;procedures addressing transmission of security attributes;access control policy and procedures;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing transmission of security attributes between information systems System/network administrators;organizational personnel with information security responsibilities SC-16[1] "the organization defines security attributes to be associated with information exchanged:" SC-16[1][a] "between information systems;" SC-16[1][b] "between system components;" SC-16[2] "the information system associates organization-defined security attributes with information exchanged:" SC-16[2][a] "between information systems; and" SC-16[2][b] "between system components." SYSTEM AND COMMUNICATIONS PROTECTION SC-16(1) INTEGRITY VALIDATION "Determine if the information system validates the integrity of transmitted security attributes." 
System and communications protection policy;procedures addressing transmission of security attributes;access control policy and procedures;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing validation of the integrity of transmitted security attributes System/network administrators;organizational personnel with information security responsibilities SYSTEM AND COMMUNICATIONS PROTECTION SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES "Determine if the organization:" System and communications protection policy;procedures addressing public key infrastructure certificates;public key certificate policy or policies;public key issuing process;other relevant documents or records Automated mechanisms supporting and/or implementing the management of public key infrastructure certificates System/network administrators;organizational personnel with information security responsibilities;organizational personnel with responsibilities for issuing public key certificates;service providers SC-17[1] "defines a certificate policy for issuing public key certificates;" SC-17[2] "issues public key certificates:" SC-17[2][a] "under an organization-defined certificate policy; or" SC-17[2][b] "obtains public key certificates from an approved service provider." 
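Worked illustration for SC-16 and SC-16(1) (added here; it is not NIST text and not part of any assessed system). An assessor checking SC-16[2] and SC-16(1) wants to see two things: that the organization-defined attributes travel with the information, and that a receiver rejects the message when the attributes have been altered in transit. The attribute names (`classification`, `handling`, `origin_system`), the allowed classification values and the use of a pre-shared HMAC key between the two systems are assumptions made for the example.

```python
"""Binding organization-defined security attributes to exchanged information
(SC-16) and validating their integrity on receipt (SC-16(1)).

Added illustration, not NIST text: the attribute names, the allowed
classification values and the shared HMAC key are assumptions.
"""
import base64
import hashlib
import hmac
import json

# Assumed organization-defined attributes (SC-16[1]); illustrative only.
ALLOWED_ATTRIBUTES = {"classification", "handling", "origin_system"}
ALLOWED_CLASSIFICATIONS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL")


def _check_attributes(attrs: dict) -> None:
    """Reject attribute sets the organization has not defined."""
    unknown = set(attrs) - ALLOWED_ATTRIBUTES
    if unknown:
        raise ValueError(f"undefined security attributes: {sorted(unknown)}")
    if attrs.get("classification") not in ALLOWED_CLASSIFICATIONS:
        raise ValueError("classification attribute missing or not allowed")


def _canonical(attrs: dict, payload: bytes) -> bytes:
    """Deterministic encoding so sender and receiver MAC identical bytes.
    The length prefix keeps attribute bytes from being confused with payload."""
    header = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return len(header).to_bytes(4, "big") + header + payload


def label(payload: bytes, attrs: dict, key: bytes) -> dict:
    """SC-16[2]: associate the attributes with the information being sent.
    The MAC covers attributes *and* payload, so neither can be changed
    independently of the other without detection."""
    _check_attributes(attrs)
    tag = hmac.new(key, _canonical(attrs, payload), hashlib.sha256).digest()
    return {
        "attrs": dict(attrs),
        "payload": base64.b64encode(payload).decode(),
        "mac": base64.b64encode(tag).decode(),
    }


def receive(message: dict, key: bytes):
    """SC-16(1): validate the transmitted attributes before relying on them.
    Returns (attrs, payload) on success or None if integrity fails; the
    caller must treat None as a rejected message, never as 'unlabeled'."""
    try:
        attrs = message["attrs"]
        payload = base64.b64decode(message["payload"])
        mac = base64.b64decode(message["mac"])
        _check_attributes(attrs)
    except (KeyError, ValueError, TypeError):
        return None
    expected = hmac.new(key, _canonical(attrs, payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    return attrs, payload


if __name__ == "__main__":
    # Constructed sample: a 32-byte shared key and one labeled record.
    key = bytes(range(32))
    msg = label(b"quarterly figures", {"classification": "CONFIDENTIAL",
                                        "handling": "NOFORN",
                                        "origin_system": "erp-01"}, key)
    assert receive(msg, key) is not None
    # Downgrading the label in transit is detected.
    tampered = dict(msg, attrs=dict(msg["attrs"], classification="PUBLIC"))
    assert receive(tampered, key) is None
    print("attribute integrity checks passed")
```

A shared-key HMAC only proves the attributes came from a holder of that key, which is adequate between components of one system (SC-16[2][b]); for exchange between systems under different control (SC-16[2][a]) the same canonical encoding would be signed with the sender's private key instead, so the receiver can attribute the label to a specific origin.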
SYSTEM AND COMMUNICATIONS PROTECTION SC-18 MOBILE CODE "Determine if the organization:" System and communications protection policy;procedures addressing mobile code;mobile code usage restrictions, mobile code implementation policy and procedures;list of acceptable mobile code and mobile code technologies;list of unacceptable mobile code and mobile code technologies;authorization records;information system monitoring records;information system audit records;other relevant documents or records Organizational process for controlling, authorizing, monitoring, and restricting mobile code;automated mechanisms supporting and/or implementing the management of mobile code;automated mechanisms supporting and/or implementing the monitoring of mobile code System/network administrators;organizational personnel with information security responsibilities;organizational personnel with responsibilities for managing mobile code SC-18(a) "defines acceptable and unacceptable mobile code and mobile code technologies;" SC-18(b) SC-18(b)[1] "establishes usage restrictions for acceptable mobile code and mobile code technologies;" SC-18(b)[2] "establishes implementation guidance for acceptable mobile code and mobile code technologies;" SC-18(c) SC-18(c)[1] "authorizes the use of mobile code within the information system;" SC-18(c)[2] "monitors the use of mobile code within the information system; and" SC-18(c)[3] "controls the use of mobile code within the information system." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-18(1) IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS "Determine if:" System and communications protection policy;procedures addressing mobile code;mobile code usage restrictions, mobile code implementation policy and procedures;information system design documentation;information system configuration settings and associated documentation;list of unacceptable mobile code;list of corrective actions to be taken when unacceptable mobile code is identified;information system monitoring records;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing mobile code detection, inspection, and corrective capability System/network administrators;organizational personnel with information security responsibilities;system developer;organizational personnel with responsibilities for managing mobile code SC-18(1)[1] "the organization defines unacceptable mobile code to be identified by the information system;" SC-18(1)[2] "the organization defines corrective actions to be taken when the information system identifies organization-defined unacceptable mobile code;" SC-18(1)[3] "the information system:" SC-18(1)[3][a] "identifies organization-defined unacceptable mobile code; and" SC-18(1)[3][b] "takes organization-defined corrective actions." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-18(2) ACQUISITION / DEVELOPMENT / USE "Determine if the organization:" System and communications protection policy;procedures addressing mobile code;mobile code requirements;mobile code usage restrictions, mobile code implementation policy and procedures;acquisition documentation;acquisition contracts for information system, system component, or information system service;system development life cycle documentation;other relevant documents or records Organizational processes for the acquisition, development, and use of mobile code System/network administrators;organizational personnel with information security responsibilities;organizational personnel with responsibilities for managing mobile code;organizational personnel with acquisition and contracting responsibilities SC-18(2)[1] "defines requirements for:" SC-18(2)[1][a] "the acquisition of mobile code;" SC-18(2)[1][b] "the development of mobile code;" SC-18(2)[1][c] "the use of mobile code; and" SC-18(2)[2] "ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets organization-defined mobile code requirements." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-18(3) PREVENT DOWNLOADING / EXECUTION "Determine if:" System and communications protection policy;procedures addressing mobile code;mobile code usage restrictions, mobile code implementation policy and procedures;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms preventing download and execution of unacceptable mobile code System/network administrators;organizational personnel with information security responsibilities;system developer;organizational personnel with responsibilities for managing mobile code SC-18(3)[1] "the organization defines unacceptable mobile code to be prevented from downloading and execution;" SC-18(3)[2] "the information system prevents the:" SC-18(3)[2][a] "download of organization-defined unacceptable mobile code; and" SC-18(3)[2][b] "execution of organization-defined unacceptable mobile code." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-18(4) PREVENT AUTOMATIC EXECUTION "Determine if:" System and communications protection policy;procedures addressing mobile code;mobile code usage restrictions;mobile code implementation policy and procedures;information system design documentation;information system configuration settings and associated documentation;list of software applications for which automatic execution of mobile code must be prohibited;list of actions required before execution of mobile code;other relevant documents or records Automated mechanisms preventing automatic execution of unacceptable mobile code;automated mechanisms enforcing actions to be taken prior to the execution of the mobile code System/network administrators;organizational personnel with information security responsibilities;system developer;organizational personnel with responsibilities for managing mobile code SC-18(4)[1] "the organization defines software applications in which the automatic execution of mobile code is to be prohibited;" SC-18(4)[2] "the organization defines actions to be enforced by the information system prior to executing mobile code;" SC-18(4)[3] "the information system prevents the automatic execution of mobile code in the organization-defined software applications; and" SC-18(4)[4] "the information system enforces organization-defined actions prior to executing the code." SYSTEM AND COMMUNICATIONS PROTECTION SC-18(5) ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS "Determine if the organization allows execution of permitted mobile code only in confined virtual machine environments." 
System and communications protection policy;procedures addressing mobile code;mobile code usage allowances;mobile code usage restrictions;information system design documentation;information system configuration settings and associated documentation;list of confined virtual machine environments for which execution of organizationally-acceptable mobile code is allowed;information system audit records;other relevant documents or records Automated mechanisms allowing execution of permitted mobile code in confined virtual machine environments System/network administrators;organizational personnel with information security responsibilities;system developer;organizational personnel with responsibilities for managing mobile code SYSTEM AND COMMUNICATIONS PROTECTION SC-19 VOICE OVER INTERNET PROTOCOL "Determine if the organization:" System and communications protection policy;procedures addressing VoIP;VoIP usage restrictions;VoIP implementation guidance;information system design documentation;information system configuration settings and associated documentation;information system monitoring records;information system audit records;other relevant documents or records Organizational process for authorizing, monitoring, and controlling VoIP;automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling VoIP System/network administrators;organizational personnel with information security responsibilities;organizational personnel with responsibilities for managing VoIP SC-19(a) SC-19(a)[1] "establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;" SC-19(a)[2] "establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;" SC-19(b) SC-19(b)[1] "authorizes the use of VoIP within the information system;" SC-19(b)[2] "monitors the use of VoIP within the information system; and" SC-19(b)[3] "controls the use of VoIP within the information system." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) "Determine if the information system:" System and communications protection policy;procedures addressing secure name/address resolution service (authoritative source);information system design documentation;information system configuration settings and associated documentation;other relevant documents or records Automated mechanisms supporting and/or implementing secure name/address resolution service System/network administrators;organizational personnel with information security responsibilities;organizational personnel with responsibilities for managing DNS SC-20(a) "provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries;" SC-20(b) "provides the means to, when operating as part of a distributed, hierarchical namespace:" SC-20(b)[1] "indicate the security status of child zones; and" SC-20(b)[2] "enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services)." SYSTEM AND COMMUNICATIONS PROTECTION SC-20(1) CHILD SUBSPACES "[Withdrawn: Incorporated into SC-20]." SYSTEM AND COMMUNICATIONS PROTECTION SC-20(2) DATA ORIGIN / DATA INTEGRITY "Determine if the information system provides data origin and integrity protection artifacts for internal name/address resolution queries." 
System and communications protection policy;procedures addressing secure name/address resolution service (authoritative source);information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing data origin and integrity protection for internal name/address resolution service queries System/network administrators;organizational personnel with information security responsibilities;organizational personnel with responsibilities for managing DNS SYSTEM AND COMMUNICATIONS PROTECTION SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) "Determine if the information system: " System and communications protection policy;procedures addressing secure name/address resolution service (recursive or caching resolver);information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services System/network administrators;organizational personnel with information security responsibilities;organizational personnel with responsibilities for managing DNS SC-21[1] "requests data origin authentication on the name/address resolution responses the system receives from authoritative sources;" SC-21[2] "requests data integrity verification on the name/address resolution responses the system receives from authoritative sources;" SC-21[3] "performs data origin authentication on the name/address resolution responses the system receives from authoritative sources; and" SC-21[4] "performs data integrity verification on the name/address resolution responses the system receives from authoritative sources." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-21(1) DATA ORIGIN / INTEGRITY "[Withdrawn: Incorporated into SC-21]." SYSTEM AND COMMUNICATIONS PROTECTION SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE "Determine if the information systems that collectively provide name/address resolution service for an organization: " System and communications protection policy;procedures addressing architecture and provisioning for name/address resolution service;access control policy and procedures;information system design documentation;assessment results from independent, testing organizations;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing name/address resolution service for fault tolerance and role separation System/network administrators;organizational personnel with information security responsibilities;organizational personnel with responsibilities for managing DNS SC-22[1] "are fault tolerant; and" SC-22[2] "implement internal/external role separation." SYSTEM AND COMMUNICATIONS PROTECTION SC-23 SESSION AUTHENTICITY "Determine if the information system protects the authenticity of communications sessions." System and communications protection policy;procedures addressing session authenticity;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing session authenticity System/network administrators;organizational personnel with information security responsibilities SYSTEM AND COMMUNICATIONS PROTECTION SC-23(1) INVALIDATE SESSION IDENTIFIERS AT LOGOUT "Determine if the information system invalidates session identifiers upon user logout or other session termination." 
System and communications protection policy;procedures addressing session authenticity;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing session identifier invalidation upon session termination System/network administrators;organizational personnel with information security responsibilities SYSTEM AND COMMUNICATIONS PROTECTION SC-23(2) USER-INITIATED LOGOUTS / MESSAGE DISPLAYS "[Withdrawn: Incorporated into AC-12(1)]." SYSTEM AND COMMUNICATIONS PROTECTION SC-23(3) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION "Determine if:" System and communications protection policy;procedures addressing session authenticity;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing generating and monitoring unique session identifiers;automated mechanisms supporting and/or implementing randomness requirements System/network administrators;organizational personnel with information security responsibilities SC-23(3)[1] "the organization defines randomness requirements for generating a unique session identifier for each session;" SC-23(3)[2] "the information system generates a unique session identifier for each session with organization-defined randomness requirements; and" SC-23(3)[3] "the information system recognizes only session identifiers that are system-generated." SYSTEM AND COMMUNICATIONS PROTECTION SC-23(4) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION "[Withdrawn: Incorporated into SC-23(3)]." 
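Worked illustration for SC-23(1) and SC-23(3) (added here; it is not NIST text and not part of any assessed system). The three things an assessor tests under these objectives are that each session identifier is freshly generated from a CSPRNG to the organization-defined randomness requirement (SC-23(3)[2]), that the system recognizes only identifiers it issued itself rather than adopting a value the client presents (SC-23(3)[3], the defense against session fixation), and that logout or any other termination removes the identifier server-side so a replayed cookie is worthless (SC-23(1)). The 256-bit identifier size and the idle timeout are assumed organization-defined values; the class and method names are the example's own.

```python
"""Server-side session store meeting SC-23(1) and SC-23(3) objectives.

Added illustration, not NIST text. The 256-bit identifier size and the
idle timeout stand in for organization-defined values (SC-23(3)[1]).
"""
import secrets
import time

# Assumed organization-defined randomness requirement: 32 bytes (256 bits)
# drawn from the OS CSPRNG per identifier. For comparison, the OWASP Session
# Management Cheat Sheet sets a floor of 64 bits of entropy.
SESSION_ID_BYTES = 32
ISSUED_ENTROPY_BITS = SESSION_ID_BYTES * 8


class SessionStore:
    """Identifiers exist only if this store issued them; the store, not the
    client, is the authority on what a session id means."""

    def __init__(self, idle_timeout_s: float = 900.0, now=time.monotonic):
        self._sessions = {}        # sid -> {"user", "created", "last_seen"}
        self._now = now            # injectable clock so expiry is testable
        self._idle = idle_timeout_s

    def create(self, user: str) -> str:
        """SC-23(3)[2]: a fresh, CSPRNG-generated identifier per session."""
        while True:
            sid = secrets.token_urlsafe(SESSION_ID_BYTES)
            if sid not in self._sessions:  # uniqueness check; a collision is
                break                      # negligible at 256 bits but cheap
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def resolve(self, presented: str):
        """SC-23(3)[3]: recognize only identifiers this system generated.
        An unknown value (for instance one an attacker tried to fix in the
        victim's browser) is rejected rather than adopted; the store never
        creates a session for a client-chosen id. Returns the user or None."""
        entry = self._sessions.get(presented)
        if entry is None:
            return None
        now = self._now()
        if now - entry["last_seen"] > self._idle:
            self.invalidate(presented)     # idle expiry is also a termination
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, sid: str):
        """Issue a new id and discard the old one, e.g. at login, so an id
        that existed before authentication cannot be reused afterwards."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return None
        return self.create(entry["user"])

    def invalidate(self, sid: str) -> bool:
        """SC-23(1): logout or other termination removes the id server-side,
        so a replayed cookie is useless even if the browser still holds it."""
        return self._sessions.pop(sid, None) is not None

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    assert store.resolve(sid) == "alice"
    assert store.resolve("id-chosen-by-attacker") is None   # never adopted
    store.invalidate(sid)                                    # logout
    assert store.resolve(sid) is None                        # replay fails
    print("session identifier checks passed")
```

When reviewing a real implementation against SC-23(3)[3], the question to ask is what the framework does with a cookie value it has never seen: a store that silently creates a session keyed on the presented value fails the objective even if its generator is perfectly random.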
SYSTEM AND COMMUNICATIONS PROTECTION SC-23(5) ALLOWED CERTIFICATE AUTHORITIES "Determine if:" System and communications protection policy;procedures addressing session authenticity;information system design documentation;information system configuration settings and associated documentation;list of certificate authorities allowed for verification of the establishment of protected sessions;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing management of certificate authorities System/network administrators;organizational personnel with information security responsibilities SC-23(5)[1] "the organization defines certificate authorities to be allowed for verification of the establishment of protected sessions; and" SC-23(5)[2] "the information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions." SYSTEM AND COMMUNICATIONS PROTECTION SC-24 FAIL IN KNOWN STATE "Determine if:" System and communications protection policy;procedures addressing information system failure to known state;information system design documentation;information system configuration settings and associated documentation;list of failures requiring information system to fail in a known state;state information to be preserved in system failure;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing fail-in-known state capability;automated mechanisms preserving system state information in the event of a system failure System/network administrators;organizational personnel with information security responsibilities;system developer SC-24[1] "the organization defines a known-state to which the information system is to fail in the event of a system failure;" SC-24[2] "the organization defines types of failures for which the information system is to fail to an organization-defined known-state;" 
SC-24[3] "the organization defines system state information to be preserved in the event of a system failure;" SC-24[4] "the information system fails to the organization-defined known-state for organization-defined types of failures; and" SC-24[5] "the information system preserves the organization-defined system state information in the event of a system failure." SYSTEM AND COMMUNICATIONS PROTECTION SC-25 THIN NODES "Determine if the organization:" System and communications protection policy;procedures addressing use of thin nodes;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing thin nodes System/network administrators;organizational personnel with information security responsibilities SC-25[1] "defines information system components to be employed with minimal functionality and information storage; and" SC-25[2] "employs organization-defined information system components with minimal functionality and information storage." SYSTEM AND COMMUNICATIONS PROTECTION SC-26 HONEY POTS "Determine if the information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks." System and communications protection policy;procedures addressing use of honeypots;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing honey pots System/network administrators;organizational personnel with information security responsibilities;system developer SYSTEM AND COMMUNICATIONS PROTECTION SC-26(1) DETECTION OF MALICIOUS CODE "[Withdrawn: Incorporated into SC-35]." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-27 PLATFORM-INDEPENDENT APPLICATIONS "Determine if:" System and communications protection policy;procedures addressing platform-independent applications;information system design documentation;information system configuration settings and associated documentation;list of platform-independent applications;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing platform-independent applications System/network administrators;organizational personnel with information security responsibilities;system developer SC-27[1] "the organization defines platform-independent applications; and" SC-27[2] "the information system includes organization-defined platform-independent applications." SYSTEM AND COMMUNICATIONS PROTECTION SC-28 PROTECTION OF INFORMATION AT REST "Determine if:" System and communications protection policy;procedures addressing protection of information at rest;information system design documentation;information system configuration settings and associated documentation;cryptographic mechanisms and associated configuration documentation;list of information at rest requiring confidentiality and integrity protections;other relevant documents or records Automated mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest System/network administrators;organizational personnel with information security responsibilities;system developer SC-28[1] "the organization defines information at rest requiring one or more of the following:" SC-28[1][a] "confidentiality protection; and/or" SC-28[1][b] "integrity protection;" SC-28[2] "the information system protects:" SC-28[2][a] "the confidentiality of organization-defined information at rest; and/or" SC-28[2][b] "the integrity of organization-defined information at rest." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-28(1) CRYPTOGRAPHIC PROTECTIONS "Determine if:" System and communications protection policy;procedures addressing protection of information at rest;information system design documentation;information system configuration settings and associated documentation;cryptographic mechanisms and associated configuration documentation;information system audit records;other relevant documents or records Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest System/network administrators;organizational personnel with information security responsibilities;system developer SC-28(1)[1] "the organization defines information requiring cryptographic protection;" SC-28(1)[2] "the organization defines information system components with organization-defined information requiring cryptographic protection; and" SC-28(1)[3] "the information system employs cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information on organization-defined information system components." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-28(2) OFF-LINE STORAGE "Determine if the organization:" System and communications protection policy;procedures addressing protection of information at rest;information system design documentation;information system configuration settings and associated documentation;cryptographic mechanisms and associated configuration documentation;off-line storage locations for information at rest;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing removal of information from online storage;automated mechanisms supporting and/or implementing storage of information off-line System/network administrators;organizational personnel with information security responsibilities SC-28(2)[1] "defines information to be removed from online storage and stored off-line in a secure location;" SC-28(2)[2] "removes organization-defined information from online storage; and" SC-28(2)[3] "stores such information off-line in a secure location." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-29 HETEROGENEITY "Determine if the organization:" System and communications protection policy;information system design documentation;information system configuration settings and associated documentation;list of technologies deployed in the information system;acquisition documentation;acquisition contracts for information system components or services;other relevant documents or records Automated mechanisms supporting and/or implementing employment of a diverse set of information technologies System/network administrators;organizational personnel with information security responsibilities;organizational personnel with information system acquisition, development, and implementation responsibilities SC-29[1] "defines information system components requiring a diverse set of information technologies to be employed in the implementation of the information system; and" SC-29[2] "employs a diverse set of information technologies for organization-defined information system components in the implementation of the information system." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-29(1) VIRTUALIZATION TECHNIQUES "Determine if the organization:" System and communications protection policy;configuration management policy and procedures;information system design documentation;information system configuration settings and associated documentation;information system architecture;list of operating systems and applications deployed using virtualization techniques;change control records;configuration management records;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing employment of a diverse set of information technologies;automated mechanisms supporting and/or implementing virtualization techniques System/network administrators;organizational personnel with information security responsibilities;organizational personnel with responsibilities for implementing approved virtualization techniques to the information system SC-29(1)[1] "defines a frequency to change the diversity of operating systems and applications deployed using virtualization techniques; and" SC-29(1)[2] "employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed with the organization-defined frequency." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-30 CONCEALMENT AND MISDIRECTION
EXAMINE: System and communications protection policy; procedures addressing concealment and misdirection techniques for the information system; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of concealment and misdirection techniques to be employed for organizational information systems; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing concealment and misdirection techniques
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibility for implementing concealment and misdirection techniques for information systems
DECISION: Determine if the organization:
  SC-30[1] defines concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting organizational information systems;
  SC-30[2] defines information systems for which organization-defined concealment and misdirection techniques are to be employed;
  SC-30[3] defines time periods to employ organization-defined concealment and misdirection techniques for organization-defined information systems; and
  SC-30[4] employs organization-defined concealment and misdirection techniques for organization-defined information systems at organization-defined time periods to confuse and mislead adversaries.

SYSTEM AND COMMUNICATIONS PROTECTION SC-30(1) VIRTUALIZATION TECHNIQUES
[Withdrawn: Incorporated into SC-29(1)].
SYSTEM AND COMMUNICATIONS PROTECTION SC-30(2) RANDOMNESS
EXAMINE: System and communications protection policy; procedures addressing concealment and misdirection techniques for the information system; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of techniques to be employed to introduce randomness into organizational operations and assets; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing randomness as a concealment and misdirection technique
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibility for implementing concealment and misdirection techniques for information systems
DECISION: Determine if the organization:
  SC-30(2)[1] defines techniques to be employed to introduce randomness into organizational operations and assets; and
  SC-30(2)[2] employs organization-defined techniques to introduce randomness into organizational operations and assets.
SYSTEM AND COMMUNICATIONS PROTECTION SC-30(3) CHANGE PROCESSING / STORAGE LOCATIONS
EXAMINE: System and communications protection policy; configuration management policy and procedures; procedures addressing concealment and misdirection techniques for the information system; list of processing/storage locations to be changed at organizational time intervals; change control records; configuration management records; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing changing processing and/or storage locations
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibility for changing processing and/or storage locations
DECISION: Determine if the organization:
  SC-30(3)[1] defines processing and/or storage locations to be changed at time intervals specified by the organization;
  SC-30(3)[2] defines a frequency to change the location of organization-defined processing and/or storage; and
  SC-30(3)[3] changes the location of organization-defined processing and/or storage at one of the following:
    SC-30(3)[3][a] organization-defined time intervals; or
    SC-30(3)[3][b] random time intervals.
SYSTEM AND COMMUNICATIONS PROTECTION SC-30(4) MISLEADING INFORMATION
EXAMINE: System and communications protection policy; configuration management policy and procedures; procedures addressing concealment and misdirection techniques for the information system; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing employment of realistic, but misleading information about the security posture of information system components
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibility for defining and employing realistic, but misleading information about the security posture of information system components
DECISION: Determine if the organization:
  SC-30(4)[1] defines information system components in which to employ realistic, but misleading information regarding its security state or posture; and
  SC-30(4)[2] employs realistic, but misleading information in organization-defined information system components with regard to its security state or posture.
SYSTEM AND COMMUNICATIONS PROTECTION SC-30(5) CONCEALMENT OF SYSTEM COMPONENTS
EXAMINE: System and communications protection policy; configuration management policy and procedures; procedures addressing concealment and misdirection techniques for the information system; information system design documentation; information system configuration settings and associated documentation; list of techniques employed to hide or conceal information system components; list of information system components to be hidden or concealed; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing techniques for concealment of system components
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibility for concealment of system components
DECISION: Determine if the organization:
  SC-30(5)[1] defines techniques to be employed to hide or conceal information system components;
  SC-30(5)[2] defines information system components to be hidden or concealed using organization-defined techniques; and
  SC-30(5)[3] employs organization-defined techniques to hide or conceal organization-defined information system components.
SYSTEM AND COMMUNICATIONS PROTECTION SC-31 COVERT CHANNEL ANALYSIS
EXAMINE: System and communications protection policy; procedures addressing covert channel analysis; information system design documentation; information system configuration settings and associated documentation; covert channel analysis documentation; information system audit records; other relevant documents or records
TEST: Organizational process for conducting covert channel analysis; automated mechanisms supporting and/or implementing covert channel analysis; automated mechanisms supporting and/or implementing the capability to estimate the bandwidth of covert channels
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with covert channel analysis responsibilities; information system developers/integrators
DECISION: Determine if the organization:
  SC-31(a) performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for one or more of the following:
    SC-31(a)[1] covert storage channels; and/or
    SC-31(a)[2] covert timing channels; and
  SC-31(b) estimates the maximum bandwidth of those channels.

SYSTEM AND COMMUNICATIONS PROTECTION SC-31(1) TEST COVERT CHANNELS FOR EXPLOITABILITY
EXAMINE: System and communications protection policy; procedures addressing covert channel analysis; information system design documentation; information system configuration settings and associated documentation; list of covert channels; covert channel analysis documentation; information system audit records; other relevant documents or records
TEST: Organizational process for testing covert channels; automated mechanisms supporting and/or implementing testing of covert channels
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with covert channel analysis responsibilities
DECISION: Determine if the organization tests a subset of identified covert channels to determine which channels are exploitable.

SYSTEM AND COMMUNICATIONS PROTECTION SC-31(2) MAXIMUM BANDWIDTH
EXAMINE: System and communications protection policy; procedures addressing covert channel analysis; acquisition contracts for information systems or services; acquisition documentation; information system design documentation; information system configuration settings and associated documentation; covert channel analysis documentation; information system audit records; other relevant documents or records
TEST: Organizational process for conducting covert channel analysis; automated mechanisms supporting and/or implementing covert channel analysis; automated mechanisms supporting and/or implementing the capability to reduce the bandwidth of covert channels
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with covert channel analysis responsibilities; information system developers/integrators
DECISION: Determine if the organization:
  SC-31(2)[1] defines values to be employed as the maximum bandwidth allowed for identified covert channels; and
  SC-31(2)[2] reduces the maximum bandwidth to organization-defined values for one or more of the following identified:
    SC-31(2)[2][a] covert storage channels; and/or
    SC-31(2)[2][b] covert timing channels.
SYSTEM AND COMMUNICATIONS PROTECTION SC-31(3) MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS
EXAMINE: System and communications protection policy; procedures addressing covert channel analysis; information system design documentation; information system configuration settings and associated documentation; covert channel analysis documentation; information system audit records; other relevant documents or records
TEST: Organizational process for conducting covert channel analysis; automated mechanisms supporting and/or implementing covert channel analysis; automated mechanisms supporting and/or implementing the capability to measure the bandwidth of covert channels
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with covert channel analysis responsibilities; information system developers/integrators
DECISION: Determine if the organization:
  SC-31(3)[1] defines a subset of identified covert channels whose bandwidth is to be measured in the operational environment of the information system; and
  SC-31(3)[2] measures the bandwidth of the organization-defined subset of identified covert channels in the operational environment of the information system.
SYSTEM AND COMMUNICATIONS PROTECTION SC-32 INFORMATION SYSTEM PARTITIONING
EXAMINE: System and communications protection policy; procedures addressing information system partitioning; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of information system physical domains (or environments); information system facility diagrams; information system network diagrams; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing physical separation of information system components
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators
DECISION: Determine if the organization:
  SC-32[1] defines circumstances for physical separation of information system components into information system partitions;
  SC-32[2] defines information system components to reside in separate physical domains or environments based on organization-defined circumstances for physical separation of components; and
  SC-32[3] partitions the information system into organization-defined information system components residing in separate physical domains or environments based on organization-defined circumstances for physical separation of components.

SYSTEM AND COMMUNICATIONS PROTECTION SC-33 TRANSMISSION PREPARATION INTEGRITY
[Withdrawn: Incorporated into SC-8].
SYSTEM AND COMMUNICATIONS PROTECTION SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS
EXAMINE: System and communications protection policy; procedures addressing non-modifiable executable programs; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of operating system components to be loaded from hardware-enforced, read-only media; list of applications to be loaded from hardware-enforced, read-only media; media used to load and execute information system operating environment; media used to load and execute information system applications; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing loading and executing the operating environment from hardware-enforced, read-only media; automated mechanisms supporting and/or implementing loading and executing applications from hardware-enforced, read-only media
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators
DECISION: Determine if:
  SC-34[1] the organization defines information system components for which the operating environment and organization-defined applications are to be loaded and executed from hardware-enforced, read-only media;
  SC-34[2] the organization defines applications to be loaded and executed from hardware-enforced, read-only media;
  SC-34[3] the information system, at organization-defined information system components:
    SC-34[3](a) loads and executes the operating environment from hardware-enforced, read-only media; and
    SC-34[3](b) loads and executes organization-defined applications from hardware-enforced, read-only media.
SYSTEM AND COMMUNICATIONS PROTECTION SC-34(1) NO WRITABLE STORAGE
EXAMINE: System and communications protection policy; procedures addressing non-modifiable executable programs; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of information system components to be employed without writeable storage capability; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing employment of components with no writeable storage; automated mechanisms supporting and/or implementing persistent non-writeable storage across component restart and power on/off
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators
DECISION: Determine if the organization:
  SC-34(1)[1] defines information system components to be employed with no writeable storage; and
  SC-34(1)[2] employs organization-defined information system components with no writeable storage that is persistent across component restart or power on/off.
SYSTEM AND COMMUNICATIONS PROTECTION SC-34(2) INTEGRITY PROTECTION/READ-ONLY MEDIA
EXAMINE: System and communications protection policy; procedures addressing non-modifiable executable programs; information system design documentation; information system configuration settings and associated documentation; information system architecture; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing capability for protecting information integrity on read-only media prior to storage and after information has been recorded onto the media
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators
DECISION: Determine if the organization:
  SC-34(2)[1] protects the integrity of the information prior to storage on read-only media; and
  SC-34(2)[2] controls the media after such information has been recorded onto the media.
SYSTEM AND COMMUNICATIONS PROTECTION SC-34(3) HARDWARE-BASED PROTECTION
EXAMINE: System and communications protection policy; procedures addressing firmware modifications; information system design documentation; information system configuration settings and associated documentation; information system architecture; information system audit records; other relevant documents or records
TEST: Organizational processes for modifying firmware; automated mechanisms supporting and/or implementing hardware-based, write-protection for firmware
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators
DECISION: Determine if the organization:
  SC-34(3)(a)
    SC-34(3)(a)[1] defines information system firmware components for which hardware-based, write-protection is to be employed;
    SC-34(3)(a)[2] employs hardware-based, write-protection for organization-defined information system firmware components;
  SC-34(3)(b)
    SC-34(3)(b)[1] defines individuals authorized to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode; and
    SC-34(3)(b)[2] implements specific procedures for organization-defined authorized individuals to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.

SYSTEM AND COMMUNICATIONS PROTECTION SC-35 HONEYCLIENTS
EXAMINE: System and communications protection policy; procedures addressing honeyclients; information system design documentation; information system configuration settings and associated documentation; information system components deployed to identify malicious websites and/or web-based malicious code; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing honeyclients
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators
DECISION: Determine if the information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.

SYSTEM AND COMMUNICATIONS PROTECTION SC-36 DISTRIBUTED PROCESSING AND STORAGE
EXAMINE: System and communications protection policy; contingency planning policy and procedures; contingency plan; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of information system physical locations (or environments) with distributed processing and storage; information system facility diagrams; processing site agreements; storage site agreements; other relevant documents or records
TEST: Organizational processes for distributing processing and storage across multiple physical locations; automated mechanisms supporting and/or implementing capability for distributing processing and storage across multiple physical locations
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with contingency planning and plan implementation responsibilities; information system developers/integrators
DECISION: Determine if the organization:
  SC-36[1] defines processing and storage to be distributed across multiple physical locations; and
  SC-36[2] distributes organization-defined processing and storage across multiple physical locations.

SYSTEM AND COMMUNICATIONS PROTECTION SC-36(1) POLLING TECHNIQUES
EXAMINE: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of distributed processing and storage components subject to polling; information system polling techniques and associated documentation or records; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing polling techniques
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators
DECISION: Determine if the organization:
  SC-36(1)[1] defines distributed processing and storage components for which polling techniques are to be employed to identify potential faults, errors, or compromises; and
  SC-36(1)[2] employs polling techniques to identify potential faults, errors, or compromises to organization-defined distributed processing and storage components.
SYSTEM AND COMMUNICATIONS PROTECTION SC-37 OUT-OF-BAND CHANNELS
EXAMINE: System and communications protection policy; procedures addressing use of out-of-band channels; access control policy and procedures; identification and authentication policy and procedures; information system design documentation; information system architecture; information system configuration settings and associated documentation; list of out-of-band channels; types of information, information system components, or devices requiring use of out-of-band channels for physical delivery or electronic transmission to authorized individuals or information systems; physical delivery records; electronic transmission records; information system audit records; other relevant documents or records
TEST: Organizational processes for use of out-of-band channels; automated mechanisms supporting and/or implementing use of out-of-band channels
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel authorizing, installing, configuring, operating, and/or using out-of-band channels; information system developers/integrators
DECISION: Determine if the organization:
  SC-37[1] defines out-of-band channels to be employed for the physical delivery or electronic transmission of information, information system components, or devices to individuals or information systems;
  SC-37[2] defines information, information system components, or devices for which physical delivery or electronic transmission of such information, information system components, or devices to individuals or information systems requires employment of organization-defined out-of-band channels;
  SC-37[3] defines individuals or information systems to which physical delivery or electronic transmission of organization-defined information, information system components, or devices is to be achieved via employment of organization-defined out-of-band channels; and
  SC-37[4] employs organization-defined out-of-band channels for the physical delivery or electronic transmission of organization-defined information, information system components, or devices to organization-defined individuals or information systems.

SYSTEM AND COMMUNICATIONS PROTECTION SC-37(1) ENSURE DELIVERY / TRANSMISSION
EXAMINE: System and communications protection policy; procedures addressing use of out-of-band channels; access control policy and procedures; identification and authentication policy and procedures; information system design documentation; information system architecture; information system configuration settings and associated documentation; list of security safeguards to be employed to ensure designated individuals or information systems receive organization-defined information, information system components, or devices; list of security safeguards for delivering designated information, information system components, or devices to designated individuals or information systems; list of information, information system components, or devices to be delivered to designated individuals or information systems; information system audit records; other relevant documents or records
TEST: Organizational processes for use of out-of-band channels; automated mechanisms supporting and/or implementing use of out-of-band channels; automated mechanisms supporting/implementing safeguards to ensure delivery of designated information, system components, or devices
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel authorizing, installing, configuring, operating, and/or using out-of-band channels; information system developers/integrators
DECISION: Determine if the organization:
  SC-37(1)[1] defines security safeguards to be employed to ensure that only designated individuals or information systems receive specific information, information system components, or devices;
  SC-37(1)[2] defines individuals or information systems designated to receive specific information, information system components, or devices;
  SC-37(1)[3] defines information, information system components, or devices that only organization-defined individuals or information systems are designated to receive; and
  SC-37(1)[4] employs organization-defined security safeguards to ensure that only organization-defined individuals or information systems receive the organization-defined information, information system components, or devices.

SYSTEM AND COMMUNICATIONS PROTECTION SC-38 OPERATIONS SECURITY
EXAMINE: System and communications protection policy; procedures addressing operations security; security plan; list of operations security safeguards; security control assessments; risk assessments; threat and vulnerability assessments; plans of action and milestones; system development life cycle documentation; other relevant documents or records
TEST: Organizational processes for protecting organizational information throughout the SDLC; automated mechanisms supporting and/or implementing safeguards to protect organizational information throughout the SDLC
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators
DECISION: Determine if the organization:
  SC-38[1] defines operations security safeguards to be employed to protect key organizational information throughout the system development life cycle; and
  SC-38[2] employs organization-defined operations security safeguards to protect key organizational information throughout the system development life cycle.

SYSTEM AND COMMUNICATIONS PROTECTION SC-39 PROCESS ISOLATION
EXAMINE: Information system design documentation; information system architecture; independent verification and validation documentation; testing and evaluation documentation; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing separate execution domains for each executing process
INTERVIEW: Information system developers/integrators; information system security architect
DECISION: Determine if the information system maintains a separate execution domain for each executing process.

SYSTEM AND COMMUNICATIONS PROTECTION SC-39(1) HARDWARE SEPARATION
EXAMINE: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; information system documentation for hardware separation mechanisms; information system documentation from vendors, manufacturers or developers; independent verification and validation documentation; other relevant documents or records
TEST: Information system capability implementing underlying hardware separation mechanisms for process separation
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators
DECISION: Determine if the information system implements underlying hardware separation mechanisms to facilitate process separation.

SYSTEM AND COMMUNICATIONS PROTECTION SC-39(2) THREAD ISOLATION
EXAMINE: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of information system execution domains for each thread in multi-threaded processing; information system documentation for multi-threaded processing; information system documentation from vendors, manufacturers or developers; independent verification and validation documentation; other relevant documents or records
TEST: Information system capability implementing a separate execution domain for each thread in multi-threaded processing
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; information system developers/integrators
DECISION: Determine if the information system:
  SC-39(2)[1] defines multi-threaded processing for which a separate execution domain is to be maintained for each thread in multi-threaded processing; and
  SC-39(2)[2] maintains a separate execution domain for each thread in organization-defined multi-threaded processing.

SYSTEM AND COMMUNICATIONS PROTECTION SC-40 WIRELESS LINK PROTECTION
EXAMINE: System and communications protection policy; access control policy and procedures; procedures addressing wireless link protection; information system design documentation; wireless network diagrams; information system configuration settings and associated documentation; information system architecture; list of internal and external wireless links; list of signal parameter attacks or references to sources for attacks; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing protection of wireless links
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel authorizing, installing, configuring and/or maintaining internal and external wireless links
DECISION: Determine if:
  SC-40[1] the organization defines:
    SC-40[1][a] internal wireless links to be protected from particular types of signal parameter attacks;
    SC-40[1][b] external wireless links to be protected from particular types of signal parameter attacks;
  SC-40[2] the organization defines types of signal parameter attacks or references to sources for such attacks that are based upon exploiting the signal parameters of organization-defined internal and external wireless links; and
  SC-40[3] the information system protects internal and external organization-defined wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks.

SYSTEM AND COMMUNICATIONS PROTECTION SC-40(1) ELECTROMAGNETIC INTERFERENCE
EXAMINE: System and communications protection policy; access control policy and procedures; procedures addressing wireless link protection; information system design documentation; wireless network diagrams; information system configuration settings and associated documentation; information system architecture; information system communications hardware and software; security categorization results; information system audit records; other relevant documents or records
TEST: Cryptographic mechanisms enforcing protections against effects of intentional electromagnetic interference
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel authorizing, installing, configuring and/or maintaining internal and external wireless links
DECISION: Determine if:
  SC-40(1)[1] the organization defines the level of protection to be employed against the effects of intentional electromagnetic interference; and
  SC-40(1)[2] the information system employs cryptographic mechanisms that achieve the organization-defined level of protection against the effects of intentional electromagnetic interference.
SYSTEM AND COMMUNICATIONS PROTECTION SC-40(2) REDUCE DETECTION POTENTIAL "Determine if:" System and communications protection policy;access control policy and procedures;procedures addressing wireless link protection;information system design documentation;wireless network diagrams;information system configuration settings and associated documentation;information system architecture;information system communications hardware and software;security categorization results;information system audit records;other relevant documents or records Cryptographic mechanisms enforcing protections to reduce detection of wireless links System/network administrators;organizational personnel with information security responsibilities;system developer;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel authorizing, installing, configuring and/or maintaining internal and external wireless links SC-40(2)[1] "the organization defines level of reduction to be achieved to reduce the detection potential of wireless links; and" SC-40(2)[2] "the information system implements cryptographic mechanisms to reduce the detection potential of wireless links to organization-defined level of reduction." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-40(3) IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION "Determine if the information system implements cryptographic mechanisms to:" System and communications protection policy;access control policy and procedures;procedures addressing wireless link protection;information system design documentation;wireless network diagrams;information system configuration settings and associated documentation;information system architecture;information system communications hardware and software;information system audit records;other relevant documents or records Cryptographic mechanisms enforcing wireless link protections against imitative or manipulative communications deception System/network administrators;organizational personnel with information security responsibilities;system developer;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel authorizing, installing, configuring and/or maintaining internal and external wireless links SC-40(3)[1] "identify wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters; and" SC-40(3)[2] "reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-40(4) SIGNAL PARAMETER IDENTIFICATION "Determine if:" System and communications protection policy;access control policy and procedures;procedures addressing wireless link protection;information system design documentation;wireless network diagrams;information system configuration settings and associated documentation;information system architecture;information system communications hardware and software;information system audit records;other relevant documents or records Cryptographic mechanisms preventing the identification of wireless transmitters System/network administrators;organizational personnel with information security responsibilities;system developer;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel authorizing, installing, configuring and/or maintaining internal and external wireless links SC-40(4)[1] "the organization defines wireless transmitters for which cryptographic mechanisms are to be implemented to prevent identification of such transmitters by using the transmitter signal parameters; and" SC-40(4)[2] "the information system implements cryptographic mechanisms to prevent the identification of organization-defined wireless transmitters by using the transmitter signal parameters." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-41 PORT AND I/O DEVICE ACCESS "Determine if the organization:" System and communications protection policy;access control policy and procedures;procedures addressing port and input/output device access;information system design documentation;information system configuration settings and associated documentation;information system architecture;information systems or information system components;list of connection ports or input/output devices to be physically disabled or removed on information systems or information system components;other relevant documents or records Automated mechanisms supporting and/or implementing disabling of connection ports or input/output devices System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system SC-41[1] "defines connection ports or input/output devices to be physically disabled or removed on information systems or information system components;" SC-41[2] "defines information systems or information system components with organization-defined connection ports or input/output devices that are to be physically disabled or removed; and" SC-41[3] "physically disables or removes organization-defined connection ports or input/output devices on organization-defined information systems or information system components." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-42 SENSOR CAPABILITY AND DATA "Determine if:" System and communications protection policy;procedures addressing sensor capability and data collection;access control policy and procedures;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms implementing access controls for remote activation of information system sensor capabilities;automated mechanisms implementing capability to indicate sensor use System/network administrators;organizational personnel with information security responsibilities;system developer;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for sensor capability SC-42(a) SC-42(a)[1] "the organization defines exceptions where remote activation of sensors is to be allowed;" SC-42(a)[2] "the information system prohibits the remote activation of sensors, except for organization-defined exceptions where remote activation of sensors is to be allowed;" SC-42(b) SC-42(b)[1] "the organization defines the class of users to whom an explicit indication of sensor use is to be provided; and" SC-42(b)[2] "the information system provides an explicit indication of sensor use to the organization-defined class of users." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-42(1) REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES "Determine if the organization:" System and communications protection policy;access control policy and procedures;procedures addressing sensor capability and data collection;information system design documentation;information system configuration settings and associated documentation;information system architecture;information system audit records;other relevant documents or records Automated mechanisms restricting reporting of sensor information only to those authorized;sensor data collection and reporting capability for the information system System/network administrators;organizational personnel with information security responsibilities;system developer;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for sensor capability SC-42(1)[1] "defines sensors to be used to collect data or information only reported to authorized individuals or roles; and" SC-42(1)[2] "ensures that the information system is configured so that data or information collected by the organization-defined sensors is only reported to authorized individuals or roles." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-42(2) AUTHORIZED USE "Determine if the organization:" System and communications protection policy;access control policy and procedures;procedures addressing sensor capability and data collection;information system design documentation;information system configuration settings and associated documentation;information system architecture;list of measures to be employed to ensure data or information collected by sensors is only used for authorized purposes;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing measures to ensure sensor information is only used for authorized purposes;sensor information collection capability for the information system System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for sensor capability SC-42(2)[1] "defines measures to be employed so that data or information collected by sensors is only used for authorized purposes;" SC-42(2)[2] "defines sensors to be used to collect data or information for authorized purposes only; and" SC-42(2)[3] "employs organization-defined measures so that data or information collected by organization-defined sensors is only used for authorized purposes." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-42(3) PROHIBIT USE OF DEVICES "Determine if the organization:" System and communications protection policy;access control policy and procedures;procedures addressing sensor capability and data collection;information system design documentation;wireless network diagrams;information system configuration settings and associated documentation;information system architecture;facilities, areas, or systems where use of devices possessing environmental sensing capabilities is prohibited;list of devices possessing environmental sensing capabilities;other relevant documents or records System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for sensor capability SC-42(3)[1] "defines environmental sensing capabilities to be prohibited from use in facilities, areas, or systems;" SC-42(3)[2] "defines facilities, areas, or systems where the use of devices possessing organization-defined environmental sensing capabilities is to be prohibited; and" SC-42(3)[3] "prohibits the use of devices possessing organization-defined environmental sensing capabilities in organization-defined facilities, areas, or systems." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-43 USAGE RESTRICTIONS "Determine if the organization:" System and communications protection policy;procedures addressing usage restrictions;usage restrictions;implementation policy and procedures;authorization records;information system monitoring records;information system audit records;other relevant documents or records Organizational processes for authorizing, monitoring, and controlling use of components with usage restrictions;automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling use of components with usage restrictions System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system SC-43(a) SC-43(a)[1] "defines information system components for which usage restrictions and implementation guidance are to be established;" SC-43(a)[2] "establishes, for organization-defined information system components:" SC-43(a)[2][a] "usage restrictions based on the potential to cause damage to the information system if used maliciously;" SC-43(a)[2][b] "implementation guidance based on the potential to cause damage to the information system if used maliciously;" SC-43(b) SC-43(b)[1] "authorizes the use of such components within the information system;" SC-43(b)[2] "monitors the use of such components within the information system; and" SC-43(b)[3] "controls the use of such components within the information system." 
SYSTEM AND COMMUNICATIONS PROTECTION SC-44 DETONATION CHAMBERS "Determine if the organization:" System and communications protection policy;procedures addressing detonation chambers;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing detonation chamber capability System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system SC-44[1] "defines information system, system component, or location where a detonation chamber capability is to be employed; and" SC-44[2] "employs a detonation chamber capability within organization-defined information system, system component, or location." 
SYSTEM AND INFORMATION INTEGRITY SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES "Determine if the organization:" System and information integrity policy and procedures;other relevant documents or records Organizational personnel with system and information integrity responsibilities;organizational personnel with information security responsibilities SI-1(a)(1) SI-1(a)(1)[1] "develops and documents a system and information integrity policy that addresses:" SI-1(a)(1)[1][a] "purpose;" SI-1(a)(1)[1][b] "scope;" SI-1(a)(1)[1][c] "roles;" SI-1(a)(1)[1][d] "responsibilities;" SI-1(a)(1)[1][e] "management commitment;" SI-1(a)(1)[1][f] "coordination among organizational entities;" SI-1(a)(1)[1][g] "compliance;" SI-1(a)(1)[2] "defines personnel or roles to whom the system and information integrity policy is to be disseminated;" SI-1(a)(1)[3] "disseminates the system and information integrity policy to organization-defined personnel or roles;" SI-1(a)(2) SI-1(a)(2)[1] "develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;" SI-1(a)(2)[2] "defines personnel or roles to whom the procedures are to be disseminated;" SI-1(a)(2)[3] "disseminates the procedures to organization-defined personnel or roles;" SI-1(b)(1) SI-1(b)(1)[1] "defines the frequency to review and update the current system and information integrity policy;" SI-1(b)(1)[2] "reviews and updates the current system and information integrity policy with the organization-defined frequency;" SI-1(b)(2) SI-1(b)(2)[1] "defines the frequency to review and update the current system and information integrity procedures; and" SI-1(b)(2)[2] "reviews and updates the current system and information integrity procedures with the organization-defined frequency." 
SYSTEM AND INFORMATION INTEGRITY SI-2 FLAW REMEDIATION "Determine if the organization:" System and information integrity policy;procedures addressing flaw remediation;procedures addressing configuration management;list of flaws and vulnerabilities potentially affecting the information system;list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws);test results from the installation of software and firmware updates to correct information system flaws;installation/change control records for security-relevant software and firmware updates;other relevant documents or records Organizational processes for identifying, reporting, and correcting information system flaws;organizational process for installing software and firmware updates;automated mechanisms supporting and/or implementing reporting and correcting information system flaws;automated mechanisms supporting and/or implementing testing software and firmware updates System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for flaw remediation;organizational personnel with configuration management responsibility SI-2(a) SI-2(a)[1] "identifies information system flaws;" SI-2(a)[2] "reports information system flaws;" SI-2(a)[3] "corrects information system flaws;" SI-2(b) SI-2(b)[1] "tests software updates related to flaw remediation for effectiveness and potential side effects before installation;" SI-2(b)[2] "tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;" SI-2(c) SI-2(c)[1] "defines the time period within which to install security-relevant software updates after the release of the updates;" SI-2(c)[2] "defines the time period within which to install security-relevant firmware updates after the release of the updates;" SI-2(c)[3] "installs software updates within the organization-defined time period of the release of the updates;" SI-2(c)[4] "installs firmware updates within the organization-defined time period of the release of the updates; and" SI-2(d) "incorporates flaw remediation into the organizational configuration management process." 
SYSTEM AND INFORMATION INTEGRITY SI-2(1) CENTRAL MANAGEMENT "Determine if the organization centrally manages the flaw remediation process." System and information integrity policy;procedures addressing flaw remediation;automated mechanisms supporting centralized management of flaw remediation;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Organizational processes for central management of the flaw remediation process;automated mechanisms supporting and/or implementing central management of the flaw remediation process System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for flaw remediation 
SYSTEM AND INFORMATION INTEGRITY SI-2(2) AUTOMATED FLAW REMEDIATION STATUS "Determine if the organization:" System and information integrity policy;procedures addressing flaw remediation;automated mechanisms supporting centralized management of flaw remediation;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms used to determine the state of information system components with regard to flaw remediation System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for flaw remediation SI-2(2)[1] "defines a frequency to employ automated mechanisms to determine the state of information system components with regard to flaw remediation; and" SI-2(2)[2] "employs automated mechanisms with the organization-defined frequency to determine the state of information system components with regard to flaw remediation." 
SYSTEM AND INFORMATION INTEGRITY SI-2(3) TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS "Determine if the organization:" System and information integrity policy;procedures addressing flaw remediation;information system design documentation;information system configuration settings and associated documentation;list of benchmarks for taking corrective action on flaws identified;records providing time stamps of flaw identification and subsequent flaw remediation activities;other relevant documents or records Organizational processes for identifying, reporting, and correcting information system flaws;automated mechanisms used to measure the time between flaw identification and flaw remediation System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for flaw remediation SI-2(3)(a) "measures the time between flaw identification and flaw remediation;" SI-2(3)(b) SI-2(3)(b)[1] "defines benchmarks for taking corrective actions; and" SI-2(3)(b)[2] "establishes organization-defined benchmarks for taking corrective actions." 
SYSTEM AND INFORMATION INTEGRITY SI-2(4) AUTOMATED PATCH MANAGEMENT TOOLS "[Withdrawn: Incorporated into SI-2]." 
SYSTEM AND INFORMATION INTEGRITY SI-2(5) AUTOMATIC SOFTWARE / FIRMWARE UPDATES "Determine if the organization:" System and information integrity policy;procedures addressing flaw remediation;automated mechanisms supporting flaw remediation and automatic software/firmware updates;information system design documentation;information system configuration settings and associated documentation;records of recent security-relevant software and firmware updates automatically installed to information system components;information system audit records;other relevant documents or records Automated mechanisms implementing automatic software/firmware updates System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for flaw remediation SI-2(5)[1] SI-2(5)[1][a] "defines information system components requiring security-relevant software updates to be automatically installed;" SI-2(5)[1][b] "defines information system components requiring security-relevant firmware updates to be automatically installed;" SI-2(5)[2] SI-2(5)[2][a] "defines security-relevant software updates to be automatically installed to organization-defined information system components;" SI-2(5)[2][b] "defines security-relevant firmware updates to be automatically installed to organization-defined information system components;" SI-2(5)[3] SI-2(5)[3][a] "installs organization-defined security-relevant software updates automatically to organization-defined information system components; and" SI-2(5)[3][b] "installs organization-defined security-relevant firmware updates automatically to organization-defined information system components." 
SYSTEM AND INFORMATION INTEGRITY SI-2(6) REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWARE "Determine if the organization:" System and information integrity policy;procedures addressing flaw remediation;automated mechanisms supporting flaw remediation;information system design documentation;information system configuration settings and associated documentation;records of software and firmware component removals after updated versions are installed;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing removal of previous versions of software/firmware System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for flaw remediation SI-2(6)[1] SI-2(6)[1][a] "defines software components to be removed after updated versions have been installed;" SI-2(6)[1][b] "defines firmware components to be removed after updated versions have been installed;" SI-2(6)[2] SI-2(6)[2][a] "removes organization-defined software components after updated versions have been installed; and" SI-2(6)[2][b] "removes organization-defined firmware components after updated versions have been installed." 
SYSTEM AND INFORMATION INTEGRITY SI-3 MALICIOUS CODE PROTECTION "Determine if the organization:" System and information integrity policy;configuration management policy and procedures;procedures addressing malicious code protection;malicious code protection mechanisms;records of malicious code protection updates;information system design documentation;information system configuration settings and associated documentation;scan results from malicious code protection mechanisms;record of actions initiated by malicious code protection mechanisms in response to malicious code detection;information system audit records;other relevant documents or records Organizational processes for employing, updating, and configuring malicious code protection mechanisms;organizational process for addressing false positives and resulting potential impact;automated mechanisms supporting and/or implementing employing, updating, and configuring malicious code protection mechanisms;automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for malicious code protection;organizational personnel with configuration management responsibility SI-3(a) "employs malicious code protection mechanisms to detect and eradicate malicious code at information system:" SI-3(a)[1] "entry points;" SI-3(a)[2] "exit points;" SI-3(b) "updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);" SI-3(c) SI-3(c)[1] "defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;" SI-3(c)[2] "defines action to be initiated by malicious code protection mechanisms in response to malicious code detection;" SI-3(c)[3] SI-3(c)[3](1) "configures malicious code protection mechanisms to:" SI-3(c)[3](1)[a] "perform periodic scans of the information system with the organization-defined frequency;" SI-3(c)[3](1)[b] "perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;" SI-3(c)[3](2) "configures malicious code protection mechanisms to do one or more of the following:" SI-3(c)[3](2)[a] "block malicious code in response to malicious code detection;" SI-3(c)[3](2)[b] "quarantine malicious code in response to malicious code detection;" SI-3(c)[3](2)[c] "send alert to administrator in response to malicious code detection; and/or" SI-3(c)[3](2)[d] "initiate organization-defined action in response to malicious code detection;" SI-3(d) SI-3(d)[1] "addresses the receipt of false positives during malicious code detection and eradication; and" SI-3(d)[2] "addresses the resulting potential impact on the availability of the information system." 
SYSTEM AND INFORMATION INTEGRITY SI-3(1) CENTRAL MANAGEMENT "Determine if the organization centrally manages malicious code protection mechanisms." System and information integrity policy;procedures addressing malicious code protection;automated mechanisms supporting centralized management of malicious code protection mechanisms;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Organizational processes for central management of malicious code protection mechanisms;automated mechanisms supporting and/or implementing central management of malicious code protection mechanisms System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for malicious code protection 
SYSTEM AND INFORMATION INTEGRITY SI-3(2) AUTOMATIC UPDATES "Determine if the information system automatically updates malicious code protection mechanisms." System and information integrity policy;procedures addressing malicious code protection;automated mechanisms supporting centralized management of malicious code protection mechanisms;information system design documentation;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing automatic updates to malicious code protection capability System/network administrators;organizational personnel with information security responsibilities;system developers;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for malicious code protection 
SYSTEM AND INFORMATION INTEGRITY SI-3(3) NON-PRIVILEGED USERS "[Withdrawn: Incorporated into AC-6(10)]." 
SYSTEM AND INFORMATION INTEGRITY SI-3(4) UPDATES ONLY BY PRIVILEGED USERS "Determine if the information system updates malicious code protection mechanisms only when directed by a privileged user." System and information integrity policy;procedures addressing malicious code protection;information system design documentation;malicious code protection mechanisms;records of malicious code protection updates;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing malicious code protection capability System/network administrators;organizational personnel with information security responsibilities;system developers;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for malicious code protection SYSTEM AND INFORMATION INTEGRITY SI-3(5) PORTABLE STORAGE DEVICES "[Withdrawn: Incorporated into MP-7]." 
SYSTEM AND INFORMATION INTEGRITY SI-3(6) TESTING / VERIFICATION "Determine if the organization:" System and information integrity policy;procedures addressing malicious code protection;information system design documentation;information system configuration settings and associated documentation;test cases;records providing evidence of test cases executed on malicious code protection mechanisms;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing testing and verification of malicious code protection capability System/network administrators;organizational personnel with information security responsibilities;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for malicious code protection SI-3(6)(a) SI-3(6)(a)[1] "defines a frequency to test malicious code protection mechanisms;" SI-3(6)(a)[2] "tests malicious code protection mechanisms with the organization-defined frequency by introducing a known benign, non-spreading test case into the information system;" SI-3(6)(b) SI-3(6)(b)[1] "verifies that detection of the test case occurs; and" SI-3(6)(b)[2] "verifies that associated incident reporting occurs." 
SYSTEM AND INFORMATION INTEGRITY SI-3(7) NONSIGNATURE-BASED DETECTION "Determine if the information system implements nonsignature-based malicious code detection mechanisms." System and information integrity policy;procedures addressing malicious code protection;information system design documentation;malicious code protection mechanisms;records of malicious code protection updates;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing nonsignature-based malicious code protection capability System/network administrators;organizational personnel with information security responsibilities;system developers;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for malicious code protection 
SYSTEM AND INFORMATION INTEGRITY SI-3(8) DETECT UNAUTHORIZED COMMANDS "Determine if:" System and information integrity policy;procedures addressing malicious code protection;information system design documentation;malicious code protection mechanisms;warning messages sent upon detection of unauthorized operating system command execution;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing malicious code protection capability;automated mechanisms supporting and/or implementing detection of unauthorized operating system commands through the kernel application programming interface System/network administrators;organizational personnel with information security responsibilities;system developers;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for malicious code protection SI-3(8)[1] "the organization defines unauthorized operating system commands to be detected by the information system;" SI-3(8)[2] "the organization defines information system hardware components for which organization-defined unauthorized operating system commands are to be detected through the kernel application programming interface;" SI-3(8)[3] "the information system detects organization-defined unauthorized operating system commands through the kernel application programming interface at organization-defined information system hardware components, and does one or more of the following:" SI-3(8)[3][a] "issues a warning;" SI-3(8)[3][b] "audits the command execution; and/or" SI-3(8)[3][c] "prevents the execution of the command." 
SYSTEM AND INFORMATION INTEGRITY SI-3(9) AUTHENTICATE REMOTE COMMANDS "Determine if:" System and information integrity policy;procedures addressing malicious code protection;information system design documentation;malicious code protection mechanisms;warning messages sent upon detection of unauthorized operating system command execution;information system configuration settings and associated documentation;information system audit records;other relevant documents or records Automated mechanisms supporting and/or implementing malicious code protection capability;automated mechanisms implementing authentication of remote commands;automated mechanisms supporting and/or implementing security safeguards to authenticate remote commands System/network administrators;organizational personnel with information security responsibilities;system developers;organizational personnel installing, configuring, and/or maintaining the information system;organizational personnel with responsibility for malicious code protection SI-3(9)[1] "the organization defines security safeguards to be implemented by the information system to authenticate organization-defined remote commands;" SI-3(9)[2] "the organization defines remote commands to be authenticated by organization-defined security safeguards; and" SI-3(9)[3] "the information system implements organization-defined security safeguards to authenticate organization-defined remote commands." 
SYSTEM AND INFORMATION INTEGRITY SI-3(10) MALICIOUS CODE ANALYSIS
DECISION: "Determine if the organization:"
EXAMINE: System and information integrity policy; procedures addressing malicious code protection; procedures addressing incident response; procedures addressing flaw remediation; information system design documentation; malicious code protection mechanisms, tools, and techniques; information system configuration settings and associated documentation; results from malicious code analyses; records of flaw remediation events resulting from malicious code analyses; information system audit records; other relevant documents or records
TEST: Organizational process for incident response; organizational process for flaw remediation; automated mechanisms supporting and/or implementing malicious code protection capability; tools and techniques for analysis of malicious code characteristics and behavior
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection; organizational personnel responsible for flaw remediation; organizational personnel responsible for incident response/management
SI-3(10)(a)
  SI-3(10)(a)[1] "defines tools and techniques to be employed to analyze the characteristics and behavior of malicious code;"
  SI-3(10)(a)[2] "employs organization-defined tools and techniques to analyze the characteristics and behavior of malicious code; and"
SI-3(10)(b) "incorporates the results from malicious code analysis into incident response and flaw remediation processes."
SYSTEM AND INFORMATION INTEGRITY SI-4 INFORMATION SYSTEM MONITORING
DECISION: "Determine if the organization:"
EXAMINE: Continuous monitoring strategy; system and information integrity policy; procedures addressing information system monitoring tools and techniques; facility diagram/layout; information system design documentation; information system monitoring tools and techniques documentation; locations within information system where monitoring devices are deployed; information system configuration settings and associated documentation; other relevant documents or records
TEST: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing information system monitoring capability
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system
SI-4(a)
  SI-4(a)(1)
    SI-4(a)(1)[1] "defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;"
    SI-4(a)(1)[2] "monitors the information system to detect, in accordance with organization-defined monitoring objectives:"
      SI-4(a)(1)[2][a] "attacks;"
      SI-4(a)(1)[2][b] "indicators of potential attacks;"
  SI-4(a)(2) "monitors the information system to detect unauthorized:"
    SI-4(a)(2)[1] "local connections;"
    SI-4(a)(2)[2] "network connections;"
    SI-4(a)(2)[3] "remote connections;"
SI-4(b)
  SI-4(b)(1) "defines techniques and methods to identify unauthorized use of the information system;"
  SI-4(b)(2) "identifies unauthorized use of the information system through organization-defined techniques and methods;"
SI-4(c) "deploys monitoring devices:"
  SI-4(c)[1] "strategically within the information system to collect organization-determined essential information;"
  SI-4(c)[2] "at ad hoc locations within the system to track specific types of transactions of interest to the organization;"
SI-4(d) "protects information obtained from intrusion-monitoring tools from unauthorized:"
  SI-4(d)[1] "access;"
  SI-4(d)[2] "modification;"
  SI-4(d)[3] "deletion;"
SI-4(e) "heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"
SI-4(f) "obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;"
SI-4(g)
  SI-4(g)[1] "defines personnel or roles to whom information system monitoring information is to be provided;"
  SI-4(g)[2] "defines information system monitoring information to be provided to organization-defined personnel or roles;"
  SI-4(g)[3] "defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;"
  SI-4(g)[4] "provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:"
    SI-4(g)[4][a] "as needed; and/or"
    SI-4(g)[4][b] "with the organization-defined frequency."
SYSTEM AND INFORMATION INTEGRITY SI-4(1) SYSTEM-WIDE INTRUSION DETECTION SYSTEM
DECISION: "Determine if the organization:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection capability
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(1)[1] "connects individual intrusion detection tools into an information system-wide intrusion detection system; and"
SI-4(1)[2] "configures individual intrusion detection tools into an information system-wide intrusion detection system."

SYSTEM AND INFORMATION INTEGRITY SI-4(2) AUTOMATED TOOLS FOR REAL-TIME ANALYSIS
DECISION: "Determine if the organization employs automated tools to support near real-time analysis of events."
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for near real-time analysis of events; organizational processes for information system monitoring; automated mechanisms supporting and/or implementing information system monitoring; automated mechanisms/tools supporting and/or implementing analysis of events
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for incident response/management

SYSTEM AND INFORMATION INTEGRITY SI-4(3) AUTOMATED TOOL INTEGRATION
DECISION: "Determine if the organization, for rapid response to attacks by enabling reconfiguration of intrusion detection tools in support of attack isolation and elimination, employs automated tools to integrate intrusion detection tools into:"
EXAMINE: System and information integrity policy; access control policy and procedures; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms/tools supporting and/or implementing access/flow control capability; automated mechanisms/tools supporting and/or implementing integration of intrusion detection tools into access/flow control mechanisms
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(3)[1] "access control mechanisms; and"
SI-4(3)[2] "flow control mechanisms."

SYSTEM AND INFORMATION INTEGRITY SI-4(4) INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
DECISION: "Determine if the organization:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection capability/information system monitoring; automated mechanisms supporting and/or implementing monitoring of inbound/outbound communications traffic
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(4)[1] "defines a frequency to monitor:"
  SI-4(4)[1][a] "inbound communications traffic for unusual or unauthorized activities or conditions;"
  SI-4(4)[1][b] "outbound communications traffic for unusual or unauthorized activities or conditions;"
SI-4(4)[2] "monitors, with the organization-defined frequency:"
  SI-4(4)[2][a] "inbound communications traffic for unusual or unauthorized activities or conditions; and"
  SI-4(4)[2][b] "outbound communications traffic for unusual or unauthorized activities or conditions."

SYSTEM AND INFORMATION INTEGRITY SI-4(5) SYSTEM-GENERATED ALERTS
DECISION: "Determine if:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; alerts/notifications generated based on compromise indicators; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing alerts for compromise indicators
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(5)[1] "the organization defines compromise indicators for the information system;"
SI-4(5)[2] "the organization defines personnel or roles to be alerted when indications of compromise or potential compromise occur; and"
SI-4(5)[3] "the information system alerts organization-defined personnel or roles when organization-defined compromise indicators occur."

SYSTEM AND INFORMATION INTEGRITY SI-4(6) RESTRICT NON-PRIVILEGED USERS
DECISION: "[Withdrawn: Incorporated into AC-6(10)]."
SYSTEM AND INFORMATION INTEGRITY SI-4(7) AUTOMATED RESPONSE TO SUSPICIOUS EVENTS
DECISION: "Determine if:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; alerts/notifications generated based on detected suspicious events; records of actions taken to terminate suspicious events; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing notifications to incident response personnel; automated mechanisms supporting and/or implementing actions to terminate suspicious events
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(7)[1] "the organization defines incident response personnel (identified by name and/or by role) to be notified of detected suspicious events;"
SI-4(7)[2] "the organization defines least-disruptive actions to be taken by the information system to terminate suspicious events;"
SI-4(7)[3] "the information system notifies organization-defined incident response personnel of detected suspicious events; and"
SI-4(7)[4] "the information system takes organization-defined least-disruptive actions to terminate suspicious events."

SYSTEM AND INFORMATION INTEGRITY SI-4(8) PROTECTION OF MONITORING INFORMATION
DECISION: "[Withdrawn: Incorporated into SI-4]."
SYSTEM AND INFORMATION INTEGRITY SI-4(9) TESTING OF MONITORING TOOLS
DECISION: "Determine if the organization:"
EXAMINE: System and information integrity policy; procedures addressing testing of information system monitoring tools and techniques; documentation providing evidence of testing intrusion-monitoring tools; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing testing of intrusion-monitoring tools
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(9)[1] "defines a frequency to test intrusion-monitoring tools; and"
SI-4(9)[2] "tests intrusion-monitoring tools with the organization-defined frequency."
SYSTEM AND INFORMATION INTEGRITY SI-4(10) VISIBILITY OF ENCRYPTED COMMUNICATIONS
DECISION: "Determine if the organization:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing visibility of encrypted communications traffic to monitoring tools
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(10)[1] "defines encrypted communications traffic required to be visible to information system monitoring tools;"
SI-4(10)[2] "defines information system monitoring tools to be provided access to organization-defined encrypted communications traffic; and"
SI-4(10)[3] "makes provisions so that organization-defined encrypted communications traffic is visible to organization-defined information system monitoring tools."
SYSTEM AND INFORMATION INTEGRITY SI-4(11) ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES
DECISION: "Determine if the organization:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; network diagram; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing analysis of communications traffic
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(11)[1] "defines interior points within the system (e.g., subnetworks, subsystems) where communications traffic is to be analyzed;"
SI-4(11)[2] "analyzes outbound communications traffic to discover anomalies at:"
  SI-4(11)[2][a] "the external boundary of the information system; and"
  SI-4(11)[2][b] "selected organization-defined interior points within the system."
SYSTEM AND INFORMATION INTEGRITY SI-4(12) AUTOMATED ALERTS
DECISION: "Determine if the organization:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; list of inappropriate or unusual activities (with security implications) that trigger alerts; alerts/notifications provided to security personnel; information system monitoring logs or records; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing automated alerts to security personnel
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(12)[1] "defines activities that trigger alerts to security personnel based on inappropriate or unusual activities with security implications; and"
SI-4(12)[2] "employs automated mechanisms to alert security personnel of organization-defined activities that trigger alerts based on inappropriate or unusual activities with security implications."
SYSTEM AND INFORMATION INTEGRITY SI-4(13) ANALYZE TRAFFIC/EVENT PATTERNS
DECISION: "Determine if the organization:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; list of profiles representing common traffic patterns and/or events; information system protocols documentation; list of acceptable thresholds for false positives and false negatives; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing analysis of communications traffic/event patterns
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(13)(a) "analyzes communications traffic/event patterns for the information system;"
SI-4(13)(b) "develops profiles representing common traffic patterns and/or events;"
SI-4(13)(c) "uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and false negatives."
SYSTEM AND INFORMATION INTEGRITY SI-4(14) WIRELESS INTRUSION DETECTION
DECISION: "Determine if the organization employs a wireless intrusion detection system to:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection; automated mechanisms supporting and/or implementing wireless intrusion detection capability
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(14)[1] "identify rogue wireless devices;"
SI-4(14)[2] "detect attack attempts to the information system; and"
SI-4(14)[3] "detect potential compromises/breaches to the information system."

SYSTEM AND INFORMATION INTEGRITY SI-4(15) WIRELESS TO WIRELINE COMMUNICATIONS
DECISION: "Determine if the organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks."
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing wireless intrusion detection capability
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system

SYSTEM AND INFORMATION INTEGRITY SI-4(16) CORRELATE MONITORING INFORMATION
DECISION: "Determine if the organization correlates information from monitoring tools employed throughout the information system."
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; event correlation logs or records; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing correlation of information from monitoring tools
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system

SYSTEM AND INFORMATION INTEGRITY SI-4(17) INTEGRATED SITUATIONAL AWARENESS
DECISION: "Determine if the organization, to achieve integrated, organization-wide situational awareness, correlates information from monitoring:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; event correlation logs or records resulting from physical, cyber, and supply chain activities; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/system monitoring capability; automated mechanisms supporting and/or implementing correlation of information from monitoring tools
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(17)[1] "physical activities;"
SI-4(17)[2] "cyber activities; and"
SI-4(17)[3] "supply chain activities."

SYSTEM AND INFORMATION INTEGRITY SI-4(18) ANALYZE TRAFFIC / COVERT EXFILTRATION
DECISION: "Determine if the organization:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; network diagram; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; information system audit records; other relevant documents or records
TEST: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/system monitoring capability; automated mechanisms supporting and/or implementing analysis of outbound communications traffic
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system
SI-4(18)[1] "defines interior points within the system (e.g., subsystems, subnetworks) where communications traffic is to be analyzed;"
SI-4(18)[2] "to detect covert exfiltration of information, analyzes outbound communications traffic at:"
  SI-4(18)[2][a] "the external boundary of the information system (i.e., system perimeter); and"
  SI-4(18)[2][b] "organization-defined interior points within the system."

SYSTEM AND INFORMATION INTEGRITY SI-4(19) INDIVIDUALS POSING GREATER RISK
DECISION: "Determine if the organization:"
EXAMINE: System and information integrity policy; procedures addressing information system monitoring; information system design documentation; list of individuals who have been identified as posing an increased level of risk; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing system monitoring capability
INTERVIEW: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system
SI-4(19)[1] "defines sources that identify individuals who pose an increased level of risk;"
SI-4(19)[2] "defines additional monitoring to be implemented on individuals who have been identified by organization-defined sources as posing an increased level of risk; and"
SI-4(19)[3] "implements organization-defined additional monitoring of individuals who have been identified by organization-defined sources as posing an increased level of risk."
Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-4(20) PRIVILEGED USERS
Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; list of privileged users; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; information system audit records; other relevant documents or records
Test: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing system monitoring capability
Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system
Decision: Determine if the organization:
  SI-4(20)[1] defines additional monitoring to be implemented on privileged users; and
  SI-4(20)[2] implements organization-defined additional monitoring of privileged users.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-4(21) PROBATIONARY PERIODS
Examine: System and information integrity policy; procedures addressing information system monitoring; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; information system audit records; other relevant documents or records
Test: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing system monitoring capability
Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system
Decision: Determine if the organization:
  SI-4(21)[1] defines additional monitoring to be implemented on individuals during probationary periods;
  SI-4(21)[2] defines the probationary period during which organization-defined additional monitoring of individuals is to be performed; and
  SI-4(21)[3] implements organization-defined additional monitoring of individuals during the organization-defined probationary period.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-4(22) UNAUTHORIZED NETWORK SERVICES
Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; documented authorization/approval of network services; notifications or alerts of unauthorized network services; information system monitoring logs or records; information system audit records; other relevant documents or records
Test: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing system monitoring capability; automated mechanisms for auditing network services; automated mechanisms for providing alerts
Interview: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system
Decision: Determine if:
  SI-4(22)[1] the organization defines authorization or approval processes for network services;
  SI-4(22)[2] the organization defines personnel or roles to be alerted upon detection of network services that have not been authorized or approved by organization-defined authorization or approval processes;
  SI-4(22)[3] the information system detects network services that have not been authorized or approved by organization-defined authorization or approval processes and does one or more of the following:
    SI-4(22)[3][a] audits; and/or
    SI-4(22)[3][b] alerts organization-defined personnel or roles.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-4(23) HOST-BASED DEVICES
Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; host-based monitoring mechanisms; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; list of information system components requiring host-based monitoring; information system monitoring logs or records; information system audit records; other relevant documents or records
Test: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing host-based monitoring capability
Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring information system hosts
Decision: Determine if the organization:
  SI-4(23)[1] defines host-based monitoring mechanisms to be implemented;
  SI-4(23)[2] defines information system components where organization-defined host-based monitoring is to be implemented; and
  SI-4(23)[3] implements organization-defined host-based monitoring mechanisms at organization-defined information system components.
Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-4(24) INDICATORS OF COMPROMISE
Examine: System and information integrity policy; procedures addressing information system monitoring; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; information system audit records; other relevant documents or records
Test: Organizational processes for information system monitoring; organizational processes for discovery, collection, distribution, and use of indicators of compromise; automated mechanisms supporting and/or implementing system monitoring capability; automated mechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise
Interview: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring information system hosts
Decision: Determine if the information system:
  SI-4(24)[1] discovers indicators of compromise;
  SI-4(24)[2] collects indicators of compromise;
  SI-4(24)[3] distributes indicators of compromise; and
  SI-4(24)[4] uses indicators of compromise.
Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
Examine: System and information integrity policy; procedures addressing security alerts, advisories, and directives; records of security alerts and advisories; other relevant documents or records
Test: Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives; automated mechanisms supporting and/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives; automated mechanisms supporting and/or implementing security directives
Interview: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, and using the information system; organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated; system/network administrators; organizational personnel with information security responsibilities
Decision: Determine if the organization:
  SI-5(a)
    SI-5(a)[1] defines external organizations from whom information system security alerts, advisories and directives are to be received;
    SI-5(a)[2] receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;
  SI-5(b) generates internal security alerts, advisories, and directives as deemed necessary;
  SI-5(c)
    SI-5(c)[1] defines personnel or roles to whom security alerts, advisories, and directives are to be provided;
    SI-5(c)[2] defines elements within the organization to whom security alerts, advisories, and directives are to be provided;
    SI-5(c)[3] defines external organizations to whom security alerts, advisories, and directives are to be provided;
    SI-5(c)[4] disseminates security alerts, advisories, and directives to one or more of the following:
      SI-5(c)[4][a] organization-defined personnel or roles;
      SI-5(c)[4][b] organization-defined elements within the organization; and/or
      SI-5(c)[4][c] organization-defined external organizations; and
  SI-5(d)
    SI-5(d)[1] implements security directives in accordance with established time frames; or
    SI-5(d)[2] notifies the issuing organization of the degree of noncompliance.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-5(1) AUTOMATED ALERTS AND ADVISORIES
Examine: System and information integrity policy; procedures addressing security alerts, advisories, and directives; information system design documentation; information system configuration settings and associated documentation; automated mechanisms supporting the distribution of security alert and advisory information; records of security alerts and advisories; information system audit records; other relevant documents or records
Test: Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories; automated mechanisms supporting and/or implementing dissemination of security alerts and advisories
Interview: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, and using the information system; organizational personnel, organizational elements, and/or external organizations to whom alerts and advisories are to be disseminated; system/network administrators; organizational personnel with information security responsibilities
Decision: Determine if the organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-6 SECURITY FUNCTION VERIFICATION
Examine: System and information integrity policy; procedures addressing security function verification; information system design documentation; information system configuration settings and associated documentation; alerts/notifications of failed security verification tests; list of system transition states requiring security functionality verification; information system audit records; other relevant documents or records
Test: Organizational processes for security function verification; automated mechanisms supporting and/or implementing security function verification capability
Interview: Organizational personnel with security function verification responsibilities; organizational personnel implementing, operating, and maintaining the information system; system/network administrators; organizational personnel with information security responsibilities; system developer
Decision: Determine if:
  SI-6(a)
    SI-6(a)[1] the organization defines security functions to be verified for correct operation;
    SI-6(a)[2] the information system verifies the correct operation of organization-defined security functions;
  SI-6(b)
    SI-6(b)[1] the organization defines system transitional states requiring verification of organization-defined security functions;
    SI-6(b)[2] the organization defines a frequency to verify the correct operation of organization-defined security functions;
    SI-6(b)[3] the information system performs this verification one or more of the following:
      SI-6(b)[3][a] at organization-defined system transitional states;
      SI-6(b)[3][b] upon command by user with appropriate privilege; and/or
      SI-6(b)[3][c] with the organization-defined frequency;
  SI-6(c)
    SI-6(c)[1] the organization defines personnel or roles to be notified of failed security verification tests;
    SI-6(c)[2] the information system notifies organization-defined personnel or roles of failed security verification tests;
  SI-6(d)
    SI-6(d)[1] the organization defines alternative action(s) to be performed when anomalies are discovered;
    SI-6(d)[2] the information system performs one or more of the following actions when anomalies are discovered:
      SI-6(d)[2][a] shuts the information system down;
      SI-6(d)[2][b] restarts the information system; and/or
      SI-6(d)[2][c] performs organization-defined alternative action(s).
Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-6(1) NOTIFICATION OF FAILED SECURITY TESTS
Decision: [Withdrawn: Incorporated into SI-6].

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-6(2) AUTOMATION SUPPORT FOR DISTRIBUTED TESTING
Examine: System and information integrity policy; procedures addressing security function verification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Organizational processes for security function verification; automated mechanisms supporting and/or implementing the management of distributed security testing
Interview: Organizational personnel with security function verification responsibilities; organizational personnel implementing, operating, and maintaining the information system; system/network administrators; organizational personnel with information security responsibilities
Decision: Determine if the information system implements automated mechanisms to support the management of distributed security testing.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-6(3) REPORT VERIFICATION RESULTS
Examine: System and information integrity policy; procedures addressing security function verification; information system design documentation; information system configuration settings and associated documentation; records of security function verification results; information system audit records; other relevant documents or records
Test: Organizational processes for reporting security function verification results; automated mechanisms supporting and/or implementing the reporting of security function verification results
Interview: Organizational personnel with security function verification responsibilities; organizational personnel with information security responsibilities
Decision: Determine if the organization:
  SI-6(3)[1] defines personnel or roles designated to receive the results of security function verification; and
  SI-6(3)[2] reports the results of security function verification to organization-defined personnel or roles.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records generated/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes; information system audit records; other relevant documents or records
Test: Software, firmware, and information integrity verification tools
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators
Decision: Determine if the organization:
  SI-7[1]
    SI-7[1][a] defines software requiring integrity verification tools to be employed to detect unauthorized changes;
    SI-7[1][b] defines firmware requiring integrity verification tools to be employed to detect unauthorized changes;
    SI-7[1][c] defines information requiring integrity verification tools to be employed to detect unauthorized changes;
  SI-7[2] employs integrity verification tools to detect unauthorized changes to organization-defined:
    SI-7[2][a] software;
    SI-7[2][b] firmware; and
    SI-7[2][c] information.
Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(1) INTEGRITY CHECKS
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; other relevant documents or records
Test: Software, firmware, and information integrity verification tools
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer
Decision: Determine if:
  SI-7(1)[1] the organization defines:
    SI-7(1)[1][a] software requiring integrity checks to be performed;
    SI-7(1)[1][b] firmware requiring integrity checks to be performed;
    SI-7(1)[1][c] information requiring integrity checks to be performed;
  SI-7(1)[2] the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:
    SI-7(1)[2][a] software;
    SI-7(1)[2][b] firmware;
    SI-7(1)[2][c] information;
  SI-7(1)[3] the organization defines a frequency with which to perform an integrity check of organization-defined:
    SI-7(1)[3][a] software;
    SI-7(1)[3][b] firmware;
    SI-7(1)[3][c] information;
  SI-7(1)[4] the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:
    SI-7(1)[4][a] at startup;
    SI-7(1)[4][b] at organization-defined transitional states or security-relevant events; and/or
    SI-7(1)[4][c] with the organization-defined frequency.
Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(2) AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; automated tools supporting alerts and notifications for integrity discrepancies; alerts/notifications provided upon discovering discrepancies during integrity verifications; information system audit records; other relevant documents or records
Test: Software, firmware, and information integrity verification tools; automated mechanisms providing integrity discrepancy notifications
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities
Decision: Determine if the organization:
  SI-7(2)[1] defines personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification; and
  SI-7(2)[2] employs automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(3) CENTRALLY-MANAGED INTEGRITY TOOLS
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing central management of integrity verification tools
Interview: Organizational personnel with responsibility for central management of integrity verification tools; organizational personnel with information security responsibilities
Decision: Determine if the organization employs centrally managed integrity verification tools.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(4) TAMPER-EVIDENT PACKAGING
Decision: [Withdrawn: Incorporated into SA-12].

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(5) AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; records of integrity checks and responses to integrity violations; information system audit records; other relevant documents or records
Test: Software, firmware, and information integrity verification tools; automated mechanisms providing an automated response to integrity violations; automated mechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer
Decision: Determine if:
  SI-7(5)[1] the organization defines security safeguards to be implemented when integrity violations are discovered;
  SI-7(5)[2] the information system automatically performs one or more of the following actions when integrity violations are discovered:
    SI-7(5)[2][a] shuts the information system down;
    SI-7(5)[2][b] restarts the information system; and/or
    SI-7(5)[2][c] implements the organization-defined security safeguards.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(6) CRYPTOGRAPHIC PROTECTION
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated documentation; records of detected unauthorized changes to software, firmware, and information; information system audit records; other relevant documents or records
Test: Software, firmware, and information integrity verification tools; cryptographic mechanisms implementing software, firmware, and information integrity
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer
Decision: Determine if the information system employs cryptographic mechanisms to detect unauthorized changes to:
  SI-7(6)[1] software;
  SI-7(6)[2] firmware; and
  SI-7(6)[3] information.
Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(7) INTEGRATION OF DETECTION AND RESPONSE
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; procedures addressing incident response; information system design documentation; information system configuration settings and associated documentation; incident response records; information system audit records; other relevant documents or records
Test: Organizational processes for incorporating detection of unauthorized security-relevant changes into the incident response capability; software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities
Decision: Determine if the organization:
  SI-7(7)[1] defines unauthorized security-relevant changes to the information system; and
  SI-7(7)[2] incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(8) AUDITING CAPABILITY FOR SIGNIFICANT EVENTS
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; incident response records; list of security-relevant changes to the information system; automated tools supporting alerts and notifications if unauthorized security changes are detected; information system audit records; other relevant documents or records
Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing the capability to audit potential integrity violations; automated mechanisms supporting and/or implementing alerts about potential integrity violations
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer
Decision: Determine if:
  SI-7(8)[1] the organization defines personnel or roles to be alerted upon detection of a potential integrity violation;
  SI-7(8)[2] the organization defines other actions to be taken upon detection of a potential integrity violation;
  SI-7(8)[3]
    SI-7(8)[3][a] the information system, upon detection of a potential integrity violation, provides the capability to audit the event;
    SI-7(8)[3][b] the information system, upon detection of a potential integrity violation, initiates one or more of the following actions:
      SI-7(8)[3][b][1] generates an audit record;
      SI-7(8)[3][b][2] alerts current user;
      SI-7(8)[3][b][3] alerts organization-defined personnel or roles; and/or
      SI-7(8)[3][b][4] organization-defined other actions.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(9) VERIFY BOOT PROCESS
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity verification scans; information system audit records; other relevant documents or records
Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing integrity verification of the boot process
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system developer
Decision: Determine if:
  SI-7(9)[1] the organization defines devices requiring integrity verification of the boot process; and
  SI-7(9)[2] the information system verifies the integrity of the boot process of organization-defined devices.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(10) PROTECTION OF BOOT SOFTWARE
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity verification scans; information system audit records; other relevant documents or records
Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing protection of the integrity of boot firmware; safeguards implementing protection of the integrity of boot firmware
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer
Decision: Determine if:
  SI-7(10)[1] the organization defines security safeguards to be implemented to protect the integrity of boot firmware in devices;
  SI-7(10)[2] the organization defines devices requiring organization-defined security safeguards to be implemented to protect the integrity of boot firmware; and
  SI-7(10)[3] the information system implements organization-defined security safeguards to protect the integrity of boot firmware in organization-defined devices.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(11) CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing execution of software in a confined environment (physical and/or virtual); automated mechanisms supporting and/or implementing limited privileges in the confined environment
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities
Decision: Determine if the organization:
  SI-7(11)[1] defines user-installed software to be executed in a confined physical or virtual machine environment with limited privileges; and
  SI-7(11)[2] requires that organization-defined user-installed software execute in a confined physical or virtual machine environment with limited privileges.
Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(12) INTEGRITY VERIFICATION
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification records; information system audit records; other relevant documents or records
Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing verification of the integrity of user-installed software prior to execution
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities
Decision: Determine if the organization:
  SI-7(12)[1] defines user-installed software requiring integrity verification prior to execution; and
  SI-7(12)[2] requires that the integrity of organization-defined user-installed software be verified prior to execution.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(13) CODE EXECUTION IN PROTECTED ENVIRONMENTS
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; approval records for execution of binary and machine-executable code; information system audit records; other relevant documents or records
Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing approvals for execution of binary or machine-executable code
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer
Decision: Determine if the organization:
  SI-7(13)[1] allows execution of binary or machine-executable code obtained from sources with limited or no warranty;
  SI-7(13)[2] allows execution of binary or machine-executable code without the provision of source code only in confined physical or virtual machines;
  SI-7(13)[3] defines personnel or roles required to provide explicit approval to allow execution of binary or machine-executable code; and
  SI-7(13)[4] allows execution of binary or machine-executable code with the explicit approval of organization-defined personnel or roles.

Family: SYSTEM AND INFORMATION INTEGRITY
Title: SI-7(14) BINARY OR MACHINE EXECUTABLE CODE
Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; approval records for execution of binary and machine-executable code; information system audit records; other relevant documents or records
Test: Automated mechanisms supporting and/or implementing prohibition of the execution of binary or machine-executable code
Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; authorizing official; system/network administrators; system developer
Decision: Determine if the organization:
  SI-7(14)(a)
    SI-7(14)(a)[1] prohibits the use of binary or machine-executable code from sources with limited or no warranty;
    SI-7(14)(a)[2] prohibits the use of binary or machine-executable code without the provision of source code;
  SI-7(14)(b)
    SI-7(14)(b)[1] provides exceptions to the source code requirement only for compelling mission/operational requirements; and
    SI-7(14)(b)[2] provides exceptions to the source code requirement only with the approval of the authorizing official.
SYSTEM AND INFORMATION INTEGRITY SI-7(15) CODE AUTHENTICATION "Determine if:" System and information integrity policy;procedures addressing software, firmware, and information integrity;information system design documentation;information system configuration settings and associated documentation;cryptographic mechanisms and associated documentation;information system audit records;other relevant documents or records Cryptographic mechanisms authenticating software/firmware prior to installation Organizational personnel with responsibility for software, firmware, and/or information integrity;organizational personnel with information security responsibilities;system/network administrators;system developer SI-7(15)[1] SI-7(15)[1][a] "the organization defines software components to be authenticated by cryptographic mechanisms prior to installation;" SI-7(15)[1][b] "the organization defines firmware components to be authenticated by cryptographic mechanisms prior to installation;" SI-7(15)[2] SI-7(15)[2][a] "the information system implements cryptographic mechanisms to authenticate organization-defined software components prior to installation; and" SI-7(15)[2][b] "the information system implements cryptographic mechanisms to authenticate organization-defined firmware components prior to installation." 
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-7(16)
TITLE: TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; procedures addressing software and information integrity; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing time limits on process execution without supervision
INTERVIEW: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer
  SI-7(16)[1] defines a time period as the maximum period allowed for processes to execute without supervision; and
  SI-7(16)[2] does not allow processes to execute without supervision for more than the organization-defined time period.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-8
TITLE: SPAM PROTECTION
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; configuration management policy and procedures (CM-1); procedures addressing spam protection; spam protection mechanisms; records of spam protection updates; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for implementing spam protection; automated mechanisms supporting and/or implementing spam protection
INTERVIEW: Organizational personnel with responsibility for spam protection; organizational personnel with information security responsibilities; system/network administrators; system developer
SI-8(a) employs spam protection mechanisms:
  SI-8(a)[1] at information system entry points to detect unsolicited messages;
  SI-8(a)[2] at information system entry points to take action on unsolicited messages;
  SI-8(a)[3] at information system exit points to detect unsolicited messages;
  SI-8(a)[4] at information system exit points to take action on unsolicited messages; and
SI-8(b) updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-8(1)
TITLE: CENTRAL MANAGEMENT
DECISION: Determine if the organization centrally manages spam protection mechanisms.
EXAMINE: System and information integrity policy; procedures addressing spam protection; spam protection mechanisms; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for central management of spam protection; automated mechanisms supporting and/or implementing central management of spam protection
INTERVIEW: Organizational personnel with responsibility for spam protection; organizational personnel with information security responsibilities; system/network administrators

FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-8(2)
TITLE: AUTOMATIC UPDATES
DECISION: Determine if the information system automatically updates spam protection mechanisms.
EXAMINE: System and information integrity policy; procedures addressing spam protection; spam protection mechanisms; records of spam protection updates; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for spam protection; automated mechanisms supporting and/or implementing automatic updates to spam protection mechanisms
INTERVIEW: Organizational personnel with responsibility for spam protection; organizational personnel with information security responsibilities; system/network administrators; system developer

FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-8(3)
TITLE: CONTINUOUS LEARNING CAPABILITY
DECISION: Determine if the information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
EXAMINE: System and information integrity policy; procedures addressing spam protection; spam protection mechanisms; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for spam protection; automated mechanisms supporting and/or implementing spam protection mechanisms with a learning capability
INTERVIEW: Organizational personnel with responsibility for spam protection; organizational personnel with information security responsibilities; system/network administrators; system developer

FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-9
TITLE: INFORMATION INPUT RESTRICTIONS
DECISION: [Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6].

FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-10
TITLE: INFORMATION INPUT VALIDATION
DECISION: Determine if:
EXAMINE: System and information integrity policy; access control policy and procedures; separation of duties policy and procedures; procedures addressing information input validation; documentation for automated tools and applications to verify validity of information; list of information inputs requiring validity checks; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing validity checks on information inputs
INTERVIEW: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer
  SI-10[1] the organization defines information inputs requiring validity checks; and
  SI-10[2] the information system checks the validity of organization-defined information inputs.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-10(1)
TITLE: MANUAL OVERRIDE CAPABILITY
DECISION: Determine if:
EXAMINE: System and information integrity policy; access control policy and procedures; separation of duties policy and procedures; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for use of manual override capability; automated mechanisms supporting and/or implementing manual override capability for input validation; automated mechanisms supporting and/or implementing auditing of the use of manual override capability
INTERVIEW: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer
SI-10(1)(a)
  SI-10(1)(a)[1] the organization defines information inputs for which the information system provides a manual override capability for input validation;
  SI-10(1)(a)[2] the information system provides a manual override capability for input validation of organization-defined inputs;
SI-10(1)(b)
  SI-10(1)(b)[1] the organization defines authorized individuals who can use the manual override capability;
  SI-10(1)(b)[2] the information system restricts the use of manual override capability to organization-defined authorized individuals; and
SI-10(1)(c) the information system audits the use of the manual override capability.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-10(2)
TITLE: REVIEW / RESOLUTION OF ERRORS
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; access control policy and procedures; separation of duties policy and procedures; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; review records of information input validation errors and resulting resolutions; information input validation error logs or records; information system audit records; other relevant documents or records
TEST: Organizational processes for review and resolution of input validation errors; automated mechanisms supporting and/or implementing review and resolution of input validation errors
INTERVIEW: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators
  SI-10(2)[1] defines a time period within which input validation errors are to be reviewed and resolved; and
  SI-10(2)[2] ensures that input validation errors are reviewed and resolved within the organization-defined time period.

FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-10(3)
TITLE: PREDICTABLE BEHAVIOR
DECISION: Determine if the information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
EXAMINE: System and information integrity policy; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing predictable behavior when invalid inputs are received
INTERVIEW: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer

FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-10(4)
TITLE: REVIEW / TIMING INTERACTIONS
DECISION: Determine if the organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.
EXAMINE: System and information integrity policy; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for determining appropriate responses to invalid inputs; automated mechanisms supporting and/or implementing responses to invalid inputs
INTERVIEW: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer

FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-10(5)
TITLE: RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; list of trusted sources for information inputs; list of acceptable formats for input restrictions; information system audit records; other relevant documents or records
TEST: Organizational processes for restricting information inputs; automated mechanisms supporting and/or implementing restriction of information inputs
INTERVIEW: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer
  SI-10(5)[1] defines trusted sources to which the use of information inputs is to be restricted;
  SI-10(5)[2] defines formats to which the use of information inputs is to be restricted;
  SI-10(5)[3] restricts the use of information inputs to:
    SI-10(5)[3][a] organization-defined trusted sources; and/or
    SI-10(5)[3][b] organization-defined formats.

FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-11
TITLE: ERROR HANDLING
DECISION: Determine if:
EXAMINE: System and information integrity policy; procedures addressing information system error handling; information system design documentation; information system configuration settings and associated documentation; documentation providing structure/content of error messages; information system audit records; other relevant documents or records
TEST: Organizational processes for error handling; automated mechanisms supporting and/or implementing error handling; automated mechanisms supporting and/or implementing management of error messages
INTERVIEW: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer
  SI-11(a) the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries;
SI-11(b)
  SI-11(b)[1] the organization defines personnel or roles to whom error messages are to be revealed; and
  SI-11(b)[2] the information system reveals error messages only to organization-defined personnel or roles.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-12
TITLE: INFORMATION HANDLING AND RETENTION
DECISION: Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:
EXAMINE: System and information integrity policy; federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention; media protection policy and procedures; procedures addressing information system output handling and retention; information retention records; other relevant documents or records
TEST: Organizational processes for information handling and retention; automated mechanisms supporting and/or implementing information handling and retention
INTERVIEW: Organizational personnel with responsibility for information handling and retention; organizational personnel with information security responsibilities; system/network administrators
  SI-12[1] handles information within the information system;
  SI-12[2] handles output from the information system;
  SI-12[3] retains information within the information system; and
  SI-12[4] retains output from the information system.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-13
TITLE: PREDICTABLE FAILURE PREVENTION
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; list of MTTF substitution criteria; information system audit records; other relevant documents or records
TEST: Organizational processes for managing MTTF
INTERVIEW: Organizational personnel with responsibility for MTTF determinations and activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities
SI-13(a)
  SI-13(a)[1] defines information system components for which mean time to failure (MTTF) should be determined;
  SI-13(a)[2] determines MTTF for organization-defined information system components in specific environments of operation;
SI-13(b)
  SI-13(b)[1] defines MTTF substitution criteria to be used as a means to exchange active and standby components;
  SI-13(b)[2] provides substitute information system components at organization-defined MTTF substitution criteria; and
  SI-13(b)[3] provides a means to exchange active and standby components at organization-defined MTTF substitution criteria.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-13(1)
TITLE: TRANSFERRING COMPONENT RESPONSIBILITIES
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for managing MTTF; automated mechanisms supporting and/or implementing transfer of component responsibilities to substitute components
INTERVIEW: Organizational personnel with responsibility for MTTF activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities
  SI-13(1)[1] defines maximum fraction or percentage of mean time to failure within which to transfer the responsibilities of an information system component that is out of service to a substitute component; and
  SI-13(1)[2] takes the information system component out of service by transferring component responsibilities to substitute components no later than organization-defined fraction or percentage of mean time to failure.

FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-13(2)
TITLE: TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION
DECISION: [Withdrawn: Incorporated into SI-7(16)].
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-13(3)
TITLE: MANUAL TRANSFER BETWEEN COMPONENTS
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for managing MTTF and conducting the manual transfer between active and standby components
INTERVIEW: Organizational personnel with responsibility for MTTF activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities
  SI-13(3)[1] defines the minimum frequency with which the organization manually initiates a transfer between active and standby information system components if the mean time to failure exceeds the organization-defined time period;
  SI-13(3)[2] defines the time period that the mean time to failure must exceed before the organization manually initiates a transfer between active and standby information system components; and
  SI-13(3)[3] manually initiates transfers between active and standby information system components at the organization-defined frequency if the mean time to failure exceeds the organization-defined time period.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-13(4)
TITLE: STANDBY COMPONENT INSTALLATION / NOTIFICATION
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; list of actions to be taken once information system component failure is detected; information system audit records; other relevant documents or records
TEST: Organizational processes for managing MTTF; automated mechanisms supporting and/or implementing transparent installation of standby components; automated mechanisms supporting and/or implementing alarms or system shutdown if component failures are detected
INTERVIEW: Organizational personnel with responsibility for MTTF activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities
SI-13(4)(a)
  SI-13(4)(a)[1] defines a time period for standby information system components to be successfully and transparently installed when information system component failures are detected;
  SI-13(4)(a)[2] ensures that the standby components are successfully and transparently installed within the organization-defined time period;
SI-13(4)(b)
  SI-13(4)(b)[1] defines an alarm to be activated when information system component failures are detected;
  SI-13(4)(b)[2] if information system component failures are detected, does one or more of the following:
    SI-13(4)(b)[2][a] activates the organization-defined alarm; and/or
    SI-13(4)(b)[2][b] automatically shuts down the information system.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-13(5)
TITLE: FAILOVER CAPABILITY
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; documentation describing failover capability provided for the information system; information system audit records; other relevant documents or records
TEST: Organizational processes for managing failover capability; automated mechanisms supporting and/or implementing failover capability
INTERVIEW: Organizational personnel with responsibility for failover capability; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities
  SI-13(5)[1] defines failover capability to be provided for the information system;
  SI-13(5)[2] provides one of the following organization-defined failover capabilities for the information system:
    SI-13(5)[2][a] real-time failover capability; and/or
    SI-13(5)[2][b] near real-time failover capability.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-14
TITLE: NON-PERSISTENCE
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; procedures addressing non-persistence for information system components; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing initiation and termination of non-persistent components
INTERVIEW: Organizational personnel with responsibility for non-persistence; organizational personnel with information security responsibilities; system/network administrators; system developer
  SI-14[1] defines non-persistent information system components and services to be implemented;
SI-14[2]
  SI-14[2][a] defines a frequency to terminate non-persistent organization-defined components and services that are initiated in a known state;
  SI-14[2][b] implements non-persistent organization-defined information system components and services that are initiated in a known state and terminated one or more of the following:
    SI-14[2][b][1] upon end of session of use; and/or
    SI-14[2][b][2] periodically at the organization-defined frequency.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-14(1)
TITLE: REFRESH FROM TRUSTED SOURCES
DECISION: Determine if the organization:
EXAMINE: System and information integrity policy; procedures addressing non-persistence for information system components; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for defining and obtaining component and service refreshes from trusted sources; automated mechanisms supporting and/or implementing component and service refreshes
INTERVIEW: Organizational personnel with responsibility for obtaining component and service refreshes from trusted sources; organizational personnel with information security responsibilities
  SI-14(1)[1] defines trusted sources from which software and data employed during information system component and service refreshes are to be obtained; and
  SI-14(1)[2] ensures that software and data employed during information system component and service refreshes are obtained from organization-defined trusted sources.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-15
TITLE: INFORMATION OUTPUT FILTERING
DECISION: Determine if:
EXAMINE: System and information integrity policy; procedures addressing information output filtering; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records
TEST: Organizational processes for validating information output; automated mechanisms supporting and/or implementing information output validation
INTERVIEW: Organizational personnel with responsibility for validating information output; organizational personnel with information security responsibilities; system/network administrators; system developer
  SI-15[1] the organization defines software programs and/or applications whose information output requires validation to ensure that the information is consistent with the expected content; and
  SI-15[2] the information system validates information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-16
TITLE: MEMORY PROTECTION
DECISION: Determine if:
EXAMINE: System and information integrity policy; procedures addressing memory protection for the information system; information system design documentation; information system configuration settings and associated documentation; list of security safeguards protecting information system memory from unauthorized code execution; information system audit records; other relevant documents or records
TEST: Automated mechanisms supporting and/or implementing safeguards to protect information system memory from unauthorized code execution
INTERVIEW: Organizational personnel with responsibility for memory protection; organizational personnel with information security responsibilities; system/network administrators; system developer
  SI-16[1] the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution; and
  SI-16[2] the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.
FAMILY: SYSTEM AND INFORMATION INTEGRITY
NAME: SI-17
TITLE: FAIL-SAFE PROCEDURES
DECISION: Determine if:
EXAMINE: System and information integrity policy; procedures addressing memory protection for the information system; information system design documentation; information system configuration settings and associated documentation; list of security safeguards protecting information system memory from unauthorized code execution; information system audit records; other relevant documents or records
TEST: Organizational fail-safe procedures; automated mechanisms supporting and/or implementing fail-safe procedures
INTERVIEW: Organizational personnel with responsibility for fail-safe procedures; organizational personnel with information security responsibilities; system/network administrators; system developer
  SI-17[1] the organization defines fail-safe procedures to be implemented when organization-defined failure conditions occur;
  SI-17[2] the organization defines failure conditions resulting in organization-defined fail-safe procedures being implemented when such conditions occur; and
  SI-17[3] the information system implements organization-defined fail-safe procedures when organization-defined failure conditions occur.