forked from opencontrol/standards
nist-800-53-rev3.yaml
1924 lines (1924 loc) · 117 KB
name: NIST-800-53 rev3
AC-1:
family: AC
name: Access Control Policy And Procedures
description: |-
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency].
AC-2:
family: AC
name: Account Management
description: |-
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AC-2 (1):
family: AC
name: Automated System Account Management
description: '"The organization employs automated mechanisms to support the management
of information system accounts."'
AC-2 (2):
family: AC
name: Removal Of Temporary / Emergency Accounts
description: '"The information system automatically [Selection: removes; disables]
temporary and emergency accounts after [Assignment: organization-defined time
period for each type of account]."'
AC-2 (3):
family: AC
name: Disable Inactive Accounts
description: '"The information system automatically disables inactive accounts after
[Assignment: organization-defined time period]."'
AC-2 (4):
family: AC
name: Automated Audit Actions
description: '"The information system automatically audits account creation, modification,
enabling, disabling, and removal actions, and notifies [Assignment: organization-defined
personnel or roles]."'
AC-3:
family: AC
name: Access Enforcement
description: '"The information system enforces approved authorizations for logical
access to information and system resources in accordance with applicable
access control policies."'
AC-4:
family: AC
name: Information Flow Enforcement
description: '"The information system enforces approved authorizations for controlling
the flow of information within the system and between interconnected systems based
on [Assignment: organization-defined information flow control policies]."'
AC-5:
family: AC
name: Separation Of Duties
description: |-
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.
AC-6:
family: AC
name: Least Privilege
description: '"The organization employs the principle of least privilege, allowing
only authorized accesses for users (or processes acting on behalf of users) which
are necessary to accomplish assigned tasks in accordance with organizational missions
and business functions."'
AC-6 (1):
family: AC
name: Authorize Access To Security Functions
description: '"The organization explicitly authorizes access to [Assignment: organization-defined
security functions (deployed in hardware, software, and firmware) and security-relevant
information]."'
AC-6 (2):
family: AC
name: Non-Privileged Access For Nonsecurity Functions
description: '"The organization requires that users of information system accounts,
or roles, with access to [Assignment: organization-defined security functions
or security-relevant information], use non-privileged accounts or roles, when
accessing nonsecurity functions."'
AC-6 (5):
family: AC
name: Privileged Accounts
description: '"The organization restricts privileged accounts on the information
system to [Assignment: organization-defined personnel or roles]."'
AC-6 (9):
family: AC
name: Auditing Use Of Privileged Functions
description: '"The information system audits the execution of privileged functions."'
AC-6 (10):
family: AC
name: Prohibit Non-Privileged Users From Executing Privileged Functions
description: '"The information system prevents non-privileged users from executing
privileged functions to include disabling, circumventing, or altering implemented
security safeguards/countermeasures."'
AC-7:
family: AC
name: Unsuccessful Logon Attempts
description: |-
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
AC-8:
family: AC
name: System Use Notification
description: |-
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system.
AC-11:
family: AC
name: Session Lock
description: |-
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11 (1):
family: AC
name: Pattern-Hiding Displays
description: '"The information system conceals, via the session lock, information
previously visible on the display with a publicly viewable image."'
AC-12:
family: AC
name: Session Termination
description: '"The information system automatically terminates a user session after
[Assignment: organization-defined conditions or trigger events requiring session
disconnect]."'
AC-14:
family: AC
name: Permitted Actions Without Identification Or Authentication
description: |-
The organization:
a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
AC-17:
family: AC
name: Remote Access
description: |-
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
AC-17 (1):
family: AC
name: Automated Monitoring / Control
description: '"The information system monitors and controls remote access methods."'
AC-17 (2):
family: AC
name: Protection Of Confidentiality / Integrity Using Encryption
description: '"The information system implements cryptographic mechanisms to protect
the confidentiality and integrity of remote access sessions."'
AC-17 (3):
family: AC
name: Managed Access Control Points
description: '"The information system routes all remote accesses through [Assignment:
organization-defined number] managed network access control points."'
AC-17 (4):
family: AC
name: Privileged Commands / Access
description: |-
The organization:
(4)(a). Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(4)(b). Documents the rationale for such access in the security plan for the information system.
AC-18:
family: AC
name: Wireless Access
description: |-
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections.
