Common Control Identifiers - CCIs

CCI CCI Definition CCI Auditor CCI Guidance Control Name Control Assessment Procedure Control Guidance Control Definition
CCI-001545 The organization defines a frequency for reviewing and updating the access control policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Access Control Policy And Procedures AC-1 AC-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-001546 The organization defines a frequency for reviewing and updating the access control procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Access Control Policy And Procedures AC-1 AC-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000001 The organization develops an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization conducting the inspection/assessment obtains and examines the access control policy to ensure the organization being inspected/assessed develops and documents an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization being inspected/assessed develops and documents an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Access Control Policy And Procedures AC-1 AC-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. 
An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000004 The organization develops procedures to facilitate the implementation of the access control policy and associated access controls. The organization conducting the inspection/assessment obtains and examines the procedures to facilitate the implementation of the access control policy and associated access controls to ensure the organization being inspected/assessed develops and documents procedures to facilitate the implementation of the access control policy and associated access controls. The organization being inspected/assessed develops and documents procedures to facilitate the implementation of the access control policy and associated access controls. Access Control Policy And Procedures AC-1 AC-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. 
Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000002 The organization disseminates the access control policy to organization-defined personnel or roles. The organization conducting the inspection/assessment examines the access control policy via the organization's information sharing capability to ensure the organization being inspected/assessed disseminates the policy to all personnel. DoD has defined the personnel or roles as all personnel. The organization being inspected/assessed disseminates via an information sharing capability to all personnel. DoD has defined the personnel or roles as all personnel. Access Control Policy And Procedures AC-1 AC-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. 
Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000003 The organization reviews and updates the access control policy in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed annually reviews and updates the access control policy. DoD has defined the frequency as annually. The organization being inspected/assessed annually reviews and updates the access control policy. The organization must maintain review and update activity as an audit trail. DoD has defined the frequency as annually. Access Control Policy And Procedures AC-1 AC-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. 
Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000005 The organization disseminates the procedures to facilitate access control policy and associated access controls to the organization-defined personnel or roles. The organization conducting the inspection/assessment examines the procedures to facilitate access control policy and associated access controls via the organization's information sharing capability to ensure the organization being inspected/assessed disseminates the procedures to all personnel. DoD has defined the personnel or roles as all personnel. The organization being inspected/assessed disseminates via an information sharing capability to all personnel the procedures to facilitate access control policy and associated access controls. DoD has defined the personnel or roles as all personnel. Access Control Policy And Procedures AC-1 AC-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. 
An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-000006 The organization reviews and updates the access control procedures in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed annually reviews and updates the access control procedures. DoD has defined the frequency as annually. The organization being inspected/assessed annually reviews and updates the access control procedures. The organization must maintain review and update activity as an audit trail. DoD has defined the frequency as annually. Access Control Policy And Procedures AC-1 AC-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. 
Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-001547 The organization defines the frequency on which it will review information system accounts for compliance with account management requirements. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at a minimum, annually. DoD has defined the frequency as at a minimum, annually. Account Management AC-2 AC-2.23 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. 
Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. 
Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-000007 The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary).
CCI-000008 The organization establishes conditions for group membership. The organization conducting the inspection/assessment obtains and examines the documented conditions for adding accounts as members of groups to ensure that the conditions are established. The organization being inspected/assessed documents conditions for adding accounts as members of groups. Account Management AC-2 AC-2.4 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. 
Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. 
Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-000009 The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges.
CCI-000010 The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts. The organization conducting the inspection/assessment obtains and examines the audit trail of approvals to ensure that the organization being inspected/assessed implements a process for the ISSM or ISSO to approve information system account requests. DoD has defined the personnel or roles as the ISSM or ISSO. The organization being inspected/assessed implements a process for the ISSM or ISSO to approve information system account requests. The organization being inspected/assessed maintains an audit trail of approvals. DoD has defined the personnel or roles as the ISSM or ISSO. Account Management AC-2 AC-2.11 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. 
In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. 
Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-000011 The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions. The organization conducting the inspection/assessment obtains and examines the audit trail of account maintenance activities to ensure the organization being inspected/assessed implements account maintenance processes to create, enable, modify, disable, remove, and track information system accounts in accordance with procedures or conditions defined in AC-2, CCI 2121. The organization being inspected/assessed implements account maintenance processes to create, enable, modify, disable, and remove information system accounts in accordance with procedures or conditions defined in AC-2, CCI 2121. The organization being inspected/assessed maintains an audit trail of account maintenance activities. Account Management AC-2 AC-2.13 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-000012 The organization reviews information system accounts for compliance with account management requirements per organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed implements a process to review information system accounts for compliance with account management requirements at a minimum, annually. DoD has defined the frequency as at a minimum, annually. The organization being inspected/assessed implements a process to review information system accounts for compliance with account management requirements at a minimum, annually. The organization being inspected/assessed maintains an audit trail of reviews. DoD has defined the frequency as at a minimum, annually. Account Management AC-2 AC-2.22 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-000013 The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes.
CCI-000014 The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions.
CCI-000015 The organization employs automated mechanisms to support the information system account management functions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ automated mechanisms to support the information system account management functions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000015. The organization being inspected/assessed configures the information system to employ automated mechanisms to support the information system account management functions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000015. Account Management | Automated System Account Management AC-2 (1) AC-2(1).1 The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage. The organization employs automated mechanisms to support the management of information system accounts.
CCI-000016 The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically remove or disable temporary accounts after 72 hours. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000016. DoD has defined the time period as 72 hours. The organization being inspected/assessed configures the information system to automatically remove or disable temporary accounts after 72 hours. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000016. DoD has defined the time period as 72 hours. Account Management | Removal Of Temporary / Emergency Accounts AC-2 (2) AC-2(2).1 This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
CCI-000017 The information system automatically disables inactive accounts after an organization-defined time period. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to disable inactive accounts after 35 days. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000017. DoD has defined the time period as 35 days. The organization being inspected/assessed configures the information system to disable inactive accounts after 35 days. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000017. DoD has defined the time period as 35 days. Account Management | Disable Inactive Accounts AC-2 (3) AC-2(3).1 The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
CCI-000018 The information system automatically audits account creation actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account creation actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 18. The organization being inspected/assessed configures the information system to automatically audit account creation actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 18. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).1 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-000019 The organization requires that users log out in accordance with the organization-defined time period of inactivity or description of when to log out. The organization conducting the inspection/assessment obtains and examines the user policies to ensure that users are required to log out at the end of the user's standard work period unless otherwise defined in formal organizational policy and IAW conditions defined in AC-2 (5) CCI 2133. DoD has defined the time period as at the end of the user's standard work period unless otherwise defined in formal organizational policy. The organization being inspected/assessed documents in the user policies that users are required to log out at the end of the user's standard work period unless otherwise defined in formal organizational policy and IAW conditions defined in AC-2 (5) CCI 2133. DoD has defined the time period as at the end of the user's standard work period unless otherwise defined in formal organizational policy. Account Management | Inactivity Logout AC-2 (5) AC-2(5).2 Related control: SC-23. The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].
CCI-000020 The information system dynamically manages user privileges and associated access authorizations.
CCI-000237 The organization manages information system accounts by specifically authorizing and monitoring the use of guest/anonymous accounts and temporary accounts.
CCI-000208 The organization determines normal time-of-day and duration usage for information system accounts.
CCI-001361 The organization defines a time period after which temporary accounts are automatically terminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 72 hours. The time period of 72 hours applies to temporary user accounts. DoD has defined the time period as 72 hours. The time period of 72 hours applies to temporary user accounts. Account Management | Removal Of Temporary / Emergency Accounts AC-2 (2) AC-2(2).2 This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
CCI-001365 The organization defines a time period after which emergency accounts are automatically terminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as never. The time period of never applies to emergency admin accounts. DoD has defined the time period as never. The time period of never applies to emergency admin accounts. Account Management | Removal Of Temporary / Emergency Accounts AC-2 (2) AC-2(2).3 This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
CCI-000217 The organization defines a time period after which inactive accounts are automatically disabled. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 35 days. DoD has defined the time period as 35 days. Account Management | Disable Inactive Accounts AC-2 (3) AC-2(3).2 The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
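CCI-000016, CCI-000017, CCI-001361 and CCI-000217 above fix the DoD values for AC-2 (2) and AC-2 (3): temporary accounts are removed or disabled after 72 hours and inactive accounts are disabled after 35 days, while CCI-001365 and CCI-001682 set the emergency-account period to never. The Python script below is an added example, not part of the DISA CCI list or any STIG, of the kind of account review an account manager or assessor would run over an account export to find accounts the automated mechanism should already have disabled. The Account record schema and the sample accounts are constructed for the example, and it assumes that inactivity is measured from the last logon (or from creation for an account that has never logged in).

```python
"""Added example, not part of the DISA CCI list: review an account export
against the DoD-defined AC-2 (2) and AC-2 (3) values quoted on this page.
The Account schema and the sample accounts are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

TEMP_ACCOUNT_MAX_AGE = timedelta(hours=72)  # DoD value for temporary accounts, AC-2 (2)
INACTIVE_MAX_IDLE = timedelta(days=35)      # DoD value for inactive accounts, AC-2 (3)
# Emergency accounts: the DoD-defined period is "never", so they are skipped below.


@dataclass
class Account:
    name: str
    kind: str                       # assumed values: individual, temporary, emergency, service
    created: datetime
    last_login: Optional[datetime]  # None if the account has never logged in
    enabled: bool


def find_violations(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for enabled accounts that the
    automated mechanism should already have disabled or removed."""
    findings = []
    for acct in accounts:
        if not acct.enabled or acct.kind == "emergency":
            continue
        if acct.kind == "temporary" and now - acct.created > TEMP_ACCOUNT_MAX_AGE:
            findings.append((acct.name, "temporary account older than 72 hours is still enabled"))
            continue
        # Assumption: inactivity runs from the last logon, or from creation if never used.
        last_activity = acct.last_login or acct.created
        if now - last_activity > INACTIVE_MAX_IDLE:
            findings.append((acct.name, "no logon for more than 35 days but still enabled"))
    return findings


NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [  # constructed sample data, not a real export
    Account("jdoe", "individual", NOW - timedelta(days=400), NOW - timedelta(days=3), True),
    Account("stale", "individual", NOW - timedelta(days=400), NOW - timedelta(days=40), True),
    Account("neverused", "individual", NOW - timedelta(days=36), None, True),
    Account("tmp-vendor", "temporary", NOW - timedelta(hours=80), NOW - timedelta(hours=1), True),
    Account("tmp-fresh", "temporary", NOW - timedelta(hours=10), None, True),
    Account("breakglass", "emergency", NOW - timedelta(days=900), NOW - timedelta(days=600), True),
    Account("old-disabled", "individual", NOW - timedelta(days=900), None, False),
]

if __name__ == "__main__":
    for name, finding in find_violations(SAMPLE_ACCOUNTS, NOW):
        print(f"{name}: {finding}")
```

Note the difference between this review and the host-level setting most STIG checks look at for AC-2 (3): on Linux, `INACTIVE=35` in `/etc/default/useradd` (or `chage -I 35`) locks an account 35 days after its password expires, not 35 days after its last logon, so a logon-based review like this one complements that setting rather than replacing it. Emergency accounts are skipped because the DoD-defined period is never; they still fall under the at-least-annual review in CCI-000012.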
CCI-001403 The information system automatically audits account modification actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account modification actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1403. The organization being inspected/assessed configures the information system to automatically audit account modification actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1403. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).2 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-001404 The information system automatically audits account disabling actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account disabling actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1404. The organization being inspected/assessed configures the information system to automatically audit account disabling actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1404. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).3 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-001405 The information system automatically audits account removal actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account removal actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1405. The organization being inspected/assessed configures the information system to automatically audit account removal actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1405. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).4 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-001406 The organization defines a time period of expected inactivity when users are required to log out. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as at the end of the user's standard work period unless otherwise defined in formal organizational policy. DoD has defined the time period as at the end of the user's standard work period unless otherwise defined in formal organizational policy. Account Management | Inactivity Logout AC-2 (5) AC-2(5).3 Related control: SC-23. The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].
CCI-001407 The organization administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. The organization conducting the inspection/assessment obtains and examines documented processes for privileged user account creation to ensure the organization being inspected/assessed administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. The organization being inspected/assessed documents and implements a process to administer privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. Account Management | Role-Based Schemes AC-2 (7) AC-2(7).2 Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
CCI-001354 The organization manages information system accounts by deactivating temporary accounts that are no longer required.
CCI-001355 The organization manages information system accounts by deactivating accounts of terminated or transferred users.
CCI-001356 The organization monitors for atypical usage of information system accounts.
CCI-001357 The organization reports atypical usage to designated organizational officials.
CCI-001358 The organization establishes privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. The organization conducting the inspection/assessment obtains and examines documented processes for privileged user account creation to ensure the organization being inspected/assessed establishes privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. The organization being inspected/assessed documents and implements a process to establish privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. Account Management | Role-Based Schemes AC-2 (7) AC-2(7).1 Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
CCI-001359 The organization tracks privileged role assignments.
CCI-001360 The organization monitors privileged role assignments. The organization conducting the inspection/assessment obtains and examines the audit trail of monitoring to ensure the organization being inspected/assessed monitors privileged role assignments. The organization being inspected/assessed implements a process to monitor privileged role assignments. The organization must maintain an audit trail of monitoring. Account Management | Role-Based Schemes AC-2 (7) AC-2(7).3 Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
CCI-001682 The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to never automatically remove or disable emergency accounts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1682. DoD has defined the time period as never. The organization being inspected/assessed configures the information system to never automatically remove or disable emergency accounts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1682. DoD has defined the time period as never. Account Management | Removal Of Temporary / Emergency Accounts AC-2 (2) AC-2(2).4 This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
CCI-001683 The information system notifies organization-defined personnel or roles for account creation actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account creation actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1683. DoD has defined the personnel or roles as the system administrator and ISSO. The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account creation actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1683. DoD has defined the personnel or roles as the system administrator and ISSO. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).5 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-001684 The information system notifies organization-defined personnel or roles for account modification actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account modification actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1684. DoD has defined the personnel or roles as the system administrator and ISSO. The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account modification actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1684. DoD has defined the personnel or roles as the system administrator and ISSO. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).6 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-001685 The information system notifies organization-defined personnel or roles for account disabling actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account disabling actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1685. DoD has defined the personnel or roles as the system administrator and ISSO. The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account disabling actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1685. DoD has defined the personnel or roles as the system administrator and ISSO. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).7 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-001686 The information system notifies organization-defined personnel or roles for account removal actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account removal actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1686. DoD has defined the personnel or roles as the system administrator and ISSO. The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account removal actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1686. DoD has defined the personnel or roles as the system administrator and ISSO. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).8 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-001548 The organization defines the information flow control policies for controlling the flow of information within the system. The organization conducting the inspection/assessment obtains and examines the documented information flow control policies to ensure the organization being inspected/assessed defines the information flow control policies for controlling the flow of information within the system. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information flow control policies for controlling the flow of information within the system. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. Information Flow Enforcement AC-4 AC-4.3 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001549 The organization defines the information flow control policies for controlling the flow of information between interconnected systems. The organization conducting the inspection/assessment obtains and examines the documented information flow control policies to ensure the organization being inspected/assessed defines the information flow control policies for controlling the flow of information between interconnected systems. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information flow control policies for controlling the flow of information between interconnected systems. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. Information Flow Enforcement AC-4 AC-4.4 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001550 The organization defines approved authorizations for controlling the flow of information within the system. The organization conducting the inspection/assessment obtains and examines the documented approved authorizations to ensure the organization being inspected/assessed defines approved authorizations for controlling the flow of information within the system. The organization being inspected/assessed defines and documents approved authorizations for controlling the flow of information within the system. Information Flow Enforcement AC-4 AC-4.5 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001551 The organization defines approved authorizations for controlling the flow of information between interconnected systems. The organization conducting the inspection/assessment obtains and examines the documented approved authorizations to ensure the organization being inspected/assessed defines approved authorizations for controlling the flow of information between interconnected systems. The organization being inspected/assessed defines and documents approved authorizations for controlling the flow of information between interconnected systems. Information Flow Enforcement AC-4 AC-4.6 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001552 The organization defines policy that allows or disallows information flows based on changing conditions or operational considerations.
CCI-001553 The organization defines the security policy filters that privileged administrators have the capability to enable/disable. The organization conducting the inspection/assessment obtains and examines the documented security policy filters to ensure the organization being inspected/assessed defines the security policy filters that privileged administrators have the capability to enable/disable. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security policy filters that privileged administrators have the capability to enable/disable. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. Information Flow Enforcement | Enable/Disable Security Policy Filters AC-4 (10) AC-4(10).2 For example, as allowed by the information system authorization, administrators can enable security policy filters to accommodate approved data types. The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions].
CCI-001554 The organization defines the security policy filters that privileged administrators have the capability to configure. The organization conducting the inspection/assessment obtains and examines the documented security policy filters to ensure the organization being inspected/assessed defines the security policy filters that privileged administrators have the capability to configure. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security policy filters that privileged administrators have the capability to configure. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. Information Flow Enforcement | Configuration Of Security Policy Filters AC-4 (11) AC-4(11).2 For example, to reflect changes in security policies, administrators can change the list of “dirty words” that security policy mechanisms check in accordance with the definitions provided by organizations. The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies.
CCI-001555 The information system uniquely identifies destination domains for information transfer.
CCI-001556 The information system uniquely authenticates destination domains for information transfer.
CCI-001557 The information system tracks problems associated with the information transfer.
CCI-000025 The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
CCI-000026 The information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to use protected processing domains to enforce information flow control policies defined in AC-4 (2), CCI 2191 as a basis for flow control decisions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 000026. The organization being inspected/assessed configures the information system to use protected processing domains to enforce information flow control policies defined in AC-4 (2), CCI 2191 as a basis for flow control decisions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 000026. Information Flow Enforcement | Processing Domains AC-4 (2) AC-4(2).1 Within information systems, protected processing domains are processing spaces that have controlled interactions with other processing spaces, thus enabling control of information flows between these spaces and to/from data/information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, information system processes are assigned to domains; information is identified by types; and information flows are controlled based on allowed information accesses (determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains. The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
CCI-000027 The information system enforces dynamic information flow control based on organization-defined policies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce dynamic information flow control based on policies defined in AC-4 (3), CCI 2192. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 27. The organization being inspected/assessed configures the information system to enforce dynamic information flow control based on policies defined in AC-4 (3), CCI 2192. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 27. Information Flow Enforcement | Dynamic Information Flow Control AC-4 (3) AC-4(3).1 Organizational policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include, for example, changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events. Related control: SI-4. The information system enforces dynamic information flow control based on [Assignment: organization-defined policies].
CCI-000028 The information system prevents encrypted information from bypassing content-checking mechanisms by employing organization-defined procedures or methods. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent encrypted information from bypassing content-checking mechanisms by employing procedures or methods defined in AC-4 (4), CCI 2193. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 28. The organization being inspected/assessed configures the information system to prevent encrypted information from bypassing content-checking mechanisms by employing procedures or methods defined in AC-4 (4), CCI 2193. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 28. Information Flow Enforcement | Content Check Encrypted Information AC-4 (4) AC-4(4).1 Related control: SI-4. The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].
CCI-000029 The information system enforces organization-defined limitations on the embedding of data types within other data types. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce limitations defined in AC-4 (5), CCI 1415 on the embedding of data types within other data types. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 29. The organization being inspected/assessed configures the information system to enforce limitations defined in AC-4 (5), CCI 1415 on the embedding of data types within other data types. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 29. Information Flow Enforcement | Embedded Data Types AC-4 (5) AC-4(5).1 Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes, for example, inserting executable files as objects within word processing files, inserting references or descriptive information into a media file, and compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools. The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types.
CCI-000030 The information system enforces information flow control based on organization-defined metadata. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce information flow control based on metadata defined in AC-4 (6), CCI 2194. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 30. The organization being inspected/assessed configures the information system to enforce information flow control based on metadata defined in AC-4 (6), CCI 2194. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 30. Information Flow Enforcement | Metadata AC-4 (6) AC-4(6).1 Metadata is information used to describe the characteristics of data. Metadata can include structural metadata describing data structures (e.g., data format, syntax, and semantics) or descriptive metadata describing data contents (e.g., age, location, telephone number). Enforcing allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata with regard to data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., ensuring sufficiently strong binding techniques with appropriate levels of assurance). Related controls: AC-16, SI-7. The information system enforces information flow control based on [Assignment: organization-defined metadata].
CCI-000031 The information system enforces organization-defined one-way flows using hardware mechanisms. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce one-way flows defined in AC-4 (7), CCI 1416 using hardware mechanisms. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 31. The organization being inspected/assessed configures the information system to enforce one-way flows defined in AC-4 (7), CCI 1416 using hardware mechanisms. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 31. Information Flow Enforcement | One-Way Flow Mechanisms AC-4 (7) AC-4(7).1 The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms.
CCI-000032 The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce information flow control using security policy filters defined in AC-4 (8), CCI 1417 as a basis for flow control decisions for all information flows. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 32. DoD has defined the information flows as all information flows. The organization being inspected/assessed configures the information system to enforce information flow control using security policy filters defined in AC-4 (8), CCI 1417 as a basis for flow control decisions for all information flows. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 32. DoD has defined the information flows as all information flows. Information Flow Enforcement | Security Policy Filters AC-4 (8) AC-4(8).1 Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives). The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
CCI-000033 The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision.
CCI-000034 The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for a privileged administrator to enable/disable security policy filters defined in AC-4 (10), CCI 1553 under conditions defined in AC-4 (10), CCI 2199. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 34. The organization being inspected/assessed configures the information system to provide the capability for a privileged administrator to enable/disable security policy filters defined in AC-4 (10), CCI 1553 under conditions defined in AC-4 (10), CCI 2199. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 34. Information Flow Enforcement | Enable/Disable Security Policy Filters AC-4 (10) AC-4(10).1 For example, as allowed by the information system authorization, administrators can enable security policy filters to accommodate approved data types. The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions].
CCI-000035 The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for privileged administrators to configure the security policy filters defined in AC-4 (11), CCI 1554 to support different security policies. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 35. The organization being inspected/assessed configures the information system to provide the capability for privileged administrators to configure the security policy filters defined in AC-4 (11), CCI 1554 to support different security policies. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 35. Information Flow Enforcement | Configuration Of Security Policy Filters AC-4 (11) AC-4(11).1 For example, to reflect changes in security policies, administrators can change the list of “dirty words” that security policy mechanisms check in accordance with the definitions provided by organizations. The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies.
CCI-000218 The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.
CCI-000219 The information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to decompose information into policy-relevant subcomponents defined in AC-4 (13), CCI 2202 for submission to policy enforcement mechanisms when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 219. The organization being inspected/assessed configures the information system to decompose information into policy-relevant subcomponents defined in AC-4 (13), CCI 2202 for submission to policy enforcement mechanisms when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 219. Information Flow Enforcement | Decomposition Into Policy-Relevant Subcomponents AC-4 (13) AC-4(13).1 Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains. Parsing transfer files facilitates policy decisions on source, destination, certificates, classification, attachments, and other security-related component differentiators. The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
CCI-000221 The information system enforces security policies regarding information on interconnected systems.
CCI-000223 The information system binds security attributes to information to facilitate information flow policy enforcement.
CCI-000224 The information system tracks problems associated with the security attribute binding.
CCI-001414 The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information between interconnected systems based on information flow control policies defined in AC-4, CCI 1549. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1414. The organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information between interconnected systems based on information flow control policies defined in AC-4, CCI 1549. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1414. Information Flow Enforcement AC-4 AC-4.2 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001415 The organization defines limitations for the embedding of data types within other data types. The organization conducting the inspection/assessment obtains and examines the documented limitations to ensure the organization being inspected/assessed defines the limitations of the embedding of data types within other data types. DoD has determined the limitations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the limitations of the embedding of data types within other data types. DoD has determined the limitations are not appropriate to define at the Enterprise level. Information Flow Enforcement | Embedded Data Types AC-4 (5) AC-4(5).2 Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes, for example, inserting executable files as objects within word processing files, inserting references or descriptive information into a media file, and compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools. The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types.
CCI-001416 The organization defines one-way information flows to be enforced by the information system. The organization conducting the inspection/assessment obtains and examines the documented one-way information flows to ensure the organization being inspected/assessed defines one-way information flows to be enforced by the information system. DoD has determined the one-way information flow is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents one-way information flows to be enforced by the information system. DoD has determined the one-way information flow is not appropriate to define at the Enterprise level. Information Flow Enforcement | One-Way Flow Mechanisms AC-4 (7) AC-4(7).2 The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms.
CCI-001417 The organization defines security policy filters to be enforced by the information system and used as a basis for flow control decisions. The organization conducting the inspection/assessment obtains and examines the documented security policy filters to ensure the organization being inspected/assessed defines security policy filters to be enforced by the information system and used as a basis for flow control decisions. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents security policy filters to be enforced by the information system and used as a basis for flow control decisions. DoD has determined the security policy filters are not appropriate to define at the Enterprise level. Information Flow Enforcement | Security Policy Filters AC-4 (8) AC-4(8).2 Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non-language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives). The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
CCI-001418 The organization defines security policy filters for which the information system enforces the use of human review.
CCI-001368 The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information within the system based on information flow control policies defined in AC-4, CCI 1548. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1368. The organization being inspected/assessed configures the information system to enforce approved authorizations for controlling the flow of information within the system based on information flow control policies defined in AC-4, CCI 1548. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1368. Information Flow Enforcement AC-4 AC-4.1 Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CCI-001371 The organization defines information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains. The organization conducting the inspection/assessment obtains and examines the documented information security policy filters to ensure the organization being inspected/assessed defines information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains. DoD has determined the frequency is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains. DoD has determined the information security policy filters are not appropriate to define at the Enterprise level. Information Flow Enforcement | Security Policy Filter Constraints AC-4 (14) AC-4(14).1 Data structure and content restrictions reduce the range of potential malicious and/or unsanctioned content in cross-domain transactions. Security policy filters that restrict data structures include, for example, restricting file sizes and field lengths. Data content policy filters include, for example: (i) encoding formats for character sets (e.g., Universal Character Set Transformation Formats, American Standard Code for Information Interchange); (ii) restricting character data fields to only contain alpha-numeric characters; (iii) prohibiting special characters; and (iv) validating schema structures. The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content.
CCI-001372 The information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement security policy filters defined in AC-4 (14), CCI 1371 requiring fully enumerated formats that restrict data structure and content. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1372. The organization being inspected/assessed configures the information system to implement security policy filters defined in AC-4 (14), CCI 1371 requiring fully enumerated formats that restrict data structure and content. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1372. Information Flow Enforcement | Security Policy Filter Constraints AC-4 (14) AC-4(14).2 Data structure and content restrictions reduce the range of potential malicious and/or unsanctioned content in cross-domain transactions. Security policy filters that restrict data structures include, for example, restricting file sizes and field lengths. Data content policy filters include, for example: (i) encoding formats for character sets (e.g., Universal Character Set Transformation Formats, American Standard Code for Information Interchange); (ii) restricting character data fields to only contain alpha-numeric characters; (iii) prohibiting special characters; and (iv) validating schema structures. The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content.
CCI-001373 The information system, when transferring information between different security domains, examines the information for the presence of organization-defined unsanctioned information. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to examine the information for the presence of unsanctioned information defined in AC-4 (15), CCI 2203 when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1373. The organization being inspected/assessed configures the information system to examine the information for the presence of unsanctioned information defined in AC-4 (15), CCI 2203 when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1373. Information Flow Enforcement | Detection Of Unsanctioned Information AC-4 (15) AC-4(15).1 Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Related control: SI-3. The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy].
CCI-001374 The information system, when transferring information between different security domains, prohibits the transfer of organization-defined unsanctioned information in accordance with the organization-defined security policy. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit the transfer of unsanctioned information defined in AC-4 (15), CCI 2203 in accordance with the security policy defined in AC-4 (15), CCI 2204. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1374. The organization being inspected/assessed configures the information system to prohibit the transfer of unsanctioned information defined in AC-4 (15), CCI 2203 in accordance with the security policy defined in AC-4 (15), CCI 2204. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1374. Information Flow Enforcement | Detection Of Unsanctioned Information AC-4 (15) AC-4(15).2 Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Related control: SI-3. The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy].
CCI-001376 The information system uniquely identifies source domains for information transfer.
CCI-001377 The information system uniquely authenticates source domains for information transfer.
CCI-001558 The organization defines the security functions (deployed in hardware, software, and firmware) for which access must be explicitly authorized. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security functions as all functions not publicly accessible. DoD has defined the security functions as all functions not publicly accessible. Least Privilege | Authorize Access To Security Functions AC-6 (1) AC-6(1).1 Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19. The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
CCI-000038 The organization explicitly authorizes access to organization-defined security functions and security-relevant information.
CCI-000039 The organization requires that users of information system accounts or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires that users of information system accounts or roles, with access to any privileged security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. The organization being inspected/assessed documents and implements a process to require that users of information system accounts or roles, with access to any privileged security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. Least Privilege | Non-Privileged Access For Nonsecurity Functions AC-6 (2) AC-6(2).1 This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Related control: PL-4. The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.
CCI-000040 The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
CCI-000041 The organization authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs. The organization conducting the inspection/assessment obtains and examines a sampling of network access authorizations to ensure the organization being inspected/assessed authorizes network access to privileged commands defined in AC-6 (3), CCI 1420 only for compelling operational needs defined in AC-6 (3), CCI 2224. The organization being inspected/assessed authorizes network access to privileged commands defined in AC-6 (3), CCI 1420 only for compelling operational needs defined in AC-6 (3), CCI 2224. Least Privilege | Network Access To Privileged Commands AC-6 (3) AC-6(3).1 Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
CCI-000042 The organization documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system. The organization conducting the inspection/assessment obtains and examines the documented rationale to ensure the organization being inspected/assessed documents the rationale for authorized network access to privileged commands defined in AC-6 (3), CCI 1420 in the security plan for the information system. The organization being inspected/assessed documents the rationale for authorized network access to privileged commands defined in AC-6 (3), CCI 1420 in the security plan for the information system. Least Privilege | Network Access To Privileged Commands AC-6 (3) AC-6(3).2 Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
CCI-000225 The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. The organization conducting the inspection/assessment obtains and examines the documented processes to ensure that the organization being inspected/assessed implements the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. The organization being inspected/assessed documents and implements the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. Least Privilege AC-6 AC-6.1 Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2. The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
CCI-000226 The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.
CCI-001419 The organization defines the security functions or security-relevant information to which users of information system accounts, or roles, have access. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. DoD has defined the security functions and security-relevant information as any privileged security functions or security-relevant information. Least Privilege | Non-Privileged Access For Nonsecurity Functions AC-6 (2) AC-6(2).2 This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Related control: PL-4. The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.
CCI-001420 The organization defines the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs. The organization conducting the inspection/assessment obtains and examines the documented privileged commands to ensure the organization being inspected/assessed defines the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs. DoD has determined the privileged commands are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs. DoD has determined the privileged commands are not appropriate to define at the Enterprise level. Least Privilege | Network Access To Privileged Commands AC-6 (3) AC-6(3).3 Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
CCI-001421 The organization limits authorization to super user accounts on the information system to designated system administration personnel.
CCI-001422 The organization prohibits privileged access to the information system by non-organizational users. The organization conducting the inspection/assessment obtains and examines the access authorization process as well as a sampling of information system access agreements to ensure that the organization being inspected/assessed prohibits privileged access to the information system by non-organizational users. The organization being inspected/assessed implements, as a step in the access authorization process, a check to prohibit privileged access to the information system by non-organizational users. Least Privilege | Privileged Access By Non-Organizational Users AC-6 (6) AC-6(6).1 Related control: IA-8. The organization prohibits privileged access to the information system by non-organizational users.
CCI-001559 The organization identifies the individuals authorized to change the value of associated security attributes. The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies the individuals authorized to change the value of associated security attributes. The organization being inspected/assessed identifies and documents the individuals authorized to change the value of associated security attributes. Security Attributes | Attribute Value Changes By Authorized Individuals AC-16 (2) AC-16(2).2 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals. Related controls: AC-6, AU-2. The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
CCI-001560 The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined objects. The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies individuals (or processes acting on behalf of individuals) authorized to associate security attributes defined in AC-16 (4), CCI 2288 with objects defined in AC-16 (4), CCI 2287. The organization being inspected/assessed identifies and documents individuals (or processes acting on behalf of individuals) authorized to associate security attributes defined in AC-16 (4), CCI 2288 with objects defined in AC-16 (4), CCI 2287. Security Attributes | Association Of Attributes By Authorized Individuals AC-16 (4) AC-16(4).1 The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
CCI-001424 The information system dynamically associates security attributes with organization-defined subjects in accordance with organization-defined security policies as information is created and combined. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically associate security attributes with the subjects defined in AC-16 (1), CCI 2274 in accordance with the security policies defined in AC-16 (1), CCI 2273 as information is created and combined. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1424. The organization being inspected/assessed configures the information system to dynamically associate security attributes with the subjects defined in AC-16 (1), CCI 2274 in accordance with the security policies defined in AC-16 (1), CCI 2273 as information is created and combined. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1424. Security Attributes | Dynamic Attribute Association AC-16 (1) AC-16(1).1 Dynamic association of security attributes is appropriate whenever the security characteristics of information changes over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined.
CCI-001425 The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1425. The organization being inspected/assessed configures the information system to provide authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1425. Security Attributes | Attribute Value Changes By Authorized Individuals AC-16 (2) AC-16(2).1 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals. Related controls: AC-6, AU-2. The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
CCI-001426 The information system maintains the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions.
CCI-001427 The information system allows authorized users to associate security attributes with information.
CCI-001428 The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display security attributes in human readable form on each object that the system transmits to output devices to identify special dissemination, handling, or distribution instructions defined in AC-16 (5), CCI 1429 using human readable, standard naming conventions defined in AC-16 (5), CCI 1430. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1428. The organization being inspected/assessed configures the information system to display security attributes in human readable form on each object that the system transmits to output devices to identify special dissemination, handling, or distribution instructions defined in AC-16 (5), CCI 1429 using human readable, standard naming conventions defined in AC-16 (5), CCI 1430. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1428. Security Attributes | Attribute Displays For Output Devices AC-16 (5) AC-16(5).1 Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants. The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].
CCI-001429 The organization identifies special dissemination, handling, or distribution instructions for identifying security attributes on output. DoD has defined the instructions as for instructions relating to classification, special dissemination, handling, or distribution instructions IAW DODI 5200.1R; for SCI and SAP, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other instructions, not appropriate to define at the Enterprise level. The organization conducting the inspection/assessment obtains and examines the documented instructions not relating to classification to ensure the organization being inspected/assessed identifies special dissemination, handling, or distribution instructions for identifying security attributes on output. DoD has defined the instructions as for instructions relating to classification, special dissemination, handling, or distribution instructions IAW DODI 5200.1R; for SCI and SAP, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other instructions, not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents special dissemination, handling, or distribution instructions not relating to classification, for identifying security attributes on output. Security Attributes | Attribute Displays For Output Devices AC-16 (5) AC-16(5).2 Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants. The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].
CCI-001430 The organization identifies human-readable, standard naming conventions for identifying security attributes on output. DoD has defined the human readable, standard naming conventions for security attributes relating to classification as human readable, standard naming conventions IAW DODI 5200.1R; for TS SCI, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other security attributes, not appropriate to define at the Enterprise level. The organization conducting the inspection/assessment obtains and examines the documented security attributes not relating to classification to ensure the organization being inspected/assessed identifies human readable, standard naming conventions for identifying security attributes on output. DoD has defined the human readable, standard naming conventions for security attributes relating to classification as human readable, standard naming conventions IAW DODI 5200.1R; for TS SCI, IAW Controlled Access Program Coordination Office (CAPCO) register. For all other security attributes, not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents all other security attributes not relating to classification. Security Attributes | Attribute Displays For Output Devices AC-16 (5) AC-16(5).3 Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants. The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].
CCI-001396 The organization defines security attributes for which the information system supports and maintains the bindings for information in storage.
CCI-001397 The organization defines security attributes for which the information system supports and maintains the bindings for information in process.
CCI-001398 The organization defines security attributes for which the information system supports and maintains the bindings for information in transmission.
CCI-001399 The information system supports and maintains the binding of organization-defined security attributes to information in storage.
CCI-001400 The information system supports and maintains the binding of organization-defined security attributes to information in process.
CCI-001401 The information system supports and maintains the binding of organization-defined security attributes to information in transmission.
CCI-001561 The organization defines managed access control points for remote access to the information system. The organization conducting the inspection/assessment obtains and examines the documented managed access points to ensure the organization being inspected/assessed defines managed access control points for remote access to the information system. The organization being inspected/assessed defines and documents managed access control points for remote access to the information system. Remote Access | Managed Access Control Points AC-17 (3) AC-17(3).2 Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
CCI-001562 The organization defines the appropriate action(s) to be taken if an unauthorized remote connection is discovered.
CCI-000063 The organization defines allowed methods of remote access to the information system. The organization conducting the inspection/assessment obtains and examines the documented methods to ensure the organization being inspected/assessed defines allowed methods of remote access to the information system. DoD has determined the allowed methods of remote access are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the allowed methods of remote access to the information system. The methods should be defined IAW ports, protocols, and service requirements, as well as access control requirements for any STIGs applicable to the technology in use. DoD has determined the allowed methods of remote access are not appropriate to define at the Enterprise level. Remote Access AC-17 AC-17.1 Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections.
CCI-000064 The organization establishes usage restrictions and implementation guidance for each allowed remote access method.
CCI-000065 The organization authorizes remote access to the information system prior to allowing such connections. The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes remote access to the information system prior to allowing such connections. The organization being inspected/assessed authorizes remote access to the information system prior to allowing such connections. The organization must maintain an audit trail of authorizations. Remote Access AC-17 AC-17.5 Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections.
CCI-000066 The organization enforces requirements for remote connections to the information system.
CCI-000067 The information system monitors remote access methods. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to monitor remote access methods. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 67. The organization being inspected/assessed configures the information system to monitor remote access methods. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 67. Remote Access | Automated Monitoring / Control AC-17 (1) AC-17(1).1 Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. The information system monitors and controls remote access methods.
CCI-000068 The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the confidentiality of remote access sessions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 68. The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the confidentiality of remote access sessions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 68. Remote Access | Protection Of Confidentiality / Integrity Using Encryption AC-17 (2) AC-17(2).1 The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
CCI-000069 The information system routes all remote accesses through an organization-defined number of managed network access control points. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to route all remote accesses through the number of managed network access control points defined in AC-17 (3), CCI 2315. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 69. The organization being inspected/assessed configures the information system to route all remote accesses through the number of managed network access control points defined in AC-17 (3), CCI 2315. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 69. Remote Access | Managed Access Control Points AC-17 (3) AC-17(3).1 Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
CCI-000070 The organization authorizes the execution of privileged commands via remote access only for organization-defined needs. The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes the execution of privileged commands via remote access only for needs defined in AC-17 (4), CCI 2317. The organization being inspected/assessed authorizes the execution of privileged commands via remote access only for needs defined in AC-17 (4), CCI 2317. The organization being inspected/assessed maintains an audit trail of authorizations. Remote Access | Privileged Commands / Access AC-17 (4) AC-17(4).1 Related control: AC-6. The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system.
CCI-000071 The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency.
CCI-000072 The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. The organization conducting the inspection/assessment obtains and examines the documented process to ensure that the organization being inspected/assessed ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. The organization being inspected/assessed implements and documents a process to ensure that users protect information about remote access mechanisms from unauthorized use and disclosure. Remote Access | Protection Of Information AC-17 (6) AC-17(6).1 Related controls: AT-2, AT-3, PS-6. The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
CCI-000079 The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ organization-defined additional security measures.
CCI-001431 The organization defines a frequency for monitoring for unauthorized remote connections to the information system.
CCI-001432 The organization takes appropriate action if an unauthorized remote connection to the information system is discovered.
CCI-001433 The organization defines a list of security functions and security-relevant information that for remote access sessions have organization-defined security measures employed and are audited.
CCI-001434 The organization defines additional security measures to be employed when an organization-defined list of security functions and security-relevant information is accessed remotely.
CCI-001435 The organization defines networking protocols within the information system deemed to be nonsecure.
CCI-001436 The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
CCI-001437 The organization documents the rationale for the execution of privileged commands and access to security-relevant information in the security plan for the information system.
CCI-001453 The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of remote access sessions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1453. The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of remote access sessions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1453. Remote Access | Protection Of Confidentiality / Integrity Using Encryption AC-17 (2) AC-17(2).2 The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
CCI-001454 The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.
CCI-001455 The organization explicitly identifies components needed in support of specific operational requirements.
CCI-001402 The organization monitors for unauthorized remote access to the information system.
CCI-001563 The organization defines the appropriate action(s) to be taken if an unauthorized wireless connection is discovered.
CCI-001438 The organization establishes usage restrictions for wireless access. The organization conducting the inspection/assessment obtains and examines documented usage restrictions to ensure the organization being inspected/assessed establishes usage restrictions for wireless access. The organization being inspected/assessed establishes and documents usage restrictions for wireless access. Wireless Access AC-18 AC-18.1 Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. The organization: a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b. Authorizes wireless access to the information system prior to allowing such connections.
CCI-001439 The organization establishes implementation guidance for wireless access. The organization conducting the inspection/assessment obtains and examines the documented implementation guidance to ensure the organization being inspected/assessed establishes implementation guidance for wireless access. The organization being inspected/assessed establishes and documents implementation guidance for wireless access. Wireless Access AC-18 AC-18.2 Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. The organization: a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b. Authorizes wireless access to the information system prior to allowing such connections.
CCI-001440 The organization monitors for unauthorized wireless access to the information system.
CCI-001441 The organization authorizes wireless access to the information system prior to allowing such connections. The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes wireless access to the information system prior to allowing such connections. The organization being inspected/assessed authorizes wireless access to the information system prior to allowing such connections. The organization must maintain an audit trail of authorizations. Wireless Access AC-18 AC-18.4 Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. The organization: a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b. Authorizes wireless access to the information system prior to allowing such connections.
CCI-001442 The organization enforces requirements for wireless connections to the information system.
CCI-001443 The information system protects wireless access to the system using authentication of users and/or devices. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect wireless access to the system using authentication of users and/or devices. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1443. The organization being inspected/assessed configures the information system to protect wireless access to the system using authentication of users and/or devices. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1443. Wireless Access | Authentication And Encryption AC-18 (1) AC-18(1).1 Related controls: SC-8, SC-13. The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
CCI-001444 The information system protects wireless access to the system using encryption. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect wireless access to the system using encryption. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1444. The organization being inspected/assessed configures the information system to protect wireless access to the system using encryption. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1444. Wireless Access | Authentication And Encryption AC-18 (1) AC-18(1).2 Related controls: SC-8, SC-13. The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
CCI-001445 The organization monitors for unauthorized wireless connections to the information system on an organization-defined frequency.
CCI-001446 The organization scans for unauthorized wireless access points on an organization-defined frequency.
CCI-001447 The organization defines a frequency of monitoring for unauthorized wireless connections to information system, including scans for unauthorized wireless access points.
CCI-001448 The organization takes appropriate action if an unauthorized wireless connection is discovered.
CCI-001449 The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. The organization conducting the inspection/assessment obtains and examines a sampling of information systems to ensure that any internally embedded wireless networking capabilities are disabled unless a documented need exists. The organization being inspected/assessed documents and implements a process to disable wireless networking capabilities internally embedded within information system components prior to issuance and deployment when not intended for use. Wireless Access | Disable Wireless Networking AC-18 (3) AC-18(3).1 Related control: AC-19. The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
CCI-001450 The organization does not allow users to independently configure wireless networking capabilities.
CCI-001451 The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. The organization conducting the inspection/assessment obtains and examines the documentation from radio antenna installation to ensure that the organization being inspected/assessed selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. The organization being inspected/assessed documents and implements a process to select radio antennas and calibrate transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. Wireless Access | Antennas / Transmission Power Levels AC-18 (5) AC-18(5).1 Actions that may be taken by organizations to limit unauthorized use of wireless communications outside of organization-controlled boundaries include, for example: (i) reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be used by adversaries outside of the physical perimeters of organizations; (ii) employing measures such as TEMPEST to control wireless emanations; and (iii) using directional/beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational information systems as well as other systems that may be operating in the area. Related control: PE-19. The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
CCI-001564 The organization defines the frequency of security awareness and training policy reviews and updates. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. Security Awareness And Training Policy And Procedures AT-1 AT-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-001565 The organization defines the frequency of security awareness and training procedure reviews and updates. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate. DoD has defined the frequency as reviewed annually - updated as appropriate. Security Awareness And Training Policy And Procedures AT-1 AT-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000100 The organization develops and documents a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Comment: The organization's use of their higher command policy/procedures meets this requirement if more stringent. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Comment: DoDD 8570.01 will be updated with DoDD 8140 once signed. The organization's use of their higher command policy/procedures meets this requirement if more stringent. Security Awareness And Training Policy And Procedures AT-1 AT-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000101 The organization disseminates a security awareness and training policy to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD disseminates DoDD 8570.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html Security Awareness And Training Policy And Procedures AT-1 AT-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000102 The organization reviews and updates the current security awareness and training policy in accordance with organization-defined frequency. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Security Awareness And Training Policy And Procedures AT-1 AT-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000103 The organization develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls within DoDD 8570.01. DISA's DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Security Awareness And Training Policy And Procedures AT-1 AT-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000104 The organization disseminates security awareness and training procedures to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the roles as organizational personnel with security awareness and training responsibilities. DoD disseminates DoDD 8570.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the roles as organizational personnel with security awareness and training responsibilities. Security Awareness And Training Policy And Procedures AT-1 AT-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-000105 The organization reviews and updates the current security awareness and training procedures in accordance with an organization-defined frequency. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the frequency as annually. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the frequency as annually. Security Awareness And Training Policy And Procedures AT-1 AT-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-001566 The organization provides organization-defined personnel or roles with initial training in the employment and operation of physical security controls. The organization conducting the inspection/assessment obtains and examines: 1. Documentation of physical security controls that require training. 2. Documented list of personnel defined in AT-3 (2), CCI 2051. 3. Ensures identified personnel have received the initial training. The organization being inspected/assessed: 1. Identifies and documents physical security controls that require training. 2. Identifies the personnel defined in AT-3 (2), CCI 2051. 3. Ensures designated personnel receive this training. 4. Maintains and monitors records of personnel who have received this training. Security Training | Physical Security Controls AT-3 (2) AT-3(2).1 Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
CCI-001567 The organization provides organization-defined personnel or roles with refresher training in the employment and operation of physical security controls in accordance with the organization-defined frequency. The organization conducting the inspection/assessment obtains and examines: 1. Documentation of physical security controls that require training. 2. Documented list of personnel defined in AT-3 (2), CCI 2051. 3. Ensures identified personnel have received training annually. DoD has defined the frequency as annual. The organization being inspected/assessed: 1. Identifies and documents physical security controls that require training. 2. Identifies personnel defined in AT-3 (2), CCI 2051. 3. Ensures designated personnel receive this training annually. 4. Maintains and monitors records of personnel who have received this training. DoD has defined the frequency as annual. Security Training | Physical Security Controls AT-3 (2) AT-3(2).2 Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
CCI-001568 The organization defines a frequency for providing employees with refresher training in the employment and operation of physical security controls. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annual. DoD has defined the frequency as annual. Security Training | Physical Security Controls AT-3 (2) AT-3(2).3 Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
CCI-000108 The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT for privileged users is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT for privileged users is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Role-Based Security Training AT-3 AT-3.1 Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000109 The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes. The organization conducting the inspection/assessment obtains and examines documented records (IAW AT-4) of their privileged users' training. Privileged-user-type security-related education/training available through DISA IASE (e.g. VTE, Skill Soft, other professional sources) meets the provision of this control. The organization being inspected/assessed may define specific requirements within the above listed sources for their personnel. Role-Based Security Training AT-3 AT-3.2 Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000110 The organization provides refresher role-based security training to personnel with assigned security roles and responsibilities in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines documented records (IAW AT-4) of their privileged users' training. Privileged-user-type security-related education/training available through DISA IASE (e.g. VTE, Skill Soft, other professional sources) meets the provision of this control. The organization being inspected/assessed may define specific requirements within the above listed sources for their personnel. Role-Based Security Training AT-3 AT-3.3 Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000111 The organization defines a frequency for providing refresher role-based security training. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Role-Based Security Training AT-3 AT-3.4 Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-001481 The organization provides organization-defined personnel or roles with initial training in the employment and operation of environmental controls. The organization conducting the inspection/assessment obtains and examines: 1. Documentation of environmental controls that require training. 2. Documented list of personnel defined in AT-3 (1), CCI 2050. 3. Ensures identified personnel have received the initial training. The organization being inspected/assessed: 1. Identifies and documents environmental controls that require training. 2. Identifies the personnel defined in AT-3 (1), CCI 2050. 3. Ensures designated personnel receive this training. 4. Maintains and monitors records of personnel who have received this training. Security Training | Environmental Controls AT-3 (1) AT-3(1).1 Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
CCI-001482 The organization provides organization-defined personnel or roles with refresher training in the employment and operation of environmental controls in accordance with the organization-defined frequency. The organization conducting the inspection/assessment obtains and examines: 1. Documentation of environmental controls that require training. 2. Documented list of personnel defined in AT-3 (1), CCI 2050. 3. Ensures identified personnel have received training annually. DoD has defined the frequency as annually. The organization being inspected/assessed: 1. Identifies and documents environmental controls that require training. 2. Identifies the personnel defined in AT-3 (1), CCI 2050. 3. Ensures designated personnel receive this training annually. 4. Maintains and monitors records of personnel who have received this training. DoD has defined the frequency as annually. Security Training | Environmental Controls AT-3 (1) AT-3(1).2 Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
CCI-001483 The organization defines a frequency for providing employees with refresher training in the employment and operation of environmental controls. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annual. DoD has defined the frequency as annual. Security Training | Environmental Controls AT-3 (1) AT-3(1).3 Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
CCI-001569 The organization defines the frequency on which it will review and update the audit and accountability policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Audit And Accountability Policy And Procedures AU-1 AU-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-001570 The organization defines the frequency on which it will review and update the audit and accountability procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Audit And Accountability Policy And Procedures AU-1 AU-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-000117 The organization develops and documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization conducting the inspection/assessment obtains and examines the audit and accountability policy to ensure that the audit and accountability policy addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization being inspected/assessed develops and documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Audit And Accountability Policy And Procedures AU-1 AU-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-000118 The organization disseminates a formal, documented, audit and accountability policy to elements within the organization having associated audit and accountability roles and responsibilities.
CCI-000119 The organization reviews and updates the audit and accountability policy on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the audit and accountability policy annually. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates the audit and accountability policy annually. The organization must maintain an audit trail of reviews and updates. Any changes or acceptance of the document without change must be captured in the audit trail. DoD has defined the frequency as annually. Audit And Accountability Policy And Procedures AU-1 AU-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-000120 The organization develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. The organization conducting the inspection/assessment obtains and examines the audit and accountability procedures to ensure that the procedures facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. The organization being inspected/assessed develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. Audit And Accountability Policy And Procedures AU-1 AU-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-000121 The organization disseminates formal, documented, procedures to elements within the organization having associated audit and accountability roles and responsibilities.
CCI-000122 The organization reviews and updates the audit and accountability procedures on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the audit and accountability procedures annually. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates the audit and accountability procedures annually. The organization must maintain an audit trail of reviews and updates. Any changes or acceptance of the document without change must be captured in the audit trail. DoD has defined the frequency as annually. Audit And Accountability Policy And Procedures AU-1 AU-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-001571
CCI Definition: The organization defines the information system auditable events.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information system auditable events as:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart
CCI Guidance: DoD has defined the information system auditable events as:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.2
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization:
  a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
  c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
  d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-000123
CCI Definition: The organization determines the information system must be capable of auditing an organization-defined list of auditable events.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documentation of the auditable events to ensure the information system is capable of auditing the:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart
DoD has defined the information system auditable events as successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels); successful and unsuccessful logon attempts; privileged activities or other system level access; starting and ending time for user access to the system; concurrent logons from different workstations; successful and unsuccessful accesses to objects; all program initiations; all direct access to the information system; all account creations, modifications, disabling, and terminations; and all kernel module load, unload, and restart.
CCI Guidance: The organization being inspected/assessed determines whether the information system is capable of auditing:
- Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels)
- Successful and unsuccessful logon attempts
- Privileged activities or other system level access
- Starting and ending time for user access to the system
- Concurrent logons from different workstations
- Successful and unsuccessful accesses to objects
- All program initiations
- All direct access to the information system
- All account creations, modifications, disabling, and terminations
- All kernel module load, unload, and restart
The organization must document those auditable events that are not captured. DoD has defined the information system auditable events as successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g. classification levels); successful and unsuccessful logon attempts; privileged activities or other system level access; starting and ending time for user access to the system; concurrent logons from different workstations; successful and unsuccessful accesses to objects; all program initiations; all direct access to the information system; all account creations, modifications, disabling, and terminations; and all kernel module load, unload, and restart.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.1
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization:
  a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
  c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
  d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-000124
CCI Definition: The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the audit and accountability policy and procedures as well as artifacts of the coordination to determine if coordination is necessary and, if necessary, whether it has been performed.
CCI Guidance: The organization being inspected/assessed documents and implements within the audit and accountability policy and procedures a process to coordinate the additional auditable events. The objective is to enhance mutual support and to help guide the selection of auditable events. The organization must maintain artifacts of the coordination.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.3
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization:
  a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
  c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
  d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-000125
CCI Definition: The organization provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the audit and accountability policy and procedures to ensure the organization being inspected/assessed has defined the auditable system events and the rationale for the selection, and that the organization has defined how the auditable events will support after-action investigations of security events.
CCI Guidance: The organization being inspected/assessed documents in the audit and accountability policy the list of auditable system events and provides a clearly stated rationale for the selection of each system event. The rationale will support any after-action investigations of security events.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.4
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization:
  a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
  c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
  d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-000126
CCI Definition: The organization determines that the organization-defined subset of the auditable events defined in AU-2 are to be audited within the information system.
CCI Auditor: The organization conducting the inspection/assessment reviews the documented audit process as well as audit logs to ensure that the organization being inspected/assessed audits all auditable events defined in AU-2 (a) per occurrence. DoD has defined the actions as all auditable events defined in AU-2 (a) per occurrence.
CCI Guidance: The organization conducting the inspection/assessment reviews the documented audit process as well as audit logs to ensure that the organization being inspected/assessed audits all auditable events defined in AU-2 (a) per occurrence. DoD has defined the actions as all auditable events defined in AU-2 (a) per occurrence.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.5
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization:
  a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
  c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
  d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-000127
CCI Definition: The organization reviews and updates the list of organization-defined audited events on an organization-defined frequency.
CCI Auditor: The organization conducting the inspection/assessment reviews the audit trail showing reviews and updates to the list of audited events to ensure that the list is reviewed and updated annually or more frequently upon changes to situational awareness of threats or vulnerabilities. DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities.
CCI Guidance: The organization being inspected/assessed will conduct reviews of the list of auditable events as defined in AU-2 (d), CCI 1485 annually or more frequently upon changes to situational awareness of threats or vulnerabilities. The organization will generate and maintain an audit trail to document the completion of the review and update actions. DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities.
Control Name: Audit Events | Reviews And Updates
Control: AU-2 (3)
Assessment Procedure: AU-2(3).1
Control Guidance: Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.
Control Definition: The organization reviews and updates the audited events [Assignment: organization-defined frequency].

CCI-000128
CCI Definition: The organization includes execution of privileged functions in the list of events to be audited by the information system.

CCI-000129
CCI Definition: The organization defines in the auditable events that the information system must be capable of auditing based on a risk assessment and mission/business needs.

CCI-001484
CCI Definition: The organization defines frequency of (or situation requiring) auditing for each identified event.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as all auditable events defined in AU-2 (a) per occurrence.
CCI Guidance: DoD has defined the frequency as all auditable events defined in AU-2 (a) per occurrence.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.6
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization:
  a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
  c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
  d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-001485
CCI Definition: The organization defines the events which are to be audited on the information system on an organization-defined frequency of (or situation requiring) auditing for each identified event.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented list of events which are to be audited on the information system to ensure those events have been defined. DoD has determined that the events are not appropriate to define at the Enterprise level.
CCI Guidance: The organization being inspected/assessed defines and documents events which are to be audited on the information system. Events should be selected from the events the information system is capable of auditing as defined in AU-2 (a) and should be based on ongoing risk assessments of current threat information and environment. DoD has determined that the events are not appropriate to define at the Enterprise level.
Control Name: Audit Events
Control: AU-2
Assessment Procedure: AU-2.7
Control Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Definition: The organization:
  a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
  c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
  d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

CCI-001486
CCI Definition: The organization defines a frequency for reviewing and updating the list of organization-defined auditable events.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities.
CCI Guidance: DoD has defined the frequency as annually or more frequently upon changes to situational awareness of threats or vulnerabilities.
Control Name: Audit Events | Reviews And Updates
Control: AU-2 (3)
Assessment Procedure: AU-2(3).2
Control Guidance: Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.
Control Definition: The organization reviews and updates the audited events [Assignment: organization-defined frequency].

CCI-001572
CCI Definition: The organization defines the personnel or roles to be alerted in the event of an audit processing failure.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles who should be alerted in the event of audit processing failure to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles. DoD has defined the personnel or roles as, at a minimum, the SCA and ISSO.
CCI Guidance: The organization being inspected/assessed defines and documents any personnel or roles, in addition to the SCA and ISSO, who shall be alerted in the event of audit processing failure. If there are no additional personnel or roles, the organization must also document that. DoD has defined the personnel or roles as, at a minimum, the SCA and ISSO.
Control Name: Response To Audit Processing Failures
Control: AU-5
Assessment Procedure: AU-5.2
Control Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12.
Control Definition: The information system:
  a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
  b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

CCI-001573 The organization defines whether to reject or delay network traffic that exceeds organization-defined thresholds. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the action to take as delay. DoD has defined the action to take as delay. Response To Audit Processing Failures | Configurable Traffic Volume Thresholds AU-5 (3) AU-5(3).2 Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
CCI-001574 The information system rejects or delays, as defined by the organization, network traffic which exceeds the organization-defined thresholds. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859. DoD has defined the action to take as delay. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1574. The organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859. DoD has defined the action to take as delay. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1574. Response To Audit Processing Failures | Configurable Traffic Volume Thresholds AU-5 (3) AU-5(3).3 Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
CCI-000139 The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to alert at a minimum, the SCA and ISSO in the event of an audit processing failure. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 139. DoD has defined the personnel or roles as at a minimum, the SCA and ISSO. The organization being inspected/assessed configures the information system to alert at a minimum, the SCA and ISSO in the event of an audit processing failure. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 139. DoD has defined the personnel or roles as at a minimum, the SCA and ISSO. Response To Audit Processing Failures AU-5 AU-5.1 Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
CCI-000140 The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to take actions as defined in AU-5, CCI 1490 upon audit failure. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 140. The organization being inspected/assessed configures the information system to take actions as defined in AU-5, CCI 1490 upon audit failure. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 140. Response To Audit Processing Failures AU-5 AU-5.3 Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
CCI-000143 The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
CCI-000144 The information system provides a real-time alert when organization-defined audit failure events occur.
CCI-000145 The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity by delaying or rejecting network traffic which exceeds the organization-defined thresholds. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859. DoD has defined the action to take as delay. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 145. The organization being inspected/assessed configures the information system to delay network communications traffic exceeding the thresholds defined in AU-5 (3), CCI 1859. DoD has defined the action to take as delay. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 145. Response To Audit Processing Failures | Configurable Traffic Volume Thresholds AU-5 (3) AU-5(3).1 Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
CCI-000146 The organization defines the percentage of maximum audit record storage capacity that, when exceeded, triggers a warning.
CCI-000147 The organization defines the audit failure events requiring real-time alerts. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the audit failure events as all. DoD has defined the audit failure events as all. Response To Audit Processing Failures | Real-Time Alerts AU-5 (2) AU-5(2).1 Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
CCI-001343 The information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
CCI-001490 The organization defines actions to be taken by the information system upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed has defined the actions to be taken by the information system upon audit failure. DoD has determined that the actions are not appropriate to define at the Enterprise level. The organization being inspected/assessed will define and document actions to be taken by the information system upon audit failure. The organization shall consider trade-offs between the needs for system availability and audit integrity when defining the actions. Unless availability is an overriding concern, the default action should be to shut down the information system. DoD has determined that the actions are not appropriate to define at the Enterprise level. Response To Audit Processing Failures AU-5 AU-5.4 Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
CCI-001575 The organization defines the system or system component for storing audit records that is a different system or system component than the system or component being audited. The organization conducting the inspection/assessment obtains and examines the information system or media documentation addressing the storage of backups of information system audit records; information system audit records; and any other relevant documents or records. The purpose of the reviews is to ensure the organization has defined and documented a system or storage media different from the system or media being audited. The organization being inspected/assessed defines and documents a system or storage media that will be used to store information system audit data different and separate from the system or media generating the audit data. Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components AU-9 (2) AU-9(2).3 This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
CCI-000162 The information system protects audit information from unauthorized access. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized access to audit information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 162. The organization being inspected/assessed configures the information system to disallow unauthorized access to audit information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 162. Protection Of Audit Information AU-9 AU-9.1 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-000163 The information system protects audit information from unauthorized modification. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized modification of audit information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 163. The organization being inspected/assessed configures the information system to disallow unauthorized modification of audit information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 163. Protection Of Audit Information AU-9 AU-9.2 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-000164 The information system protects audit information from unauthorized deletion. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized deletion of audit information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 164. The organization being inspected/assessed configures the information system to disallow unauthorized deletion of audit information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 164. Protection Of Audit Information AU-9 AU-9.3 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-000165 The information system writes audit records to hardware-enforced, write-once media. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to write audit records to hardware-enforced, write-once media. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 165. The organization being inspected/assessed configures the information system to write audit records to hardware-enforced, write-once media. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 165. Protection Of Audit Information | Hardware Write-Once Media AU-9 (1) AU-9(1).1 This control enhancement applies to the initial generation of audit trails (i.e., the collection of audit records that represents the audit information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. The enhancement does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes, for example, Compact Disk-Recordable (CD-R) and Digital Video Disk-Recordable (DVD-R). In contrast, the use of switchable write-protection media such as on tape cartridges or Universal Serial Bus (USB) drives results in write-protected, but not write-once, media. Related controls: AU-4, AU-5. The information system writes audit trails to hardware-enforced, write-once media.
CCI-001348 The information system backs up audit records on an organization-defined frequency onto a different system or system component than the system or component being audited. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to back up audit records at least every seven days. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1348. DoD has defined the frequency as every seven days. The organization being inspected/assessed configures the information system to back up audit records at least every seven days. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1348. DoD has defined the frequency as every seven days. Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components AU-9 (2) AU-9(2).1 This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
CCI-001349 The organization defines a frequency for backing up system audit records onto a different system or system component than the system or component being audited. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every seven days. DoD has defined the frequency as every seven days. Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components AU-9 (2) AU-9(2).2 This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
CCI-001350 The information system implements cryptographic mechanisms to protect the integrity of audit information. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to implement cryptographic mechanisms to protect the integrity of audit information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1350. The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of audit information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1350. Protection Of Audit Information | Cryptographic Protection AU-9 (3) AU-9(3).1 Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Related controls: AU-10, SC-12, SC-13. The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
CCI-001351 The organization authorizes access to management of audit functionality to only an organization-defined subset of privileged users. The organization conducting the inspection/assessment obtains and examines the documentation of access authorizations for the management of audit functionality to ensure only the subset of privileged users defined in AU-9 (4), CCI 1894 have been granted access authorization. The organization being inspected/assessed authorizes access to the management of audit functionality to only the subset of privileged users defined in AU-9 (4), CCI 1894. Protection Of Audit Information | Access By Subset Of Privileged Users AU-9 (4) AU-9(4).2 Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Related control: AC-5. The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].
CCI-001352 The organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
CCI-001493 The information system protects audit tools from unauthorized access. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized access to audit tools. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1493. The organization being inspected/assessed configures the information system to disallow unauthorized access to audit tools. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1493. Protection Of Audit Information AU-9 AU-9.4 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-001494 The information system protects audit tools from unauthorized modification. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized modification of audit tools. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1494. The organization being inspected/assessed configures the information system to disallow unauthorized modification of audit tools. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1494. Protection Of Audit Information AU-9 AU-9.5 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-001495 The information system protects audit tools from unauthorized deletion. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to disallow unauthorized deletion of audit tools. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1495. The organization being inspected/assessed configures the information system to disallow unauthorized deletion of audit tools. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1495. Protection Of Audit Information AU-9 AU-9.6 Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
CCI-001496 The information system implements cryptographic mechanisms to protect the integrity of audit tools. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to implement cryptographic mechanisms to protect the integrity of audit tools. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1496. The organization being inspected/assessed configures the information system to implement cryptographic mechanisms to protect the integrity of audit tools. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1496. Protection Of Audit Information | Cryptographic Protection AU-9 (3) AU-9(3).2 Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Related controls: AU-10, SC-12, SC-13. The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
CCI-001576 The information system produces a system-wide (logical or physical) audit trail of information system audit records.
CCI-001577 The organization defines the information system components from which audit records are to be compiled into the system-wide audit trail. The organization conducting the inspection/assessment obtains and examines the system-wide audit trail documentation to ensure the organization being inspected/assessed maintains a current list of information system components. DoD has determined the information system components are not appropriate to define at the Enterprise level. The organization being inspected/assessed will define and document the information system components from which audit records are to be compiled into the system-wide audit trail. The organization will periodically update this list to ensure it is current. DoD has determined the information system components are not appropriate to define at the Enterprise level. Audit Generation | System-Wide / Time-Correlated Audit Trail AU-12 (1) AU-12(1).3 Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12. The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].
CCI-000169 The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. The organization conducting the inspection/assessment examines the information system to ensure that all information system and network components provide audit record generation capability for the auditable events defined in AU-2 a. DoD has defined the information system components as all information system and network components. The organization being inspected/assessed acquires or designs all information system and network components that provide audit record generation capability for the auditable events defined in AU-2 a. DoD has defined the information system components as all information system and network components. Audit Generation AU-12 AU-12.1 Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3.
CCI-000171 The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. The organization conducting the inspection/assessment examines a sampling of information system components and confirms that the individuals capable of selecting auditable events are the ISSM or individuals appointed by the ISSM. DoD has defined the personnel or roles as the ISSM or individuals appointed by the ISSM. The organization being inspected/assessed configures the information system to ensure that only the ISSM or individuals appointed by the ISSM select which auditable events are to be audited by specific components of the information system. DoD has defined the personnel or roles as the ISSM or individuals appointed by the ISSM. Audit Generation AU-12 AU-12.3 Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3.
CCI-000172 The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. The organization conducting the inspection/assessment examines the information system to ensure that the system generates audit records for the events defined in AU-2 d with the content defined in AU-3. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 172. The organization being inspected/assessed configures the information system to generate audit records for the events defined in AU-2 d with the content defined in AU-3. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 172. Audit Generation AU-12 AU-12.5 Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3.
CCI-000173 The organization defines the level of tolerance for relationship between time stamps of individual records in the audit trail that will be used for correlation. The organization conducting the inspection/assessment reviews the organization's audit and accountability policy and procedures addressing audit record generation and retention; information system audit configuration settings and associated documentation; information system audit records; and any other relevant documents or records. The objective is to validate the organization has defined and documented its level of tolerance for variation in the time stamps applied to the audit data generated by the organization's information systems. DoD has determined that the level of tolerance is not appropriate to define at the Enterprise level. The organization being inspected/assessed will define and document their level of tolerance for variation in the time stamps applied to the audit data generated by the organization's information systems. DoD has determined that the level of tolerance is not appropriate to define at the Enterprise level. Audit Generation | System-Wide / Time-Correlated Audit Trail AU-12 (1) AU-12(1).1 Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12. The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].
CCI-000174 The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail. The organization conducting the inspection/assessment examines the information system to ensure the information system is configured to compile audit records from information system components defined in AU-12 (1), CCI 1577 into a system-wide (logical or physical) audit trail that is time-correlated to within the level of tolerance defined in AU-12 (1), CCI-000173 for relationship between time stamps of individual records in the audit trail. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 174. The organization being inspected/assessed configures the information system to compile audit records from information system components defined in AU-12 (1), CCI 1577 into a system-wide (logical or physical) audit trail that is time-correlated to within the level of tolerance defined in AU-12 (1), CCI-000173 for relationship between time stamps of individual records in the audit trail. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 174. Audit Generation | System-Wide / Time-Correlated Audit Trail AU-12 (1) AU-12(1).2 Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12. The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].
CCI-001459 The organization defines information system components that provide audit record generation capability. DoD has defined the information system components as all information system and network components. DoD has defined the information system components as all information system and network components. Audit Generation AU-12 AU-12.2 Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3.
CCI-001353 The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. The organization conducting the inspection/assessment examines the information system to ensure the information system is configured to produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1353. The organization being inspected/assessed configures the information system to produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1353. Audit Generation | Standardized Formats AU-12 (2) AU-12(2).1 Audit information that is normalized to common standards promotes interoperability and exchange of such information between dissimilar devices and information systems. This facilitates production of event information that can be more readily analyzed and correlated. Standard formats for audit records include, for example, system log records and audit records compliant with Common Event Expressions (CEE). If logging mechanisms within information systems do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails. The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
CCI-001578 The organization defines the frequency to review and update the current security assessment and authorization procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Security Assessment And Authorization Policy And Procedures CA-1 CA-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CCI-000238 The organization defines the frequency to review and update the current security assessment and authorization policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 5 years. DoD has defined the frequency as every 5 years. Security Assessment And Authorization Policy And Procedures CA-1 CA-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CCI-000239 The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. Security Assessment And Authorization Policy And Procedures CA-1 CA-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CCI-000240 The organization disseminates to organization-defined personnel or roles a security assessment and authorization policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. DoD disseminates DoDI 8510.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/ins1.html Security Assessment And Authorization Policy And Procedures CA-1 CA-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CCI-000241 The organization reviews and updates the current security assessment and authorization policy in accordance with organization-defined frequency. DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. DoDI 8510.01 meets the DoD requirement for security assessment authorization policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. Security Assessment And Authorization Policy And Procedures CA-1 CA-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CCI-000242 The organization develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. The organization conducting the inspection/assessment obtains and examines the procedures to ensure the organization being inspected/assessed develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls IAW DoDI 8510.01. The organization being inspected/assessed develops and documents, IAW DoDI 8510.01, procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. Security Assessment And Authorization Policy And Procedures CA-1 CA-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CCI-000243 The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. The organization conducting the inspection/assessment obtains and examines the AUP (Acceptable Use Policy), appointment orders, or written policy requiring that all personnel register at the DTIC website to receive update notifications. DoD has defined the personnel or roles as all personnel. The organization being inspected/assessed will require all personnel to register at the DTIC website to receive update notifications to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. DoD has defined the personnel or roles as all personnel. Security Assessment And Authorization Policy And Procedures CA-1 CA-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CCI-000244 The organization reviews and updates the current security assessment and authorization procedures in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of review and update activity to ensure the organization being inspected/assessed reviews and updates, IAW DoDI 8510.01, the current security assessment and authorization procedures annually. The organization being inspected/assessed reviews and updates, IAW DoDI 8510.01, the current security assessment and authorization procedures annually. The organization must maintain an audit trail of review and update activity. DoD has defined the frequency as annually. Security Assessment And Authorization Policy And Procedures CA-1 CA-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CCI-001579 The organization conducts security control assessments using organization-defined forms of testing in accordance with organization-defined frequency and assessment techniques.
CCI-000245 The organization develops a security assessment plan for the information system and its environment of operation. The organization conducting the inspection/assessment obtains and examines the Security Plan to validate *security assessment blocks* are complete. The organization being inspected/assessed will document these security assessment plan requirements as part of the DoD approved Security Plan. Security plan templates are provided through eMASS and the Knowledge Service. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.1 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. 
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. 
Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000246 The organization's security assessment plan describes the security controls and control enhancements under assessment. The organization conducting the inspection/assessment obtains the security assessment plan to verify the plan identifies the security controls and those control enhancements under assessment. The organization being inspected/assessed will ensure the Security Plan identifies the security controls and control enhancements under assessment. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.2 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. 
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. 
Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000247 The organization's security assessment plan describes assessment procedures to be used to determine security control effectiveness. DoD components are automatically compliant with this CCI if using the implementation guidance and validation procedures on the Knowledge Service. If the organization being inspected/assessed is using alternative implementation guidance and validation procedures, the organization conducting the inspection/assessment will obtain and examine those procedures. The implementation guidance and validation procedures posted on the Knowledge Service constitute the assessment procedures for DoD. If organizations being inspected/assessed use assessment procedures other than those posted on the Knowledge Service, those procedures must be documented. *Comment* The items required within this CCI are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.3 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans.
Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. 
Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000248 The organization's security assessment plan describes assessment environment. The organization conducting the inspection/assessment obtains and examines the organization's authorization boundary. Authorization boundary can be described via one or more of the following: network diagrams, data flow diagrams, system design documents, or a list of information system components. The organization being inspected/assessed will provide a description of the authorization boundary in their Security Plan. Authorization boundary can be described via one or more of the following: network diagrams, data flow diagrams, system design documents, or a list of information system components. Authorization boundary as defined in CNSSI 4009. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.4 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. 
Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. 
Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000249 The organization's security assessment plan describes the assessment team.
CCI-000250 The organization's security assessment plan describes assessment roles and responsibilities.
CCI-000251 The organization assesses, on an organization-defined frequency, the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements. See CA-2 c "The organization conducting the inspection/assessment obtains and examines the security assessment report to verify that it includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls." In accordance with DoD's published guidance, the organization being inspected/assessed will utilize the implementation guidance and validation procedures published on the Knowledge Service to evaluate the implementation status of the applicable controls. DoD has defined the frequency as annually for technical controls, annually for a portion of management and operational controls, such that all are reviewed in a 3 year period, except for those requiring more frequent review as defined in other site or overarching policy. (NOTE: Technical, Management and Operational are IAW NIST SP 800-53 Table 1-1). *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.6 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities.
Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. 
Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000252 The organization defines the frequency on which the security controls in the information system and its environment of operation are assessed. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually for technical controls, annually for a portion of management and operational controls such that all are reviewed in a 3 year period except for those requiring more frequent review as defined in other site or overarching policy. NOTE: Technical, Management and Operational are IAW NIST SP 800-53 Table 1-1. DoD has defined the frequency as annually for technical controls, annually for a portion of management and operational controls such that all are reviewed in a 3 year period except for those requiring more frequent review as defined in other site or overarching policy. NOTE: Technical, Management and Operational are IAW NIST SP 800-53 Table 1-1. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.7 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures.
Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. 
Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000253 The organization produces a security assessment report that documents the results of the assessment against the information system and its environment of operation. The organization conducting the inspection/assessment obtains and examines the SAR to verify that it includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls. The organization being inspected/assessed will develop a SAR that includes the compliance/non-compliance status of all controls and specific deficiencies for all non-compliant controls using the template available on the Knowledge Service. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.8 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. 
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. 
Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000254 The organization provides the results of the security control assessment against the information system and its environment of operation to organization-defined individuals or roles. The organization conducting the inspection/assessment interviews at a minimum, the ISSO and ISSM to ensure the SAR has been received. DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM. The organization being inspected/assessed will provide the SAR to at a minimum, the ISSO and ISSM. DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM. *Comment* The items required within this control are being split into the security plan and security assessment report to eliminate creation of an additional artifact. Security Assessments CA-2 CA-2.9 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. 
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. 
Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-000255 The organization employs assessors or assessment teams with an organization-defined level of independence to conduct security control assessments of organizational information systems. The organization conducting the inspection/assessment obtains and examines the level of independence defined in CA-2 (1), CCI 2064 to ensure that they, as the assessor, meet the required level of independence. The organization being inspected/assessed will employ assessors and assessor teams with the level of independence defined in CA-2 (1), CCI 2064 to conduct security control assessments of organizational information systems. Security Assessments | Independent Assessors CA-2 (1) CA-2(1).1 Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. 
Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments. The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.
CCI-000256 The organization includes, as part of security control assessments announced or unannounced, one or more of the following: in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; and organization-defined other forms of security assessment on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the test and exercise plan documented in the security assessment plan as well as the results of one or more of the latest security assessments to ensure the organization being inspected/assessed is conducting the assessments required in their security assessment plan annually. DoD has defined the frequency as annually. The organization being assessed/inspected must document how they will annually conduct tests and exercises of the implemented security controls in their security assessment plan. The tests and exercises may consist of activities such as in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; or other forms of security assessment defined in CA-2 (2), CCI 1582. Vulnerability scans are not the same as penetration testing. DoD has defined the frequency as annually. Security Assessments | Specialized Assessments CA-2 (2) CA-2(2).1 Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. 
Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. The organization includes as part of security control assessments, [Assignment: organization- defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
CCI-001580 The organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary).
CCI-000257 The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements. The organization conducting the inspection/assessment obtains and examines documentation of the Interconnection Security Agreements to include appropriate signatures. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. The organization being inspected/assessed will develop and certify, by appropriate signatures (e.g. AO, network managers), Interconnection Security Agreements (e.g., MOU, MOA, SLA) authorizing the connection of its information systems to other information systems. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. System Interconnections CA-3 CA-3.1 This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. 
Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CCI-000258 The organization documents, for each interconnection, the interface characteristics. The organization conducting the inspection/assessment obtains and examines interconnection security agreement documentation. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. The organization being inspected/assessed will document the interface characteristics for each interconnection. Use of external reporting databases for these characteristics when tied to the specific interconnection is acceptable (e.g., ports, protocols, and services). Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. System Interconnections CA-3 CA-3.2 This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. 
If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CCI-000259 The organization documents, for each interconnection, the security requirements. The organization conducting the inspection/assessment obtains and examines interconnection security agreement documentation, specifically looking at any additional security controls identified for implementation. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. The organization being inspected/assessed will, for each interconnection, identify and document any additional security controls to be implemented to protect the confidentiality, integrity, and availability of the connected systems and the data passing between them. Controls should be appropriate for the systems to be connected and the environment in which the interconnection will operate. Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. System Interconnections CA-3 CA-3.3 This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. 
If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CCI-000260 The organization documents, for each interconnection, the nature of the information communicated. The organization conducting the inspection/assessment obtains and examines the interconnection security agreement documentation, specifically to identify the type of information being transferred/transmitted. Characteristics will include but are not limited to: classification, information type (e.g. PII, HIPAA, FOUO, financial data, etc.) Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. The organization being inspected/assessed will document in the interconnection security agreement the type of information being transferred/transmitted. Characteristics will include but are not limited to: classification, information type (e.g. PII, HIPAA, FOUO, financial data, etc.) Policy Note: Interconnection security agreements are required for systems connecting between enclaves that require the hosting enclave to enable PPS outside of their already established and approved business practices. Connections can include both DoD enclaves or non DoD enclaves. System Interconnections CA-3 CA-3.4 This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. 
If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CCI-000261 The organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.
CCI-000262 The organization prohibits the direct connection of an organization-defined unclassified, national security system to an external network without the use of an organization-defined boundary protection device. The organization conducting the inspection/assessment obtains and examines the policy document prohibiting direct connection of all unclassified NSS to external networks without the use of a boundary protection device defined in CA-3 (1), CCI 262. DoD has defined the unclassified, national security systems as all unclassified NSS. The organization being inspected/assessed documents, in its policy and procedures addressing information system connections, that the organization will prohibit all unclassified NSS from having a direct connection to an external network without the use of a boundary protection device defined in CA-3 (1), CCI 262. DoD has defined the unclassified, national security systems as all unclassified NSS. System Interconnections | Unclassified National Security System Connections CA-3 (1) CA-3(1).1 Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
CCI-000263 The organization prohibits the direct connection of a classified, national security system to an external network without the use of an organization-defined boundary protection device. The organization conducting the inspection/assessment obtains and examines network topology diagrams and examines the information system to ensure the organization being inspected/assessed does not connect any classified national security systems to an external network without the use of the protection devices defined in CA-3 (2), CCI 2074. The organization being inspected/assessed does not connect any classified national security systems to an external network without the use of the protection devices defined in CA-3 (2), CCI 2074. System Interconnections | Classified National Security System Connections CA-3 (2) CA-3(2).1 Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface/cross-domain systems) provide information flow enforcement from information systems to external networks. The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
CCI-001581 The organization defines personnel or roles to whom the security status of the organization and the information system should be reported. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.11 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of the organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-001582 The organization defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; and performance/load testing that should be included as part of security control assessments. The organization conducting the inspection/assessment obtains and examines the documented other forms of security assessments to ensure the organization being inspected/assessed defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level. Security Assessments | Specialized Assessments CA-2 (2) CA-2(2).2 Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
CCI-001583 The organization selects announced or unannounced assessments for each form of security control assessment. The organization conducting the inspection/assessment obtains and examines the documented list of security control assessment techniques defined in CA-2 (2), CCI 2064 and verifies that the security assessment plan defines whether the assessment is announced or unannounced. The organization being inspected/assessed selects and documents whether announced or unannounced assessments are required for each form of security control assessment that was selected as part of CA-2 (2), CCI 2064. DoD has determined the announced or unannounced nature of the assessments is not appropriate to define at the Enterprise level. Security Assessments | Specialized Assessments CA-2 (2) CA-2(2).3 Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
CCI-000274 The organization develops a continuous monitoring strategy. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.1 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-000275 The organization implements a continuous monitoring program that includes a configuration management process for the information system.
CCI-000276 The organization implements a continuous monitoring program that includes a configuration management process for the information system constituent components.
CCI-000277 The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the information system.
CCI-000278 The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the environment of operation.
CCI-000279 The organization implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.5 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-000280 The organization implements a continuous monitoring program that includes reporting the security status of the organization and the information system to organization-defined personnel or roles on an organization-defined frequency. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.9 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-000281 The organization defines the frequency with which to report the security status of the organization and the information system to organization-defined personnel or roles. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.10 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-000282 The organization employs assessors or assessment teams with an organization-defined level of independence to monitor the security controls in the information system on an ongoing basis. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring | Independent Assessment CA-7 (1) CA-7(1).1 Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services. The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
CCI-000283 The organization plans announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.
CCI-000284 The organization schedules announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.
CCI-000285 The organization conducts announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.
CCI-001681 The organization defines the frequency at which each form of security control assessment should be conducted.
CCI-001584 The organization defines the frequency with which to review and update configuration management procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Configuration Management Policy And Procedures CM-1 CM-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-000286 The organization defines a frequency with which to review and update the configuration management policies. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Configuration Management Policy And Procedures CM-1 CM-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-000287 The organization develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization conducting the inspection/assessment obtains and examines the configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization being inspected/assessed develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Configuration Management Policy And Procedures CM-1 CM-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-000288 The organization disseminates formal, documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities.
CCI-000289 The organization reviews and updates, on an organization-defined frequency, the configuration management policy. The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the configuration management policy to ensure annual review and necessary updates are occurring. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates, annually, the configuration management policy. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the frequency as annually. Configuration Management Policy And Procedures CM-1 CM-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-000290 The organization develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization conducting the inspection/assessment obtains and examines the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization being inspected/assessed develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. Configuration Management Policy And Procedures CM-1 CM-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-000291 The organization disseminates formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CCI-000292 The organization reviews and updates, on an organization-defined frequency, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls to ensure annual review and necessary updates are occurring. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates, annually, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the frequency as annually. Configuration Management Policy And Procedures CM-1 CM-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-001585 The organization defines the circumstances that require reviews and updates to the baseline configuration of the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/directives or cyber attacks. DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/directives or cyber attacks. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).4 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment: organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-000293 The organization develops a current baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines the documented baseline configuration. The organization being inspected/assessed develops and documents a current baseline configuration of the information system. Baseline Configuration CM-2 CM-2.1 This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CCI-000294 The organization documents a baseline configuration of the information system.
CCI-000295 The organization maintains, under configuration control, a current baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines the current baseline to ensure the current configuration matches the current documented baseline. The organization being inspected/assessed maintains a current baseline configuration of the information system. Baseline Configuration CM-2 CM-2.2 This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7. The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CCI-000296 The organization reviews and updates the baseline configuration of the information system at an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration to ensure annual review and necessary updates are occurring. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates the baseline configuration of the information system annually. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the frequency as annually. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).1 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment: organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-000297 The organization reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances. The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration of the information system when required due to baseline configuration changes or as events dictate, such as changes due to USCYBERCOM tactical orders/directives or cyber attacks, to ensure review and necessary updates are occurring. DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/directives or cyber attacks. The organization being inspected/assessed reviews and updates the baseline configuration of the information system when required due to baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/directives or cyber attacks. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the circumstances as baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/directives or cyber attacks. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).3 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment: organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-000298 The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations. The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration of the information system as an integral part of information system component installations to ensure review and necessary updates are occurring. The organization being inspected/assessed reviews and updates the baseline configuration of the information system as an integral part of information system component installations. The organization must document each occurrence of the reviews and update actions as an audit trail. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).5 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment: organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-000299 The organization reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades. The organization conducting the inspection/assessment obtains and examines documentation of organizational reviews and update actions for the baseline configuration of the information system as an integral part of information system component upgrades to ensure review and necessary updates are occurring. The organization being inspected/assessed reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades. The organization must document each occurrence of the reviews and update actions as an audit trail. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).6 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment: organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-000300 The organization employs automated mechanisms to maintain a complete baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain complete baseline configuration of the information system. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain complete baseline configuration of the information system. Baseline Configuration | Automation Support For Accuracy / Currency CM-2 (2) CM-2(2).1 Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CCI-000301 The organization employs automated mechanisms to maintain an up-to-date baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain an up-to-date baseline configuration of the information system. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain an up-to-date baseline configuration of the information system. Baseline Configuration | Automation Support For Accuracy / Currency CM-2 (2) CM-2(2).2 Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CCI-000302 The organization employs automated mechanisms to maintain an accurate baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain accurate baseline configuration of the information system. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain accurate baseline configuration of the information system. Baseline Configuration | Automation Support For Accuracy / Currency CM-2 (2) CM-2(2).3 Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CCI-000303 The organization employs automated mechanisms to maintain a readily available baseline configuration of the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to maintain readily available baseline configuration of the information system. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents, and implements automated mechanisms used to maintain readily available baseline configuration of the information system. Baseline Configuration | Automation Support For Accuracy / Currency CM-2 (2) CM-2(2).4 Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5. The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CCI-000304 The organization retains organization-defined previous versions of baseline configurations of the information system to support rollback. The organization conducting the inspection/assessment obtains and examines the documentation of the previous version of the baseline configuration to determine if all IS components necessary for rollback are retained. DoD has defined the previous versions as the previous approved baseline configuration of IS components for a minimum of 3 months. The organization being inspected/assessed retains the previous approved baseline configuration of IS components for a minimum of 3 months and documents baseline configuration to support rollback. The goal is to verify that the IS can roll back components to previous versions. DoD has defined the previous versions as the previous approved baseline configuration of IS components for a minimum of 3 months. Baseline Configuration | Retention Of Previous Configurations CM-2 (3) CM-2(3).1 Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records. The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
CCI-000305 The organization develops a list of software programs not authorized to execute on the information system.
CCI-000306 The organization maintains the list of software programs not authorized to execute on the information system.
CCI-000307 The organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.
CCI-000308 The organization develops the list of software programs authorized to execute on the information system.
CCI-000309 The organization maintains the list of software programs authorized to execute on the information system.
CCI-000310 The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.
CCI-000311 The organization maintains a baseline configuration for information system development environments that is managed separately from the operational baseline configuration. The organization conducting the inspection/assessment obtains and examines development environment baseline configuration documentation and ensures the organization is maintaining and managing a baseline configuration for the development environment separate from the operational baseline configuration. The organization being inspected/assessed establishes and maintains a development environment baseline configuration managed separately from the operational baseline configuration. Baseline Configuration | Development And Test Environments CM-2 (6) CM-2(6).1 Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments. Related controls: CM-4, SC-3, SC-7. The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CCI-000312 The organization maintains a baseline configuration for information system test environments that is managed separately from the operational baseline configuration. The organization conducting the inspection/assessment obtains and examines test environment baseline configuration documentation and ensures the organization is maintaining and managing a baseline configuration for the test environment separate from the operational baseline configuration. The organization being inspected/assessed establishes and maintains a test environment baseline configuration managed separately from the operational baseline configuration. Baseline Configuration | Development And Test Environments CM-2 (6) CM-2(6).2 Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments. Related controls: CM-4, SC-3, SC-7. The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CCI-001497 The organization defines a frequency for the reviews and updates to the baseline configuration of the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Baseline Configuration | Reviews And Updates CM-2 (1) CM-2(1).2 Related control: CM-5. The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment: organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
CCI-001586 The organization defines the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the configuration change control element as a configuration control board (CCB). DoD has defined the configuration change control element as a configuration control board (CCB). Configuration Change Control CM-3 CM-3.12 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000313 The organization determines the types of changes to the information system that are configuration-controlled. The organization conducting the inspection/assessment obtains and examines the configuration management policy and plan to ensure the organization identifies the types of changes to the information system that are configuration-controlled. The organization being inspected/assessed determines the types of changes to the information system that are to be configuration-controlled. This action will be implemented by the CCB as defined in CM-3, CCI 1586. Configuration Change Control CM-3 CM-3.1 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000314 The organization approves or disapproves configuration-controlled changes to the information system, with explicit consideration for security impact analysis. The organization conducting the inspection/assessment obtains and examines the audit trail of the approval/disapproval of configuration-controlled changes to ensure a security impact analysis was conducted. The organization being inspected/assessed approves or disapproves configuration-controlled changes to the information system with explicit consideration for security impact analysis. The organization must maintain an audit trail of approval/disapproval of configuration-controlled changes. This action will be implemented by the CCB as defined in CM-3, CCI 1586. Configuration Change Control CM-3 CM-3.2 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000315 The organization documents approved configuration-controlled changes to the system.
CCI-000316 The organization retains records of configuration-controlled changes to the information system for an organization-defined time period. The organization conducting the inspection/assessment obtains and examines the records of all configuration-controlled changes to the information system to ensure the organization being inspected/assessed retains the records of all configuration-controlled changes for a time period defined by the organization's CCB. DoD has defined the time period as a time period defined by the organization's CCB. The organization being inspected/assessed retains records of all configuration-controlled changes to the information system, as a result of CM-3, CCI 1819, for a time period defined by the organization's CCB. DoD has defined the time period as a time period defined by the organization's CCB. Configuration Change Control CM-3 CM-3.6 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000317 The organization reviews records of configuration-controlled changes to the system.
CCI-000318 The organization audits and reviews activities associated with configuration-controlled changes to the system. The organization conducting the inspection/assessment obtains and examines the audit trail documenting the review activities associated with configuration-controlled changes to the information system to ensure the organization being inspected/assessed audits and reviews activities associated with the changes. The organization being inspected/assessed audits and reviews activities associated with configuration-controlled changes to the information system. The organization must maintain an audit trail to include review activities associated with configuration-controlled changes. Configuration Change Control CM-3 CM-3.8 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000319 The organization coordinates and provides oversight for configuration change control activities through an organization-defined configuration change control element (e.g., committee, board) that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions. The organization conducting the inspection/assessment obtains and examines the organization's configuration management policy and plan; document/charter establishing the organization's CCB; meeting minutes; information system change control records; and any other relevant documents or records. The objective of the review is to validate the organization is coordinating and overseeing the configuration change control activities through a CCB. The organization being inspected/assessed coordinates and provides oversight for configuration change control activities through a configuration control board (CCB) that convenes at a frequency determined by the CCB and/or for any configuration change conditions determined by the CCB. DoD has defined the configuration change control element as a configuration control board. DoD has defined the frequency as at a frequency determined by the CCB. DoD has defined the configuration change conditions as configuration change conditions determined by the CCB. Configuration Change Control CM-3 CM-3.9 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000320 The organization defines the frequency with which to convene the configuration change control element. The organization conducting the inspection/assessment obtains and examines the CCB Charter to ensure the frequency for configuration change control review is defined. DoD has defined the frequency as at a frequency determined by the CCB. The organization being inspected/assessed defines within its CCB Charter the frequency for configuration change control review. DoD has defined the frequency as at a frequency determined by the CCB. Configuration Change Control CM-3 CM-3.10 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000321 The organization defines configuration change conditions that prompt the configuration change control element to convene. The organization conducting the inspection/assessment obtains and examines the CCB Charter to ensure the configuration change conditions that prompt the configuration change control element to convene are defined. DoD has defined the configuration change conditions as configuration change conditions determined by the CCB. The organization being inspected/assessed defines within its CCB Charter the configuration change conditions that prompt the configuration change control element to convene. DoD has defined the configuration change conditions as configuration change conditions determined by the CCB. Configuration Change Control CM-3 CM-3.11 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-000322 The organization employs automated mechanisms to document proposed changes to the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system documents proposed changes. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to document proposed changes to the information system. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).1 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-000323 The organization employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system notifies designated approval authorities of proposed changes to the information system and requests change approval. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to notify designated approval authorities of proposed changes to the information system and request change approval. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).2 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-000324 The organization employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by an organization-defined time period. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system highlights proposed changes to the information system that have not been approved or disapproved by 7 days. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. DoD has defined the time period as 7 days. The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to highlight proposed changes to the information system that have not been approved or disapproved by 7 days. DoD has defined the time period as 7 days. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).4 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-000325 The organization employs automated mechanisms to prohibit changes to the information system until designated approvals are received. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system prohibits changes. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs the automated mechanisms to prohibit changes to the information system until designated approvals are received. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).6 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-000326 The organization employs automated mechanisms to document all changes to the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system documents all changes. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs the automated mechanisms (e.g., Remedy, ticketing mechanism, etc.) to document all changes to the information system. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).7 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-000327 The organization tests changes to the information system before implementing the changes on the operational system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of testing activity to ensure the organization being inspected/assessed tests changes to the information system before implementing the changes on the operational system. The organization being inspected/assessed documents and implements a process to test changes to the information system before implementing the changes on the operational system. The organization must maintain an audit trail of testing activity. Configuration Change Control | Test / Validate / Document Changes CM-3 (2) CM-3(2).1 Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CCI-000328 The organization validates changes to the information system before implementing the changes on the operational system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of validation activity to ensure the organization being inspected/assessed validates changes to the information system before implementing the changes on the operational system. The organization being inspected/assessed documents and implements a process to validate changes to the information system before implementing the changes on the operational system. The organization must maintain an audit trail of validation activity. Configuration Change Control | Test / Validate / Document Changes CM-3 (2) CM-3(2).2 Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CCI-000329 The organization documents changes to the information system before implementing the changes on the operational system. The organization conducting the inspection/assessment obtains and examines the documented process as well as documentation of changes to the information system to ensure the organization has established, published, and is complying with the requirement to document all changes to be made to its operational information system(s) prior to their implementation. The organization being inspected/assessed documents and implements a process to document changes to the information system before implementing the changes on the operational system. Configuration Change Control | Test / Validate / Document Changes CM-3 (2) CM-3(2).3 Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems). The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CCI-000330 The organization employs automated mechanisms to implement changes to the current information system baseline. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system implements changes to the current information system baseline. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs the automated mechanisms (e.g., software deployment tools) to implement changes to the current information system baseline. Configuration Change Control | Automated Change Implementation CM-3 (3) CM-3(3).1 The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
CCI-000331 The organization deploys the updated information system baseline across the installed base. The organization conducting the inspection/assessment obtains and examines the documented deployment procedures and a sampling of the audit trail of automated baseline deployments to ensure the organization being inspected/assessed is deploying the updated information system baseline across the installed base. The organization being inspected/assessed documents and employs procedures for deploying the updated information system baseline across the installed base. The information system must maintain an audit trail of automated baseline deployments. Configuration Change Control | Automated Change Implementation CM-3 (3) CM-3(3).2 The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
CCI-000332 The organization requires an information security representative to be a member of the organization-defined configuration change control element. The organization conducting the inspection/assessment obtains and examines the membership list of the organization's configuration control board to ensure an information security representative is a member of the organization's configuration control board. The organization being inspected/assessed requires an information security representative to be a member of the configuration control board. DoD has defined the configuration change control element as the configuration control board. Configuration Change Control | Security Representative CM-3 (4) CM-3(4).1 Information security representatives can include, for example, senior agency information security officers, information system security officers, or information system security managers. Representation by personnel with information security expertise is important because changes to information system configurations can have unintended side effects, some of which may be security-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security state of organizational information systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3. The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].
CCI-001498 The organization defines a time period after which proposed changes to the information system that have not been approved or disapproved are highlighted. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 7 days. DoD has defined the time period as 7 days. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).5 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-001587 The organization, when analyzing new software in a separate test environment, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CCI-000333 The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. The organization conducting the inspection/assessment obtains and examines the records of analyses to ensure the organization is conducting a security impact analysis of changes to the information system(s) prior to their implementation. The organization being inspected/assessed analyzes changes to the information system to determine potential security impacts prior to change implementation. The organization must maintain records of analysis of changes to the information system. Security Impact Analysis CM-4 CM-4.1 Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2. The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
CCI-000334 The organization analyzes new software in a separate test environment before installation in an operational environment.
CCI-000335 The organization, after the information system is changed, checks the security functions to verify the functions are implemented correctly. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the verification of security functions to ensure the organization being inspected/assessed verifies in an operational environment, following changes to the information system, that the security functions are implemented correctly. The organization being inspected/assessed documents and implements a process to verify in an operational environment, following changes to the information system, that the security functions are implemented correctly. The organization must maintain an audit trail of the verification of security functions. Security Impact Analysis | Verification Of Security Functions CM-4 (2) CM-4(2).1 Implementation in this context refers to installing changed code in the operational information system. Related control: SA-11. The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CCI-000336 The organization, after the information system is changed, checks the security functions to verify the functions are operating as intended. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the verification of security functions to ensure the organization being inspected/assessed verifies in an operational environment, following changes to the information system, that the security functions are operating as intended. The organization being inspected/assessed documents and implements a process to verify in an operational environment, following changes to the information system, that the security functions are operating as intended. The organization must maintain an audit trail of the verification of security functions. Security Impact Analysis | Verification Of Security Functions CM-4 (2) CM-4(2).2 Implementation in this context refers to installing changed code in the operational information system. Related control: SA-11. The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CCI-000337 The organization, after the information system is changed, checks the security functions to verify the functions are producing the desired outcome with regard to meeting the security requirements for the system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the verification of security functions to ensure the organization being inspected/assessed verifies in an operational environment, following changes to the information system, that the security functions are producing the desired outcome with regard to meeting the security requirements for the system. The organization being inspected/assessed documents and implements a process to verify in an operational environment, following changes to the information system, that the security functions are producing the desired outcome with regard to meeting the security requirements for the system. The organization must maintain an audit trail of the verification of security functions. Security Impact Analysis | Verification Of Security Functions CM-4 (2) CM-4(2).3 Implementation in this context refers to installing changed code in the operational information system. Related control: SA-11. The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CCI-001588 The organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements. DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for ensuring security configuration checklists reflect the most restrictive mode consistent with operational requirements. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for ensuring security configuration checklists reflect the most restrictive mode consistent with operational requirements. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). Configuration Settings CM-6 CM-6.4 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-001589 The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure they are tracked.
CCI-000363 The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed. DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented the configuration guidance which applies to their information system components. The organization conducting the inspection/assessment reviews the list of documented guidance to ensure that all applicable guidance is identified given the information system components within the authorization boundary. DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). The organization being inspected/assessed documents in the security plan the configuration guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) which applies to their information system components. Configuration Settings CM-6 CM-6.1 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000364 The organization establishes configuration settings for information technology products employed within the information system using organization-defined security configuration checklists. DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for establishing configuration settings. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for establishing configuration settings. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). Configuration Settings CM-6 CM-6.2 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000365 The organization documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements. DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for documenting configuration settings. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.) meets the DoD requirement for documenting configuration settings. DoD Components are automatically compliant with this CCI because they are covered by the DoD level security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc.). Configuration Settings CM-6 CM-6.3 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000366 The organization implements the security configuration settings. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.). The organization conducting the inspection/assessment tests a sampling of information system components to ensure they comply with the required settings. DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.). The organization being inspected/assessed must develop and document a process for implementing DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.). DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc.). Configuration Settings CM-6 CM-6.5 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000367 The organization identifies any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented deviations from configuration settings for information system components. The organization being inspected/assessed documents in the security plan and POA&M, if applicable, the information system components (as defined in CM-6, CCI 1755) which deviate from configuration settings, and the settings from which they deviate (as defined in CM-6, CCI 1756). Configuration Settings CM-6 CM-6.6 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000368 The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented deviations from configuration settings for information system components. The organization being inspected/assessed documents in the security plan and POA&M, if applicable, all configurable information system components which deviate from configuration settings, and which settings as defined in CM-6, CCI 1756. DoD has defined the information system components as all configurable information system components. Configuration Settings CM-6 CM-6.7 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000369 The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements. The organization conducting the inspection/assessment obtains and examines the security plan and the audit trail of approved changes to ensure the deviations are approved IAW CM-3, CCI 314. The organization being inspected/assessed manages and approves changes to the security plan documenting deviations IAW CM-3, CCI 314. The organization must maintain an audit trail of approved changes to the security plan. Configuration Settings CM-6 CM-6.8 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-000370 The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed identifies automated mechanisms to centrally manage configuration settings. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents in the configuration management policy, and implements automated mechanisms to centrally manage configuration settings. Configuration Settings | Automated Central Management / Application / Verification CM-6 (1) CM-6(1).1 Related controls: CA-7, CM-4. The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
CCI-000371 The organization employs automated mechanisms to centrally apply configuration settings for organization-defined information system components. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed identifies automated mechanisms to centrally apply configuration settings. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents in the configuration management policy, and implements automated mechanisms to centrally apply configuration settings. Configuration Settings | Automated Central Management / Application / Verification CM-6 (1) CM-6(1).2 Related controls: CA-7, CM-4. The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
CCI-000372 The organization employs automated mechanisms to centrally verify configuration settings for organization-defined information system components. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed identifies automated mechanisms to centrally verify configuration settings. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed identifies, documents in the configuration management policy, and implements automated mechanisms to centrally verify configuration settings. Configuration Settings | Automated Central Management / Application / Verification CM-6 (1) CM-6(1).3 Related controls: CA-7, CM-4. The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
CCI-000373 The organization defines configuration settings for which unauthorized changes are responded to by automated mechanisms.
CCI-000374 The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.
CCI-000375 The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability.
CCI-000376 The organization ensures unauthorized, security-relevant configuration changes detected are monitored.
CCI-000377 The organization ensures unauthorized, security-relevant configuration changes detected are corrected.
CCI-000378 The organization ensures unauthorized, security-relevant configuration changes detected are available for historical purposes.
CCI-000379 The information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists) prior to being introduced into a production environment.
CCI-001502 The organization monitors changes to the configuration settings in accordance with organizational policies and procedures. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed monitors changes to the configuration settings in accordance with organizational policies and procedures. The organization being inspected/assessed develops and documents a process for monitoring changes to the configuration settings in accordance with organizational policies and procedures. Configuration Settings CM-6 CM-6.11 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-001503 The organization controls changes to the configuration settings in accordance with organizational policies and procedures. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed controls changes to the configuration settings in accordance with organizational policies and procedures. The organization being inspected/assessed develops and documents a process for controlling changes to the configuration settings in accordance with organizational policies and procedures. Configuration Settings CM-6 CM-6.12 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-001590 The organization develops a list of software programs authorized to execute on the information system.
CCI-001591 The organization develops a list of software programs not authorized to execute on the information system.
CCI-001592 The organization defines the rules authorizing the terms and conditions of software program usage on the information system. The organization conducting the inspection/assessment obtains and examines the rules as well as the software list to ensure that all network capable software programs are DoDI 8551 compliant and that the rules authorizing the use of all other programs are defined. DoD has determined that the rules authorizing the terms and conditions of software program usage on the information system are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents their rules for approval of software program usage. For network capable software programs, the organization being inspected/assessed complies with DoDI 8551. DoD has determined that the rules authorizing the terms and conditions of software program usage on the information system are not appropriate to define at the Enterprise level. Least Functionality | Prevent Program Execution CM-7 (2) CM-7(2).1 Related controls: CM-8, PM-5. The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
CCI-001593 The organization maintains a list of software programs authorized to execute on the information system.
CCI-001594 The organization maintains a list of software programs not authorized to execute on the information system.
CCI-001595 The organization maintains rules authorizing the terms and conditions of software program usage on the information system.
CCI-000380 The organization defines prohibited or restricted functions, ports, protocols, and/or services for the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. Least Functionality CM-7 CM-7.2 Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CCI-000381 The organization configures the information system to provide only essential capabilities. The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has identified essential capabilities. The organization conducting the inspection/assessment inspects the information system to ensure that it provides only those documented essential capabilities. The organization being inspected/assessed documents in the security plan, essential capabilities which the information system must provide. The organization being inspected/assessed configures the information system to provide only those documented essential capabilities. Least Functionality CM-7 CM-7.1 Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CCI-000382 The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed prohibits or restricts the use of functions, ports, protocols, and/or services IAW DoDI 8551.01. DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. The organization being inspected/assessed configures the information system to prohibit or restrict the use of functions, ports, protocols, and/or services IAW DoDI 8551.01. DoD has defined the information system prohibited or restricted functions, ports, protocols, and/or services as IAW DoDI 8551.01. Least Functionality CM-7 CM-7.3 Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7. The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CCI-000383 The organization defines the frequency of information system reviews to identify and eliminate unnecessary functions, ports, protocols and/or services.
CCI-000384 The organization reviews the information system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, and services. The organization conducting the inspection/assessment obtains and examines the documented process and audit trail of reviews to ensure the organization being inspected/assessed reviews the information system every 30 days to identify unnecessary and nonsecure functions, ports, protocols, and services. DoD has defined the frequency as every 30 days. The organization being inspected/assessed documents and implements a process to review the information system every 30 days to identify unnecessary and nonsecure functions, ports, protocols, and services. The organization must maintain an audit trail of the reviews. DoD has defined the frequency as every 30 days. Least Functionality | Periodic Review CM-7 (1) CM-7(1).1 The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2. The organization: (a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and (b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
CCI-000385 The organization reviews the information system per organization-defined frequency to eliminate unnecessary functions, ports, protocols, and/or services.
CCI-000386 The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications.
CCI-000387 The organization defines registration requirements for functions, ports, protocols, and services. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the registration requirements as IAW DoDI 8551.01. DoD has defined the registration requirements as IAW DoDI 8551.01. Least Functionality | Registration Compliance CM-7 (3) CM-7(3).1 Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functions, ports, protocols, and services. The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
CCI-000388 The organization ensures compliance with organization-defined registration requirements for functions, ports, protocols, and services. The organization conducting the inspection/assessment obtains and examines a documented listing of ports, protocols, and services in use, and reviews a sampling of those ports, protocols, and services to ensure the organization being inspected/assessed is compliant with DoDI 8551.01. DoD has defined the registration requirements as IAW DoDI 8551.01. The organization being inspected/assessed implements DoDI 8551.01. DoD has defined the registration requirements as IAW DoDI 8551.01. Least Functionality | Registration Compliance CM-7 (3) CM-7(3).2 Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functions, ports, protocols, and services. The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
CCI-001596 The organization defines the frequency with which to review and update the current contingency planning procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Contingency Planning Policy And Procedures CP-1 CP-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-001597 The organization disseminates contingency planning procedures to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoD disseminates DoDI 8500.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html NIST disseminates NIST SP 800-34 via http://csrc.nist.gov/publications/PubsSPs.html Contingency Planning Policy And Procedures CP-1 CP-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-001598 The organization reviews and updates the current contingency planning procedures in accordance with the organization-defined frequency. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. Contingency Planning Policy And Procedures CP-1 CP-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-000437 The organization defines the frequency with which to review and update the current contingency planning policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 5 years. DoD has defined the frequency as every 5 years. Contingency Planning Policy And Procedures CP-1 CP-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-000438 The organization develops and documents a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. Contingency Planning Policy And Procedures CP-1 CP-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-000439 The organization disseminates a contingency planning policy to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoD disseminates DoDI 8500.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html NIST disseminates NIST SP 800-34 via http://csrc.nist.gov/publications/PubsSPs.html Contingency Planning Policy And Procedures CP-1 CP-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-000440 The organization reviews and updates the current contingency planning policy in accordance with an organization-defined frequency. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. Contingency Planning Policy And Procedures CP-1 CP-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-000441 The organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. DoDI 8500.01 and NIST SP 800-34 meet the DoD requirements for contingency planning policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8500.01 and NIST SP 800-34. Contingency Planning Policy And Procedures CP-1 CP-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-001599 The organization sustains operational continuity of essential missions until full information system restoration at primary processing and/or storage sites. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it documents procedures to sustain operational continuity of essential missions until full information system restoration at primary processing and/or storage sites. The organization being inspected/assessed develops and documents procedures within the contingency plan to sustain operational continuity of essential missions until full information system restoration at primary processing and/or storage sites. Contingency Plan | Continue Essential Missions / Business Functions CP-2 (5) CP-2(5).3 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CCI-001600 The organization sustains operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it documents procedures to sustain operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites. The organization being inspected/assessed develops and documents procedures within the contingency plan to sustain operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites. Contingency Plan | Continue Essential Missions / Business Functions CP-2 (5) CP-2(5).4 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CCI-001601 The organization sustains operational continuity of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process for continuation of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. The organization being inspected/assessed documents within their continuity plan a process for continuation of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. Contingency Plan | Alternate Processing / Storage Site CP-2 (6) CP-2(6).3 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CCI-001602 The organization sustains operational continuity of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process for continuation of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. The organization being inspected/assessed documents within their continuity plan a process for continuation of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites. Contingency Plan | Alternate Processing / Storage Site CP-2 (6) CP-2(6).4 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CCI-000443 The organization develops a contingency plan for the information system that identifies essential missions. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents essential missions for its information system(s). The organization being inspected/assessed must clearly and accurately document essential missions for its information system(s). Impact of loss of essential mission functions must be defined using CNSSI 1253. Contingency Plan CP-2 CP-2.1 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000444 The organization develops a contingency plan for the information system that identifies essential business functions. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents essential business functions for its information system(s). The organization being inspected/assessed must clearly and accurately document essential business functions for its information system(s). Impact of loss of essential business functions must be defined using CNSSI 1253. Contingency Plan CP-2 CP-2.2 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000445 The organization develops a contingency plan for the information system that identifies associated contingency requirements. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents associated contingency requirements for its information system(s). The organization being inspected/assessed must clearly and accurately document associated contingency requirements for its information system(s). Contingency Plan CP-2 CP-2.3 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000446 The organization develops a contingency plan for the information system that provides recovery objectives. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents recovery objectives for its information system(s). The organization being inspected/assessed must clearly and accurately document recovery objectives for its information system(s). Contingency Plan CP-2 CP-2.4 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000447 The organization develops a contingency plan for the information system that provides restoration priorities. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents restoration priorities for its information system(s). The organization being inspected/assessed must clearly and accurately document restoration priorities for its information system(s). Contingency Plan CP-2 CP-2.5 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000448 The organization develops a contingency plan for the information system that provides metrics. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents metrics for its information system(s). The organization being inspected/assessed must clearly and accurately document metrics for its information system(s). Contingency Plan CP-2 CP-2.6 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000449 The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents contingency roles, responsibilities, assigned individuals with contact information for its information system(s). The organization being inspected/assessed must clearly and accurately document contingency roles, responsibilities, assigned individuals with contact information for its information system(s). Contingency Plan CP-2 CP-2.7 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000450 The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system disruption. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system disruption for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining essential missions despite an information system disruption for its information system(s). Contingency Plan CP-2 CP-2.8 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000451 The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system disruption. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system disruption for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system disruption for its information system(s). Contingency Plan CP-2 CP-2.9 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000452 The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system compromise. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system compromise for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining essential missions despite an information system compromise for its information system(s). Contingency Plan CP-2 CP-2.10 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000453 The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system compromise. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system compromise for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system compromise for its information system(s). Contingency Plan CP-2 CP-2.11 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000454 The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system failure. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system failure for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining essential missions despite an information system failure for its information system(s). Contingency Plan CP-2 CP-2.12 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000455 The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system failure. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining business functions despite an information system failure for its information system(s). The organization being inspected/assessed must clearly and accurately document maintaining business functions despite an information system failure for its information system(s). Contingency Plan CP-2 CP-2.13 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000456 The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented for its information system(s). The organization being inspected/assessed must clearly and accurately document eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented for its information system(s). Contingency Plan CP-2 CP-2.14 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000457 The organization develops a contingency plan for the information system that is reviewed and approved by organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines the audit trail to ensure the contingency plan has been reviewed and approved by, at a minimum, the ISSM and ISSO. DoD has defined the personnel or roles as, at a minimum, the ISSM and ISSO. The organization being inspected/assessed has the contingency plan reviewed and approved by, at a minimum, the ISSM and ISSO. The organization must maintain an audit trail of the review and approval activity. DoD has defined the personnel or roles as, at a minimum, the ISSM and ISSO. Contingency Plan CP-2 CP-2.15 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000458 The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the list as all stakeholders identified in the contingency plan. DoD has defined the list as all stakeholders identified in the contingency plan. Contingency Plan CP-2 CP-2.17 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000459 The organization distributes copies of the contingency plan to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements. The organization conducting the inspection/assessment obtains and examines the contingency plan via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated. The organization being inspected/assessed ensures the contingency plan is disseminated to all stakeholders identified in the contingency plan via an information sharing capability. DoD has defined the list as all stakeholders identified in the contingency plan. Contingency Plan CP-2 CP-2.18 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000460 The organization coordinates contingency planning activities with incident handling activities. The organization conducting the inspection/assessment obtains and examines the contingency plan and the incident response plan (IR-8) to ensure they do not contradict each other's objectives or result in duplicate efforts/activities. The organization being inspected/assessed will coordinate the contingency plan and incident response plan (IR-8) to ensure they do not contradict each other's objectives or result in duplicate efforts/activities. Contingency Plan CP-2 CP-2.19 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000461 The organization defines the frequency with which to review the contingency plan for the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Contingency Plan CP-2 CP-2.20 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000462 The organization reviews the contingency plan for the information system in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail to ensure the contingency plan is reviewed annually. The organization being inspected/assessed annually reviews the contingency plan. The organization must maintain an audit trail of annual reviews. Contingency Plan CP-2 CP-2.21 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000463 The organization updates the contingency plan to address changes to the organization. The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately updates the contingency plan to address organizational changes. The organization being inspected/assessed must clearly and accurately update the contingency plan to address organizational changes. The organization must document the update activities as an audit trail. Contingency Plan CP-2 CP-2.22 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000464 The organization updates the contingency plan to address changes to the information system. The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately updates the contingency plan to address information system changes. The organization being inspected/assessed must clearly and accurately update the contingency plan to address changes to the information system. The organization must document the update activities as an audit trail. Contingency Plan CP-2 CP-2.23 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000465 The organization updates the contingency plan to address changes to the environment of operation. The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately revises the contingency plan to address changes to the environment of operation. The organization being inspected/assessed must clearly and accurately revise the contingency plan to address changes to the environment of operation. The organization must document the update activities as an audit trail. Contingency Plan CP-2 CP-2.24 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000466 The organization updates the contingency plan to address problems encountered during contingency plan implementation, execution, or testing. The organization conducting the inspection/assessment obtains and examines the contingency plan and audit trail to ensure the organization clearly and accurately revises the contingency plan to address problems encountered during contingency plan implementation, execution, or testing. The organization being inspected/assessed must clearly and accurately revise the contingency plan to address problems encountered during contingency plan implementation, execution, or testing. The organization must document the update activities as an audit trail. Contingency Plan CP-2 CP-2.25 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000468 The organization communicates contingency plan changes to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements. The organization conducting the inspection/assessment examines the contingency plan via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure the most current version has been communicated. The organization being inspected/assessed communicates contingency plan changes to all stakeholders identified in the contingency plan. DoD has defined the list as all stakeholders identified in the contingency plan. Contingency Plan CP-2 CP-2.26 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-000469 The organization coordinates contingency plan development with organizational elements responsible for related plans. The organization conducting the inspection/assessment obtains and examines documentation of agreements with entities responsible for the contingency or related plans to ensure there is evidence of coordination of those plans. The organization being inspected/assessed coordinates the development of its contingency plan with other organizational elements responsible for related plans. The organization documents any applicable agreements with responsible internal or external entities. For external entities the agreements could entail MOUs, MOAs, SLAs or contracts. Contingency Plan | Coordinate With Related Plans CP-2 (1) CP-2(1).1 Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans. The organization coordinates contingency plan development with organizational elements responsible for related plans.
CCI-000470 The organization conducts capacity planning so that necessary capacity for information processing exists during contingency operations. The organization conducting the inspection/assessment obtains and examines the documented capacity planning to ensure that the organization has performed capacity planning. The organization being inspected/assessed must conduct and document capacity planning to ensure that necessary capacity for information processing exists during contingency operations. Contingency Plan | Capacity Planning CP-2 (2) CP-2(2).1 Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning. The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CCI-000471 The organization conducts capacity planning so that necessary capacity for telecommunications exists during contingency operations. The organization conducting the inspection/assessment obtains and examines the documented capacity planning to ensure that the organization has performed capacity planning. The organization being inspected/assessed must conduct and document capacity planning to ensure that necessary capacity for telecommunications exists during contingency operations. Contingency Plan | Capacity Planning CP-2 (2) CP-2(2).2 Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning. The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CCI-000472 The organization conducts capacity planning so that necessary capacity for environmental support exists during contingency operations. The organization conducting the inspection/assessment obtains and examines the documented capacity planning to ensure that the organization has performed capacity planning. The organization being inspected/assessed must conduct and document capacity planning to ensure that necessary capacity for environmental support exists during contingency operations. Contingency Plan | Capacity Planning CP-2 (2) CP-2(2).3 Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning. The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CCI-000473 The organization defines the time period for planning the resumption of essential missions as a result of contingency plan activation. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Contingency Plan | Resume Essential Missions / Business Functions CP-2 (3) CP-2(3).1 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000474 The organization defines the time period for planning the resumption of essential business functions as a result of contingency plan activation. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Contingency Plan | Resume Essential Missions / Business Functions CP-2 (3) CP-2(3).2 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000475 The organization plans for the resumption of essential missions within the organization-defined time period of contingency plan activation. The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for resumption of essential missions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed shall document within their contingency plan, procedures for resumption of essential missions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Contingency Plan | Resume Essential Missions / Business Functions CP-2 (3) CP-2(3).3 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000476 The organization plans for the resumption of essential business functions within the organization-defined time period of contingency plan activation. The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for resumption of essential business functions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed shall document within their contingency plan, procedures for resumption of essential business functions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Contingency Plan | Resume Essential Missions / Business Functions CP-2 (3) CP-2(3).4 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000477 The organization defines the time period for planning the resumption of all missions as a result of contingency plan activation. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High ) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High ) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. Contingency Plan | Resume All Missions / Business Functions CP-2 (4) CP-2(4).1 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000478 The organization defines the time period for planning the resumption of all business functions as a result of contingency plan activation. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. Contingency Plan | Resume All Missions / Business Functions CP-2 (4) CP-2(4).2 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000479 The organization plans for the resumption of all missions within an organization-defined time period of contingency plan activation. The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for full resumption of affected missions within 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. The organization being inspected/assessed shall document within their contingency plan procedures for full resumption of affected missions within 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. Contingency Plan | Resume All Missions / Business Functions CP-2 (4) CP-2(4).3 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000480 The organization plans for the resumption of all business functions within an organization-defined time period of contingency plan activation. The organization conducting the inspection/assessment obtains the contingency plan to ensure it contains procedures for full resumption of affected business functions within 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. The organization being inspected/assessed shall document within their contingency plan procedures for full resumption of affected business functions within 1 hour (Availability High) 1-5 days (Availability Moderate) 5-30 days (Availability Low) as defined in the contingency plan. Contingency Plan | Resume All Missions / Business Functions CP-2 (4) CP-2(4).4 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure. Related control: PE-12. The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CCI-000481 The organization plans for the continuance of essential missions with little or no loss of operational continuity. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential missions despite an information system disruption for its information system(s). The organization being inspected/assessed plans for the continuance of essential missions with little or no loss of operational continuity IAW CP-2a. Contingency Plan | Continue Essential Missions / Business Functions CP-2 (5) CP-2(5).1 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CCI-000482 The organization plans for the continuance of essential business functions with little or no loss of operational continuity. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it clearly and accurately documents maintaining essential business functions despite an information system disruption for its information system(s). The organization being inspected/assessed plans for the continuance of essential business functions with little or no loss of operational continuity IAW CP-2a. Contingency Plan | Continue Essential Missions / Business Functions CP-2 (5) CP-2(5).2 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CCI-000483 The organization plans for the transfer of essential missions to alternate processing and/or storage sites with little or no loss of operational continuity. The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process to transfer essential missions to alternate processing and/or storage sites with little or no loss of operational continuity. The organization being inspected/assessed documents within their continuity plan a process to transfer essential missions to alternate processing and/or storage sites with little or no loss of operational continuity. Contingency Plan | Alternate Processing / Storage Site CP-2 (6) CP-2(6).1 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CCI-000484 The organization plans for the transfer of essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity. The organization conducting the inspection/assessment obtains and examines the continuity plan to ensure the organization being inspected/assessed documents a process to transfer essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity. The organization being inspected/assessed documents within their continuity plan a process to transfer essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity. Contingency Plan | Alternate Processing / Storage Site CP-2 (6) CP-2(6).2 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12. The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CCI-001603 The contingency plan identifies the primary storage site hazards.
CCI-001604 The organization outlines explicit mitigation actions for organization-identified accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented explicit mitigation actions for accessibility problems identified in CP-6 (3), CCI 509 to the alternate storage site in the event of an area-wide disruption or disaster. The organization being inspected/assessed must identify and document in the contingency plan explicit mitigation actions for accessibility problems identified in CP-6 (3), CCI 509 to the alternate storage site in the event of an area-wide disruption or disaster. Alternate Storage Site | Accessibility CP-6 (3) CP-6(3).2 Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted. Related control: RA-3. The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CCI-000505 The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information. The organization conducting the inspection/assessment obtains and examines the contingency plan to confirm the organization has established an alternate storage site. The organization being inspected/assessed establishes an alternate storage site and documents relevant information within the contingency plan. Alternate Storage Site CP-6 CP-6.1 Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4. The organization: a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
CCI-000506 The organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information.
CCI-000507 The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. The organization conducting the inspection/assessment obtains and examines the risk management strategy and the contingency plan to ensure the organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same threats identified at the primary site. The organization being inspected/assessed identifies and documents within the contingency plan an alternate storage site not susceptible to the same threats that exist at the primary storage site. The organization must document threats in the risk management strategy IAW PM-9, CCI 000227. Alternate Storage Site | Separation From Primary Site CP-6 (1) CP-6(1).1 Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
CCI-000508 The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. The organization conducting the inspection/assessment obtains and examines the contingency plan and conducts a walk-through of the alternate storage site to ensure the organization's documented recovery time and recovery point objectives have been met. The organization being inspected/assessed configures the alternate storage site to facilitate recovery operations IAW CP-2, CCIs 446 and 447. Alternate Storage Site | Recovery Time / Point Objectives CP-6 (2) CP-6(2).1 The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CCI-000509 The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. The organization being inspected/assessed must identify and document in the contingency plan potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster. Alternate Storage Site | Accessibility CP-6 (3) CP-6(3).1 Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted. Related control: RA-3. The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CCI-001605 The contingency plan identifies the primary processing site hazards.
CCI-001606 The organization outlines explicit mitigation actions for organization-identified potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented explicit mitigation actions for accessibility problems identified in CP-7 (2), CCI 517 to the alternate processing site in the event of an area-wide disruption or disaster. The organization being inspected/assessed must identify and document in the contingency plan explicit mitigation actions for accessibility problems identified in CP-7 (2), CCI 517 to the alternate processing site in the event of an area-wide disruption or disaster. Alternate Processing Site | Accessibility CP-7 (2) CP-7(2).2 Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CCI-000510 The organization defines the time period consistent with recovery time and recovery point objectives for essential missions/business functions to permit the transfer and resumption of organization-defined information system operations at an alternate processing site when the primary processing capabilities are unavailable. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Alternate Processing Site CP-7 CP-7.1 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-000511 The organization defines the time period for achieving the recovery time objectives for business functions within which processing must be resumed at the alternate processing site.
CCI-000512 The organization establishes an alternate processing site.
CCI-000513 The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. The organization conducting the inspection/assessment obtains and examines the approved alternate processing site agreements to ensure the organization has alternate processing site support that will permit the transfer and resumption of information system operations for essential missions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed documents and gains approval for alternate processing site agreements that permit the transfer and resumption of information system operations for essential missions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Alternate Processing Site CP-7 CP-7.2 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-000514 The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. The organization conducting the inspection/assessment obtains and examines the approved alternate processing site agreements to ensure the organization has alternate processing site support that will permit the transfer and resumption of information system operations for business functions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed documents and gains approval for alternate processing site agreements that permit the transfer and resumption of information system operations for business functions within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Alternate Processing Site CP-7 CP-7.3 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-000515 The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption. The organization conducting the inspection/assessment obtains and examines: 1. Inventory of equipment and supplies, or 2. Contract documentation to ensure the organization has the equipment and supply resources necessary, or provisions to obtain the resources to transfer and resume operations at the alternate processing site within 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed maintains an inventory of equipment and supplies required to transfer and resume operations, or engages contract support that meets required timelines to support 1 hour (Availability High) 12 hours (Availability Moderate) as defined in the contingency plan. Alternate Processing Site CP-7 CP-7.5 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-000516 The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. The organization conducting the inspection/assessment obtains and examines the risk management strategy and the contingency plan to ensure the organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same threats identified at the primary site. The organization being inspected/assessed identifies and documents within the contingency plan an alternate processing site not susceptible to the same threats that exist at the primary processing site. The organization must document threats in the risk management strategy IAW PM-9, CCI 000227. Alternate Processing Site | Separation From Primary Site CP-7 (1) CP-7(1).1 Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
CCI-000517 The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure the organization has documented potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. The organization being inspected/assessed must identify and document in the contingency plan potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. Alternate Processing Site | Accessibility CP-7 (2) CP-7(2).1 Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CCI-000518 The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organizational availability requirements (including recovery time objectives). The organization conducting the inspection/assessment obtains and examines the approved alternate processing site agreements to ensure they contain priority-of-service provisions in accordance with CP-2, CCI 447 for alternate processing site support (including recovery time objectives). The organization being inspected/assessed documents and gains approval for alternate processing site agreements that contain priority-of-service provisions in accordance with CP-2, CCI 447 (including recovery time objectives). Alternate Processing Site | Priority Of Service CP-7 (3) CP-7(3).1 Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site. The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives).
CCI-000519 The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential missions. The organization conducting the inspection/assessment obtains and examines the contingency plan and conducts a walk-through of the alternate processing site to ensure it is ready to be used as the operational site supporting essential missions. The organization being inspected/assessed prepares the alternate processing site so that it is ready to be used as the operational site supporting essential missions IAW CP-2, CCI 443. Alternate Processing Site | Preparation For Use CP-7 (4) CP-7(4).1 Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place. Related controls: CM-2, CM-6. The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
CCI-000520 The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential business functions. The organization conducting the inspection/assessment obtains and examines the contingency plan and conducts a walk-through of the alternate processing site to ensure it is ready to be used as the operational site supporting business functions. The organization being inspected/assessed prepares the alternate processing site so that it is ready to be used as the operational site supporting business functions IAW CP-2, CCI 444. Alternate Processing Site | Preparation For Use CP-7 (4) CP-7(4).2 Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place. Related controls: CM-2, CM-6. The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
CCI-000521 The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. The organization conducting the inspection/assessment obtains and examines the documentation of the primary/alternate site information security safeguards that are in place as well as evidence that the alternate site was approved based on an assessment that security is equivalent at the alternate site. The organization being inspected/assessed documents the information security safeguards that are in place at both the primary and alternate sites and evidence that the alternate site was approved based on an assessment that security is equivalent at the alternate site. Alternate Processing Site CP-7 CP-7.6 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-001607 The organization establishes alternate telecommunications services to support the information system.
CCI-001608 The organization identifies the primary provider's telecommunications service hazards.
CCI-000522 The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential missions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High), 12 hours (Availability Moderate) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High), 12 hours (Availability Moderate) as defined in the contingency plan. Telecommunications Services CP-8 CP-8.1 This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000523 The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential business functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High), 12 hours (Availability Moderate) as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High), 12 hours (Availability Moderate) as defined in the contingency plan. Telecommunications Services CP-8 CP-8.2 This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000524 The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. The organization conducting the inspection/assessment obtains and examines the approved alternate telecommunications service agreements to ensure they permit the resumption of telecommunications services for essential missions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High), 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed documents and gains approval for alternate telecommunications service agreements that permit the resumption of telecommunications services for essential missions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High), 12 hours (Availability Moderate) as defined in the contingency plan. Telecommunications Services CP-8 CP-8.3 This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000525 The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. The organization conducting the inspection/assessment obtains and examines the approved alternate telecommunications service agreements to ensure they permit the resumption of telecommunications services for business functions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High), 12 hours (Availability Moderate) as defined in the contingency plan. The organization being inspected/assessed documents and gains approval for alternate telecommunications service agreements that permit the resumption of telecommunications services for business functions IAW DoDI 8100.04. DoD has defined the time period as 1 hour (Availability High), 12 hours (Availability Moderate) as defined in the contingency plan. Telecommunications Services CP-8 CP-8.4 This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000526 The organization develops primary telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives). The organization conducting the inspection/assessment obtains and examines the approved primary telecommunications service agreements to ensure they contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). The organization being inspected/assessed documents and gains approval for primary telecommunications service agreements that contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). Telecommunications Services | Priority Of Service Provisions CP-8 (1) CP-8(1).1 Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. The organization: (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CCI-000527 The organization develops alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives). The organization conducting the inspection/assessment obtains and examines the approved alternate telecommunications service agreements to ensure they contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). The organization being inspected/assessed documents and gains approval for alternate telecommunications service agreements that contain priority-of-service provisions IAW DoDI 8100.04 (including recovery time objectives). Telecommunications Services | Priority Of Service Provisions CP-8 (1) CP-8(1).2 Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. The organization: (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CCI-000528 The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary telecommunications services are provided by a common carrier. The organization conducting the inspection/assessment obtains and examines the contingency plan, the telecommunication service agreement, and any existing formal requests for Telecommunications Service Priority. The purpose of the review is to ensure the organization or the mid-tier provider has requested Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness where the primary telecommunications services are provided by a common carrier. The organization being inspected/assessed identifies and documents within the contingency plan any telecommunications services used for national security emergency preparedness. If the primary telecommunications services are provided by a common carrier, the organization formally requests Telecommunications Service Priority IAW the DHS Telecommunications Service Priority Process http://www.dhs.gov/telecommunications-service-priority-tsp. If the primary telecommunications services are provided by a mid-tier provider instead of a common carrier (for example, DISA), the organization must ensure that their provider formally requests Telecommunications Service Priority on their behalf. Telecommunications Services | Priority Of Service Provisions CP-8 (1) CP-8(1).3 Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. The organization: (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CCI-000529 The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the alternate telecommunications services are provided by a common carrier. The organization conducting the inspection/assessment obtains and examines the contingency plan, the telecommunication service agreement, and any existing formal requests for Telecommunications Service Priority. The purpose of the review is to ensure the organization has requested Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event the alternate telecommunications services are provided by a common carrier. The organization being inspected/assessed identifies and documents within the contingency plan telecommunications services used for national security emergency preparedness in the event the alternate telecommunications services are provided by a common carrier. For each service, the organization formally requests Telecommunications Service Priority, IAW the DHS Telecommunications Service Priority Process http://tsp.ncs.gov/request.html. Telecommunications Services | Priority Of Service Provisions CP-8 (1) CP-8(1).4 Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions. The organization: (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CCI-000530 The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. The organization conducting the inspection/assessment obtains and examines agreements with their service providers to ensure that a single point of failure is not shared. The organization being inspected/assessed obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services IAW DoDI 8100.04. Telecommunications Services | Single Points Of Failure CP-8 (2) CP-8(2).1 The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CCI-000531 The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. The organization conducting the inspection/assessment obtains and examines agreements with alternate service providers to ensure they are not susceptible to the same hazards as the primary service provider. The organization being inspected/assessed obtains alternate telecommunications services from providers that are separated from primary service providers so as not to be susceptible to the same hazards IAW DoDI 8100.04. Telecommunications Services | Separation Of Primary / Alternate Providers CP-8 (3) CP-8(3).1 Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment. The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
CCI-000532 The organization requires primary telecommunications service providers to have contingency plans. The organization conducting the inspection/assessment obtains and examines the primary telecommunications service provider agreements to ensure the organization requires the primary service provider to have contingency plans. The organization being inspected/assessed includes in their primary telecommunications service provider agreements requirements for the primary service provider to have contingency plans. Telecommunications Services | Provider Contingency Plan CP-8 (4) CP-8(4).1 Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. The organization: (a) Requires primary and alternate telecommunications service providers to have contingency plans; (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
CCI-000533 The organization requires alternate telecommunications service providers to have contingency plans. The organization conducting the inspection/assessment obtains and examines the alternate telecommunications service provider agreements to ensure the organization requires the alternate service provider to have contingency plans. The organization being inspected/assessed includes in their alternate telecommunications service provider agreements requirements for the alternate service provider to have contingency plans. Telecommunications Services | Provider Contingency Plan CP-8 (4) CP-8(4).2 Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. The organization: (a) Requires primary and alternate telecommunications service providers to have contingency plans; (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
CCI-001609 The organization can activate the redundant secondary information system that is not collocated with the primary system without loss of information or disruption to operations. The organization conducting the inspection/assessment determines if the organization has established a service level agreement for a redundant secondary system support that is not co-located with the primary system, and has configured the system so it can be activated to accomplish system backups without a loss of information or operational disruption. The organization being inspected/assessed establishes a service level agreement which will provide for redundant secondary system support that is not co-located with the primary system, and has configured the system so that it can be activated to accomplish system backups without a loss of information or operational disruption. Information System Backup | Redundant Secondary System CP-9 (6) CP-9(6).2 Related controls: CP-7, CP-10. The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CCI-000534 The organization defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least weekly as defined in the contingency plan. DoD has defined the frequency as at least weekly as defined in the contingency plan. Information System Backup CP-9 CP-9.1 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000535 The organization conducts backups of user-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. The organization conducting the inspection/assessment obtains and reviews the backup strategy, and examines a sample of systems to ensure they are configured to perform backups at least weekly as defined in the contingency plan. The organization being inspected/assessed must identify user-level information within the backup strategy and configure the system to perform backups at least weekly as defined in the contingency plan. Information System Backup CP-9 CP-9.2 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000536 The organization defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. DoD has defined the frequency as at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. Information System Backup CP-9 CP-9.3 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000537 The organization conducts backups of system-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives. The organization conducting the inspection/assessment obtains and reviews the backup strategy, and examines a sample of systems to ensure they are configured to perform backups at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. The organization being inspected/assessed must identify system-level information within the backup strategy and configure the system to perform backups at least weekly and as required by system baseline configuration changes in accordance with the contingency plan. Information System Backup CP-9 CP-9.4 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000538 The organization defines the frequency of conducting information system documentation backups, including security-related documentation, to support recovery time objectives and recovery point objectives. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan. DoD has defined the frequency as when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan. Information System Backup CP-9 CP-9.5 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000539 The organization conducts backups of information system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives. The organization conducting the inspection/assessment obtains and examines the latest version of the information system documentation including security-related documentation to verify it is the same version as contained in backups. The organization being inspected/assessed conducts backups of information system documentation including security-related documentation when created or received, when updated, and as required by system baseline configuration changes in accordance with the contingency plan. Information System Backup CP-9 CP-9.6 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000540 The organization protects the confidentiality, integrity, and availability of backup information at storage locations. The organization conducting the inspection/assessment obtains and examines the system security plan and ensures backup information at the storage location is protected IAW the system security plan. The organization being inspected/assessed will protect the confidentiality, integrity, and availability of backup information at the storage location IAW the system security plan. Information System Backup CP-9 CP-9.7 System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13. The organization: a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000541 The organization defines the frequency with which to test backup information to verify media reliability and information integrity. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least monthly in accordance with the contingency plan. DoD has defined the frequency as at least monthly in accordance with the contingency plan. Information System Backup | Testing For Reliability / Integrity CP-9 (1) CP-9(1).1 Related control: CP-4. The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
CCI-000542 The organization tests backup information per an organization-defined frequency to verify media reliability and information integrity. The organization conducting the inspection/assessment obtains and examines the backup plan and verifies that the organization has tested and logged backup information. The organization being inspected/assessed tests and logs backup information at least monthly in accordance with the contingency plan to verify media reliability and information integrity. Information System Backup | Testing For Reliability / Integrity CP-9 (1) CP-9(1).2 Related control: CP-4. The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
CCI-000543 The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing. The organization conducting the inspection/assessment obtains and examines the contingency plan test results to verify that the sample of backup information was restored as part of the restoration of selected information system functions. The organization being inspected/assessed restores a sample of backup information as part of the restoration of selected information system functions during contingency plan testing. Organizations must identify a sample of backup information in the contingency plan test results. Information System Backup | Test Restoration Using Sampling CP-9 (2) CP-9(2).1 Related control: CP-4. The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
CCI-000544 The organization stores backup copies of the operating system in a separate facility or in a fire-rated container that is not colocated with the operational system.
CCI-000545 The organization stores backup copies of critical information system software in a separate facility or in a fire-rated container that is not colocated with the operational system.
CCI-000546 The organization stores backup copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not colocated with the operational system.
CCI-000547 The organization defines the time period and transfer rate of the information system backup information to the alternate storage site consistent with the recovery time and recovery point objectives. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as Continuously (Availability High), 24 hours (Availability Moderate), 7 days (Availability Low), as defined in the contingency plan. DoD has defined the time period as Continuously (Availability High), 24 hours (Availability Moderate), 7 days (Availability Low), as defined in the contingency plan. Information System Backup | Transfer To Alternate Storage Site CP-9 (5) CP-9(5).1 Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media. The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
CCI-000548 The organization transfers information system backup information to the alternate storage site in accordance with the organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives. The organization conducting the inspection/assessment obtains and examines the contingency plan and related logs to ensure the organization transfers information system backup information to the alternate site Continuously (Availability High), 24 hours (Availability Moderate), 7 days (Availability Low), as defined in the contingency plan. The organization being inspected/assessed performs the transfer of information system backup information to the alternate site Continuously (Availability High), 24 hours (Availability Moderate), 7 days (Availability Low), as defined in the contingency plan. Information System Backup | Transfer To Alternate Storage Site CP-9 (5) CP-9(5).2 Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media. The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
CCI-000549 The organization maintains a redundant secondary information system that is not collocated with the primary system. The organization conducting the inspection/assessment determines if the organization is maintaining a redundant, secondary backup system that is not co-located with the primary system. The organization being inspected/assessed establishes and maintains a redundant, secondary backup system that is not co-located with the primary system. Information System Backup | Redundant Secondary System CP-9 (6) CP-9(6).1 Related controls: CP-7, CP-10. The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CCI-001610 The organization defines the time period (by authenticator type) for changing/refreshing authenticators. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as: CAC - every 3 years, or 1 year from term of contract; Password: 60 days; Biometrics: every 3 years. DoD has defined the time period as: CAC - every 3 years, or 1 year from term of contract; Password: 60 days; Biometrics: every 3 years. Authenticator Management IA-5 IA-5.17 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001611 The organization defines the minimum number of special characters for password complexity enforcement. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the minimum number of special characters for password complexity enforcement as one special character. DoD has defined the minimum number of special characters for password complexity enforcement as one special character. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).5 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-001612 The organization defines the minimum number of upper case characters for password complexity enforcement. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the minimum number of upper case characters for password complexity enforcement as one upper-case character. DoD has defined the minimum number of upper case characters for password complexity enforcement as one upper-case character. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).6 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-001613 The organization defines the minimum number of lower case characters for password complexity enforcement. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the minimum number of lower case characters for password complexity enforcement as one lower-case character. DoD has defined the minimum number of lower case characters for password complexity enforcement as one lower-case character. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).7 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-001614 The organization defines the minimum number of numeric characters for password complexity enforcement. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the minimum number of numeric characters for password complexity enforcement as one numeric character. DoD has defined the minimum number of numeric characters for password complexity enforcement as one numeric character. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).8 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-001615 The organization defines the minimum number of characters that are changed when new passwords are created. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the minimum number of characters as 50% of the minimum password length. DoD has defined the minimum number of characters as 50% of the minimum password length. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).11 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-001616 The organization defines minimum password lifetime restrictions. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the minimum password lifetime restrictions as 24 hours. DoD has defined the minimum password lifetime restrictions as 24 hours. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).16 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-001617 The organization defines maximum password lifetime restrictions. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the maximum password lifetime restrictions as 60 days. DoD has defined the maximum password lifetime restrictions as 60 days. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).17 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-001618 The organization defines the number of generations for which password reuse is prohibited. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the number of generations as a minimum of 5. DoD has defined the number of generations as a minimum of 5. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).19 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-001619 The information system enforces password complexity by the minimum number of special characters used. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of special characters used. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1619. The organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of special characters used. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1619. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).9 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-001620 The organization defines the types of and/or specific authenticators for which the registration process must be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).
CCI-001621 The organization implements organization-defined security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems. The organization conducting the inspection/assessment obtains and examines the documented policies as well as training records to ensure that the organization being inspected/assessed implements policies and training advising users not to use the same password for any of the following: Domains of differing classification levels. More than one domain of a classification level (e.g., internal agency network and Intelink). More than one privilege level (e.g., user, administrator). The organization being inspected/assessed documents and implements policies and user training including advising users not to use the same password for any of the following: Domains of differing classification levels. More than one domain of a classification level (e.g., internal agency network and Intelink). More than one privilege level (e.g., user, administrator). Authenticator Management | Multiple Information System Accounts IA-5 (8) IA-5(8).2 When individuals have accounts on multiple information systems, there is the risk that the compromise of one account may lead to the compromise of other accounts if individuals use the same authenticators. Possible alternatives include, for example: (i) having different authenticators on all systems; (ii) employing some form of single sign-on mechanism; or (iii) including some form of one-time passwords on all systems. The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
CCI-000175 The organization manages information system authenticators for users and devices by verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator.
CCI-000176 The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization. The organization conducting the inspection/assessment obtains and examines the documented procedures for setting initial authenticator content to ensure they have been defined. The organization being inspected/assessed defines and documents procedures for setting initial authenticator content. Authenticator Management IA-5 IA-5.2 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-000177 The organization manages information system authenticators for users and devices by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.
CCI-000178 The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation.
CCI-000179 The organization manages information system authenticators by establishing minimum lifetime restrictions for authenticators. The organization conducting the inspection/assessment obtains and examines the documented minimum lifetime restrictions for authenticators to ensure they have been defined. The organization being inspected/assessed defines and documents minimum lifetime restrictions for authenticators. Authenticator Management IA-5 IA-5.13 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-000180 The organization manages information system authenticators by establishing maximum lifetime restrictions for authenticators. Per IA-5, CCI 1610, DoD has established the maximum lifetime restrictions for authenticators as CAC - every 3 years, or 1 year from term of contract; Password: 60 days; Biometrics: every 3 years. Per IA-5, CCI 1610, DoD has established the maximum lifetime restrictions for authenticators as CAC - every 3 years, or 1 year from term of contract; Password: 60 days; Biometrics: every 3 years. Authenticator Management IA-5 IA-5.14 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-000181 The organization manages information system authenticators by establishing reuse conditions for authenticators. The organization conducting the inspection/assessment obtains and examines the documented reuse conditions for authenticators to ensure they have been defined. The organization being inspected/assessed defines and documents the reuse conditions for authenticators. Authenticator Management IA-5 IA-5.15 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-000182 The organization manages information system authenticators by changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type. The organization conducting the inspection/assessment obtains and examines the documented procedures for authenticator change/refresh to ensure the procedures are defined. The organization conducting the inspection/assessment obtains and examines a sampling of authenticator age data to ensure that authenticators are changed or refreshed in the following time periods: CAC - every 3 years, or 1 year from term of contract; Password: 60 days; Biometrics: every 3 years. DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract; Password: 60 days; Biometrics: every 3 years. The organization being inspected/assessed documents and implements procedures for changing/refreshing authenticators in the following time periods: CAC - every 3 years, or 1 year from term of contract; Password: 60 days; Biometrics: every 3 years. DoD has defined the time period as CAC - every 3 years, or 1 year from term of contract; Password: 60 days; Biometrics: every 3 years. Authenticator Management IA-5 IA-5.16 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-000183 The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure. The organization conducting the inspection/assessment obtains and examines the documented procedures to protect authenticator content from unauthorized disclosure to ensure the procedures are defined. The organization being inspected/assessed documents and implements procedures to protect authenticator content from unauthorized disclosure. Authenticator Management IA-5 IA-5.19 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-000184 The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators.
CCI-000185 The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to validate DoD-approved PKI credentials in accordance with RFC 5280. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to perform a revocation check as part of the certificate validation process. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 185. The information system performing hardware token-based authentication must be configured to validate DoD-approved PKI credentials in accordance with RFC 5280. The information system must be configured to perform a revocation check as part of the certificate validation process. Revocation checking may be performed using certificate revocation lists (CRLs) published by the issuing PKI or Online Certificate Status Protocol (OCSP) services. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 185. Authenticator Management | PKI-Based Authentication IA-5 (2) IA-5(2).1 Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. The information system, for PKI-based authentication: (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; (b) Enforces authorized access to the corresponding private key; (c) Maps the authenticated identity to the account of the individual or group; and (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
CCI-000186 The information system, for PKI-based authentication, enforces authorized access to the corresponding private key. The organization conducting the inspection/assessment examines the information system to ensure the information system does not contain any users' private keys. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to store its own private key in a FIPS 140-2 validated cryptographic module. Information systems must not have access to users' private keys. The cryptographic container in which the private keys are stored (e.g. smart card or software module) implements access controls and protections to ensure that only the authorized user can activate the private key. DoD users agree to protect their PKI credentials in accordance with the DD-2842 agreement that is executed for each credential. They are reminded of these responsibilities in annual IA training. The private key identifying the information system must be stored in a cryptographic container that is FIPS 140-2 validated. Only authorized information system operators should have access to activation data (e.g. password or PIN) for the private key. Authenticator Management | PKI-Based Authentication IA-5 (2) IA-5(2).2 Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. The information system, for PKI-based authentication: (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; (b) Enforces authorized access to the corresponding private key; (c) Maps the authenticated identity to the account of the individual or group; and (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
CCI-000187 The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to map authenticated PKI credentials to corresponding network or information system accounts or roles in accordance with DoDI 8520.03. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 187. The information system performing PKI-based authentication must be configured to map the authenticated PKI credential to a corresponding network or information system account or role in accordance with DoDI 8520.03. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 187. Authenticator Management | PKI-Based Authentication IA-5 (2) IA-5(2).3 Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. The information system, for PKI-based authentication: (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; (b) Enforces authorized access to the corresponding private key; (c) Maps the authenticated identity to the account of the individual or group; and (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
CCI-000188 The organization requires that the registration process to receive an organizational-defined type of authenticator be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).
CCI-000189 The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.
CCI-000190 The organization requires vendors/manufacturers of information system components to provide unique authenticators or change default authenticators prior to delivery.
CCI-000191 The organization enforces password complexity by the number of special characters used.
CCI-000201 The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access. The organization conducting the inspection/assessment obtains and examines the documented procedures to ensure the organization being inspected/assessed protects authenticators commensurate with the security category of the information to which use of the authenticator permits access. The organization being inspected/assessed documents and implements procedures to protect authenticators commensurate with the security category of the information to which use of the authenticator permits access. Authenticator Management | Protection Of Authenticators IA-5 (6) IA-5(6).1 For information systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
CCI-000202 The organization ensures unencrypted static authenticators are not embedded in access scripts. The organization conducting the inspection/assessment obtains and examines the requirements that unencrypted static authenticators not be embedded in access scripts to ensure the organization being inspected/assessed ensures unencrypted static authenticators are not embedded in access scripts. The organization being inspected/assessed documents and implements requirements that unencrypted static authenticators not be embedded in access scripts. Authenticator Management | No Embedded Unencrypted Static Authenticators IA-5 (7) IA-5(7).1 Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password). The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
CCI-000204 The organization defines the security safeguards required to manage the risk of compromise due to individuals having accounts on multiple information systems. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security safeguards as policies and user training including advising users not to use the same password for any of the following: Domains of differing classification levels. More than one domain of a classification level (e.g., internal agency network and Intelink). More than one privilege level (e.g., user, administrator). DoD has defined the security safeguards as policies and user training including advising users not to use the same password for any of the following: Domains of differing classification levels. More than one domain of a classification level (e.g., internal agency network and Intelink). More than one privilege level (e.g., user, administrator). Authenticator Management | Multiple Information System Accounts IA-5 (8) IA-5(8).1 When individuals have accounts on multiple information systems, there is the risk that the compromise of one account may lead to the compromise of other accounts if individuals use the same authenticators. Possible alternatives include, for example: (i) having different authenticators on all systems; (ii) employing some form of single sign-on mechanism; or (iii) including some form of one-time passwords on all systems. The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
CCI-000192 The information system enforces password complexity by the minimum number of upper case characters used. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of upper case characters used. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 192. The organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of upper case characters used. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 192. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).1 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-000193 The information system enforces password complexity by the minimum number of lower case characters used. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of lower case characters used. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 193. The organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of lower case characters used. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 193. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).2 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-000194 The information system enforces password complexity by the minimum number of numeric characters used. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of numeric characters used. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 194. The organization being inspected/assessed configures the information system to enforce password complexity by the minimum number of numeric characters used. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 194. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).4 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-000195 The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce that at least 50% of the minimum password length is changed. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 195. DoD has defined the minimum number of characters as 50% of the minimum password length. The organization being inspected/assessed configures the information system to enforce that at least 50% of the minimum password length is changed. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 195. DoD has defined the minimum number of characters as 50% of the minimum password length. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).10 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-000196 The information system, for password-based authentication, stores only cryptographically-protected passwords. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to store only encrypted representations of passwords. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 196. The organization being inspected/assessed configures the information system to store only encrypted representations of passwords. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 196. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).12 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-000197 The information system, for password-based authentication, transmits only cryptographically-protected passwords. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to transmit only encrypted representations of passwords. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 197. The organization being inspected/assessed configures the information system to transmit only encrypted representations of passwords. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 197. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).13 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-000198 The information system enforces minimum password lifetime restrictions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce minimum password lifetime restrictions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 198. The organization being inspected/assessed configures the information system to enforce minimum password lifetime restrictions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 198. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).14 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-000199
CCI Definition: The information system enforces maximum password lifetime restrictions.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce maximum password lifetime restrictions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 199.
CCI Guidance: The organization being inspected/assessed configures the information system to enforce maximum password lifetime restrictions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 199.
Control Name: Authenticator Management | Password-Based Authentication IA-5 (1)
Control Assessment Procedure: IA-5(1).15
Control Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6.
Control Definition: The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

CCI-000200
CCI Definition: The information system prohibits password reuse for the organization-defined number of generations.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit reuse for a minimum of 5 generations. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 200. DoD has defined the number of generations as a minimum of 5.
CCI Guidance: The organization being inspected/assessed configures the information system to prohibit reuse for a minimum of 5 generations. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 200. DoD has defined the number of generations as a minimum of 5.
Control Name: Authenticator Management | Password-Based Authentication IA-5 (1)
Control Assessment Procedure: IA-5(1).18
Control Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6.
Control Definition: The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

CCI-000203
CCI Definition: The organization ensures unencrypted static authenticators are not stored on function keys.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the requirements that unencrypted static authenticators not be stored on function keys to ensure the organization being inspected/assessed ensures unencrypted static authenticators are not stored on function keys.
CCI Guidance: The organization being inspected/assessed documents and implements requirements that unencrypted static authenticators not be stored on function keys.
Control Name: Authenticator Management | No Embedded Unencrypted Static Authenticators IA-5 (7)
Control Assessment Procedure: IA-5(7).2
Control Guidance: Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password).
Control Definition: The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

CCI-000205
CCI Definition: The information system enforces minimum password length.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce minimum password length. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 205.
CCI Guidance: The organization being inspected/assessed configures the information system to enforce minimum password length. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 205.
Control Name: Authenticator Management | Password-Based Authentication IA-5 (1)
Control Assessment Procedure: IA-5(1).3
Control Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6.
Control Definition: The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

CCI-001544
CCI Definition: The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines documented authenticator strength mechanisms to ensure that they are defined and that the mechanisms have sufficient strength for the intended use of the authenticators.
CCI Guidance: The organization being inspected/assessed documents and implements authenticator strength mechanisms sufficient for the intended use of the authenticators.
Control Name: Authenticator Management IA-5
Control Assessment Procedure: IA-5.3
Control Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
Control Definition: The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.

CCI-001622
CCI Definition: The organization identifies personnel with incident response roles and responsibilities with respect to the information system.

CCI-001623
CCI Definition: The incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities.

CCI-000813
CCI Definition: The organization provides incident response training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming an incident response role or responsibility.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented process as well as training records for a sampling of information system users to ensure the organization being inspected/assessed provides incident response training to information system users consistent with assigned roles and responsibilities within 30 working days of assuming an incident response role or responsibility. DoD has defined the time period as 30 working days.
CCI Guidance: The organization being inspected/assessed documents and implements a process to provide incident response training to information system users consistent with assigned roles and responsibilities within 30 working days of assuming an incident response role or responsibility. The organization must maintain a record of training. DoD has defined the time period as 30 working days.
Control Name: Incident Response Training IR-2
Control Assessment Procedure: IR-2.1
Control Guidance: Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8.
Control Definition: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.

CCI-000814
CCI Definition: The organization provides incident response training in accordance with organization-defined frequency.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented process as well as training records for a sampling of information system users to ensure the organization being inspected/assessed provides incident response training to information system users, other than general users, consistent with assigned roles and responsibilities annually. For general users, DoD components are automatically compliant with the requirement based on DoDD 8570.01 requirements for IA awareness training. DoD has defined the frequency as annually.
CCI Guidance: The organization being inspected/assessed documents and implements a process to provide incident response training to information system users, other than general users, consistent with assigned roles and responsibilities annually. For general users, DoD components are automatically compliant with the requirement based on DoDD 8570.01 requirements for IA awareness training. The organization must maintain a record of training. DoD has defined the frequency as annually.
Control Name: Incident Response Training IR-2
Control Assessment Procedure: IR-2.3
Control Guidance: Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8.
Control Definition: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.

CCI-000815
CCI Definition: The organization defines a frequency for incident response training.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually.
CCI Guidance: DoD has defined the frequency as annually.
Control Name: Incident Response Training IR-2
Control Assessment Procedure: IR-2.4
Control Guidance: Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8.
Control Definition: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.

CCI-000816
CCI Definition: The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines incident response training materials and a record of training events to ensure that simulated events have been included.
CCI Guidance: The organization being inspected/assessed will document a process to include simulated events in incident response training to facilitate effective response by personnel in crisis situations. The process to include simulated events shall be documented IAW CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. The organization must maintain a record of incident response training, including simulated events.
Control Name: Incident Response Training | Simulated Events IR-2 (1)
Control Assessment Procedure: IR-2(1).1
Control Definition: The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

CCI-000817
CCI Definition: The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the automated mechanism, such as scenario-based interactive online training/CBT, to verify that it provides a realistic incident response training environment.
CCI Guidance: The organization being inspected/assessed employs an automated mechanism, such as scenario-based interactive online training/CBT, providing a realistic incident response training environment.
Control Name: Incident Response Training | Automated Training Environments IR-2 (2)
Control Assessment Procedure: IR-2(2).1
Control Definition: The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.

CCI-001624
CCI Definition: The organization documents