AC-18 (1):
family: AC
name: Authentication And Encryption
description: '"The information system protects wireless access to the system using
authentication of [Selection (one or more): users; devices] and encryption."'
AC-19:
family: AC
name: Access Control For Mobile Devices
description: |-
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems.
AC-19 (5):
family: AC
name: Full Device / Container-Based Encryption
description: '"The organization employs [Selection: full-device encryption; container
encryption] to protect the confidentiality and integrity of information on [Assignment:
organization-defined mobile devices]."'
AC-20:
family: AC
name: Use Of External Information Systems
description: |-
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from external information systems; and
b. Process, store, or transmit organization-controlled information using external information systems.
AC-20 (1):
family: AC
name: Limits On Authorized Use
description: |-
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(1)(a). Verifies the implementation of required security controls on the external system as specified in the organization�s information security policy and security plan; or
(1)(b). Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20 (2):
family: AC
name: Portable Storage Devices
description: '"The organization [Selection: restricts; prohibits] the use of organization-controlled
portable storage devices by authorized individuals on external information systems."'
AC-21:
family: AC
name: Information Sharing
description: |-
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
AC-22:
family: AC
name: Publicly Accessible Content
description: |-
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
AT-1:
family: AT
name: Security Awareness And Training Policy And Procedures
description: |-
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
AT-2:
family: AT
name: Security Awareness Training
description: |-
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
AT-2 (2):
family: AT
name: Insider Threat
description: '"The organization includes security awareness training on recognizing
and reporting potential indicators of insider threat."'
AT-3:
family: AT
name: Role-Based Security Training
description: |-
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
AT-4:
family: AT
name: Security Training Records
description: |-
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].
AU-1:
family: AU
name: Audit And Accountability Policy And Procedures
description: |-
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].
AU-2:
family: AU
name: Audit Events
description: |-
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
AU-2 (3):
family: AU
name: Reviews And Updates
description: '"The organization reviews and updates the audited events [Assignment:
organization-defined frequency]."'
AU-3:
family: AU
name: Content Of Audit Records
description: '"The information system generates audit records containing information
that establishes what type of event occurred, when the event occurred, where the
event occurred, the source of the event, the outcome of the event, and the identity
of any individuals or subjects associated with the event."'
AU-3 (1):
family: AU
name: Additional Audit Information
description: '"The information system generates audit records containing the following
additional information: [Assignment: organization-defined additional, more detailed
information]."'
AU-4:
family: AU
name: Audit Storage Capacity
description: '"The organization allocates audit record storage capacity in accordance
with [Assignment: organization-defined audit record storage requirements]."'
AU-5:
family: AU
name: Response To Audit Processing Failures
description: |-
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
AU-6:
family: AU
name: Audit Review, Analysis, And Reporting
description: |-
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles].
AU-6 (1):
family: AU
name: Process Integration
description: '"The organization employs automated mechanisms to integrate audit
review, analysis, and reporting processes to support organizational processes
for investigation and response to suspicious activities."'
AU-6 (3):
family: AU
name: Correlate Audit Repositories
description: '"The organization analyzes and correlates audit records across different
repositories to gain organization-wide situational awareness."'
AU-7:
family: AU
name: Audit Reduction And Report Generation
description: |-
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.
AU-7 (1):
family: AU
name: Automatic Processing
description: '"The information system provides the capability to process audit records
for events of interest based on [Assignment: organization-defined audit fields
within audit records]."'
AU-8:
family: AU
name: Time Stamps
description: |-
The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
AU-8 (1):
family: AU
name: Synchronization With Authoritative Time Source
description: |-
The information system:
(1)(a). Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
(1)(b). Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
AU-9:
family: AU
name: Protection Of Audit Information
description: '"The information system protects audit information and audit tools
from unauthorized access, modification, and deletion."'
AU-9 (4):
family: AU
name: Access By Subset Of Privileged Users
description: '"The organization authorizes access to management of audit functionality
to only [Assignment: organization-defined subset of privileged users]."'
AU-11:
family: AU
name: Audit Record Retention
description: '"The organization retains audit records for [Assignment: organization-defined
time period consistent with records retention policy] to provide support for after-the-fact
investigations of security incidents and to meet regulatory and organizational
information retention requirements."'
AU-12:
family: AU
name: Audit Generation
description: |-
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
CA-1:
family: CA
name: Security Assessment And Authorization Policy And Procedures
description: |-
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CA-2:
family: CA
name: Security Assessments
description: |-
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CA-2 (1):
family: CA
name: Independent Assessors
description: '"The organization employs assessors or assessment teams with [Assignment:
organization-defined level of independence] to conduct security control assessments."'
CA-3:
family: CA
name: System Interconnections
description: |-
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CA-3 (5):
family: CA
name: Restrictions On External System Connections
description: '"The organization employs [Selection: allow-all, deny-by-exception;
deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined
information systems] to connect to external information systems."'
CA-5:
family: CA
name: Plan Of Action And Milestones
description: |-
The organization:
a. Develops a plan of action and milestones for the information system to document the organization�s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CA-6:
family: CA
name: Security Authorization
description: |-
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].
CA-7:
family: CA
name: Continuous Monitoring
description: |-
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CA-7 (1):
  family: CA
  name: Independent Assessment
  description: '"The organization employs assessors or assessment teams with [Assignment:
    organization-defined level of independence] to monitor the security controls in
    the information system on an ongoing basis."'
CA-9:
  family: CA
  name: Internal System Connections
  description: |-
    The organization:
    a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
    b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
CM-1:
  family: CM
  name: Configuration Management Policy And Procedures
  description: |-
    The organization:
    a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
    b. Reviews and updates the current:
    1. Configuration management policy [Assignment: organization-defined frequency]; and
    2. Configuration management procedures [Assignment: organization-defined frequency].
CM-2:
  family: CM
  name: Baseline Configuration
  description: '"The organization develops, documents, and maintains under configuration
    control, a current baseline configuration of the information system."'
CM-2 (1):
  family: CM
  name: Reviews And Updates
  description: |-
    The organization reviews and updates the baseline configuration of the information system:
    (1)(a). [Assignment: organization-defined frequency];
    (1)(b). When required due to [Assignment: organization-defined circumstances]; and
    (1)(c). As an integral part of information system component installations and upgrades.
CM-2 (3):
  family: CM
  name: Retention Of Previous Configurations
  description: '"The organization retains [Assignment: organization-defined previous
    versions of baseline configurations of the information system] to support rollback."'
CM-2 (7):
  family: CM
  name: Configure Systems, Components, Or Devices For High-Risk Areas
  description: |-
    The organization:
    (7)(a). Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
    (7)(b). Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
CM-3:
  family: CM
  name: Configuration Change Control
  description: |-
    The organization:
    a. Determines the types of changes to the information system that are configuration-controlled;
    b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
    c. Documents configuration change decisions associated with the information system;
    d. Implements approved configuration-controlled changes to the information system;
    e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
    f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
    g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CM-3 (2):
  family: CM
  name: Test / Validate / Document Changes
  description: '"The organization tests, validates, and documents changes to the information
    system before implementing the changes on the operational system."'
CM-4:
  family: CM
  name: Security Impact Analysis
  description: '"The organization analyzes changes to the information system to determine
    potential security impacts prior to change implementation."'
CM-5:
  family: CM
  name: Access Restrictions For Change
  description: '"The organization defines, documents, approves, and enforces physical
    and logical access restrictions associated with changes to the information system."'
CM-6:
  family: CM
  name: Configuration Settings
  description: |-
    The organization:
    a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
    b. Implements the configuration settings;
    c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
    d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-7:
  family: CM
  name: Least Functionality
  description: |-
    The organization:
    a. Configures the information system to provide only essential capabilities; and
    b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CM-7 (1):
  family: CM
  name: Periodic Review
  description: |-
    The organization:
    (1)(a). Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
    (1)(b). Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
CM-7 (2):
  family: CM
  name: Prevent Program Execution
  description: '"The information system prevents program execution in accordance with
    [Selection (one or more): [Assignment: organization-defined policies regarding
    software program usage and restrictions]; rules authorizing the terms and conditions
    of software program usage]."'
CM-7 (4):
  family: CM
  name: Unauthorized Software / Blacklisting
  description: |-
    The organization:
    (4)(a). Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
    (4)(b). Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
    (4)(c). Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
CM-8:
  family: CM
  name: Information System Component Inventory
  description: |-
    The organization:
    a. Develops and documents an inventory of information system components that:
    1. Accurately reflects the current information system;
    2. Includes all components within the authorization boundary of the information system;
    3. Is at the level of granularity deemed necessary for tracking and reporting; and
    4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
    b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
CM-8 (1):
  family: CM
  name: Updates During Installations / Removals
  description: '"The organization updates the inventory of information system components
    as an integral part of component installations, removals, and information system
    updates."'
CM-8 (3):
  family: CM
  name: Automated Unauthorized Component Detection
  description: |-
    The organization:
    (3)(a). Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
    (3)(b). Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
CM-8 (5):
  family: CM
  name: No Duplicate Accounting Of Components
  description: '"The organization verifies that all components within the authorization
    boundary of the information system are not duplicated in other information system
    component inventories."'
CM-9:
  family: CM
  name: Configuration Management Plan
  description: |-
    The organization develops, documents, and implements a configuration management plan for the information system that:
    a. Addresses roles, responsibilities, and configuration management processes and procedures;
    b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
    c. Defines the configuration items for the information system and places the configuration items under configuration management; and
    d. Protects the configuration management plan from unauthorized disclosure and modification.
CM-10:
  family: CM
  name: Software Usage Restrictions
  description: |-
    The organization:
    a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
    b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
    c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CM-11:
  family: CM
  name: User-Installed Software
  description: |-
    The organization:
    a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
    b. Enforces software installation policies through [Assignment: organization-defined methods]; and
    c. Monitors policy compliance at [Assignment: organization-defined frequency].
CP-1:
  family: CP
  name: Contingency Planning Policy And Procedures
  description: |-
    The organization:
    a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
    b. Reviews and updates the current:
    1. Contingency planning policy [Assignment: organization-defined frequency]; and
    2. Contingency planning procedures [Assignment: organization-defined frequency].
CP-2:
  family: CP
  name: Contingency Plan
  description: |-
    The organization:
    a. Develops a contingency plan for the information system that:
    1. Identifies essential missions and business functions and associated contingency requirements;
    2. Provides recovery objectives, restoration priorities, and metrics;
    3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
    4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
    5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
    6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
    b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
    c. Coordinates contingency planning activities with incident handling activities;
    d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
    e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
    f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
    g. Protects the contingency plan from unauthorized disclosure and modification.
CP-2 (1):
  family: CP
  name: Coordinate With Related Plans
  description: '"The organization coordinates contingency plan development with organizational
    elements responsible for related plans."'
CP-2 (3):
  family: CP
  name: Resume Essential Missions / Business Functions
  description: '"The organization plans for the resumption of essential missions and
    business functions within [Assignment: organization-defined time period] of contingency
    plan activation."'
CP-2 (8):
  family: CP
  name: Identify Critical Assets
  description: '"The organization identifies critical information system assets supporting
    essential missions and business functions."'
CP-3:
  family: CP
  name: Contingency Training
  description: |-
    The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
    a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
    b. When required by information system changes; and
    c. [Assignment: organization-defined frequency] thereafter.
CP-4:
  family: CP
  name: Contingency Plan Testing
  description: |-
    The organization:
    a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
    b. Reviews the contingency plan test results; and
    c. Initiates corrective actions, if needed.
CP-4 (1):
  family: CP
  name: Coordinate With Related Plans
  description: '"The organization coordinates contingency plan testing with organizational
    elements responsible for related plans."'
CP-6:
  family: CP
  name: Alternate Storage Site
  description: |-
    The organization:
    a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
    b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
CP-6 (1):
  family: CP
  name: Separation From Primary Site
  description: '"The organization identifies an alternate storage site that is separated
    from the primary storage site to reduce susceptibility to the same threats."'
CP-6 (3):
  family: CP
  name: Accessibility
  description: '"The organization identifies potential accessibility problems to the
    alternate storage site in the event of an area-wide disruption or disaster and
    outlines explicit mitigation actions."'
CP-7:
  family: CP
  name: Alternate Processing Site
  description: |-
    The organization:
    a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
    b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
    c. Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.
CP-7 (1):
  family: CP
  name: Separation From Primary Site
  description: '"The organization identifies an alternate processing site that is
    separated from the primary processing site to reduce susceptibility to the same
    threats."'
CP-7 (2):
  family: CP
  name: Accessibility
  description: '"The organization identifies potential accessibility problems to the
    alternate processing site in the event of an area-wide disruption or disaster
    and outlines explicit mitigation actions."'
CP-7 (3):
  family: CP
  name: Priority Of Service
  description: '"The organization develops alternate processing site agreements that
    contain priority-of-service provisions in accordance with organizational availability
    requirements (including recovery time objectives)."'
CP-8:
  family: CP
  name: Telecommunications Services
  description: '"The organization establishes alternate telecommunications services
    including necessary agreements to permit the resumption of [Assignment: organization-defined
    information system operations] for essential missions and business functions within
    [Assignment: organization-defined time period] when the primary telecommunications
    capabilities are unavailable at either the primary or alternate processing or
    storage sites."'
CP-8 (1):
  family: CP
  name: Priority Of Service Provisions
  description: |-
    The organization:
    (1)(a). Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
    (1)(b). Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8 (2):
  family: CP
  name: Single Points Of Failure
  description: '"The organization obtains alternate telecommunications services to
    reduce the likelihood of sharing a single point of failure with primary telecommunications
    services."'
CP-9:
  family: CP
  name: Information System Backup
  description: |-
    The organization:
    a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
    b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
    c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
    d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CP-9 (1):
  family: CP
  name: Testing For Reliability / Integrity
  description: '"The organization tests backup information [Assignment: organization-defined
    frequency] to verify media reliability and information integrity."'
CP-10:
  family: CP
  name: Information System Recovery And Reconstitution
  description: '"The organization provides for the recovery and reconstitution of
    the information system to a known state after a disruption, compromise, or failure."'
CP-10 (2):
  family: CP
  name: Transaction Recovery
  description: '"The information system implements transaction recovery for systems
    that are transaction-based."'
IA-1:
  family: IA
  name: Identification And Authentication Policy And Procedures
  description: |-
    The organization:
    a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
    b. Reviews and updates the current:
    1. Identification and authentication policy [Assignment: organization-defined frequency]; and
    2. Identification and authentication procedures [Assignment: organization-defined frequency].
IA-2:
  family: IA
  name: Identification And Authentication (Organizational Users)
  description: '"The information system uniquely identifies and authenticates organizational
    users (or processes acting on behalf of organizational users)."'
IA-2 (1):
  family: IA
  name: Network Access To Privileged Accounts
  description: '"The information system implements multifactor authentication for
    network access to privileged accounts."'
IA-2 (2):
  family: IA
  name: Network Access To Non-Privileged Accounts
  description: '"The information system implements multifactor authentication for
    network access to non-privileged accounts."'
IA-2 (3):
  family: IA
  name: Local Access To Privileged Accounts
  description: '"The information system implements multifactor authentication for
    local access to privileged accounts."'
IA-2 (8):
  family: IA
  name: Network Access To Privileged Accounts - Replay Resistant
  description: '"The information system implements replay-resistant authentication
    mechanisms for network access to privileged accounts."'
IA-2 (11):
  family: IA
  name: Remote Access - Separate Device
  description: '"The information system implements multifactor authentication for
    remote access to privileged and non-privileged accounts such that one of the factors
    is provided by a device separate from the system gaining access and the device
    meets [Assignment: organization-defined strength of mechanism requirements]."'
IA-2 (12):
  family: IA
  name: Acceptance Of Piv Credentials
  description: '"The information system accepts and electronically verifies Personal
    Identity Verification (PIV) credentials."'
IA-3:
  family: IA
  name: Device Identification And Authentication
  description: '"The information system uniquely identifies and authenticates [Assignment:
    organization-defined specific and/or types of devices] before establishing a [Selection
    (one or more): local; remote; network] connection."'
IA-4:
  family: IA
  name: Identifier Management
  description: |-
    The organization manages information system identifiers by:
    a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
    b. Selecting an identifier that identifies an individual, group, role, or device;
    c. Assigning the identifier to the intended individual, group, role, or device;
    d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
    e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
IA-5:
  family: IA
  name: Authenticator Management
  description: |-
    The organization manages information system authenticators by:
    a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
    b. Establishing initial authenticator content for authenticators defined by the organization;
    c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
    d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
    e. Changing default content of authenticators prior to information system installation;
    f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
    g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
    h. Protecting authenticator content from unauthorized disclosure and modification;
    i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
    j. Changing authenticators for group/role accounts when membership to those accounts changes.
IA-5 (1):
  family: IA
  name: Password-Based Authentication
  description: |-
    The information system, for password-based authentication:
    (1)(a). Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
    (1)(b). Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
    (1)(c). Stores and transmits only cryptographically-protected passwords;
    (1)(d). Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
    (1)(e). Prohibits password reuse for [Assignment: organization-defined number] generations; and
    (1)(f). Allows the use of a temporary password for system logons with an immediate change to a permanent password.
IA-5 (2):
  family: IA
  name: Pki-Based Authentication
  description: |-
    The information system, for PKI-based authentication:
    (2)(a). Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
    (2)(b). Enforces authorized access to the corresponding private key;
    (2)(c). Maps the authenticated identity to the account of the individual or group; and
    (2)(d). Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
IA-5 (3):
  family: IA
  name: In-Person Or Trusted Third-Party Registration
  description: '"The organization requires that the registration process to receive
    [Assignment: organization-defined types of and/or specific authenticators] be
    conducted [Selection: in person; by a trusted third party] before [Assignment:
    organization-defined registration authority] with authorization by [Assignment:
    organization-defined personnel or roles]."'
IA-5 (11):
  family: IA
  name: Hardware Token-Based Authentication
  description: '"The information system, for hardware token-based authentication,
    employs mechanisms that satisfy [Assignment: organization-defined token quality
    requirements]."'
IA-6:
  family: IA
  name: Authenticator Feedback
  description: '"The information system obscures feedback of authentication information
    during the authentication process to protect the information from possible exploitation/use
    by unauthorized individuals."'
IA-7:
  family: IA
  name: Cryptographic Module Authentication
  description: '"The information system implements mechanisms for authentication to
    a cryptographic module that meet the requirements of applicable federal laws,
    Executive Orders, directives, policies, regulations, standards, and guidance for
    such authentication."'
IA-8:
  family: IA
  name: Identification And Authentication (Non-Organizational Users)
  description: '"The information system uniquely identifies and authenticates non-organizational
    users (or processes acting on behalf of non-organizational users)."'
IA-8 (1):
  family: IA
  name: Acceptance Of Piv Credentials From Other Agencies
  description: '"The information system accepts and electronically verifies Personal
    Identity Verification (PIV) credentials from other federal agencies."'
IA-8 (2):
  family: IA
  name: Acceptance Of Third-Party Credentials
  description: '"The information system accepts only FICAM-approved third-party credentials."'
IA-8 (3):
  family: IA
  name: Use Of Ficam-Approved Products
  description: '"The organization employs only FICAM-approved information system components
    in [Assignment: organization-defined information systems] to accept third-party
    credentials."'
IA-8 (4):
  family: IA
  name: Use Of Ficam-Issued Profiles
  description: '"The information system conforms to FICAM-issued profiles."'
IR-1:
  family: IR
  name: Incident Response Policy And Procedures
  description: |-
    The organization:
    a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
    b. Reviews and updates the current:
    1. Incident response policy [Assignment: organization-defined frequency]; and
    2. Incident response procedures [Assignment: organization-defined frequency].
IR-2:
  family: IR
  name: Incident Response Training
  description: |-
    The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
    a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
    b. When required by information system changes; and
    c. [Assignment: organization-defined frequency] thereafter.
IR-3:
  family: IR
  name: Incident Response Testing
  description: '"The organization tests the incident response capability for the information
    system [Assignment: organization-defined frequency] using [Assignment: organization-defined
    tests] to determine the incident response effectiveness and documents the results."'
IR-3 (2):
  family: IR
  name: Coordination With Related Plans
  description: '"The organization coordinates incident response testing with organizational
    elements responsible for related plans."'
IR-4:
  family: IR
  name: Incident Handling
  description: |-
    The organization:
    a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
    b. Coordinates incident handling activities with contingency planning activities; and
    c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
IR-4 (1):
  family: IR
  name: Automated Incident Handling Processes
  description: '"The organization employs automated mechanisms to support the incident
    handling process."'
IR-5:
  family: IR
  name: Incident Monitoring
  description: '"The organization tracks and documents information system security
    incidents."'
IR-6:
  family: IR
  name: Incident Reporting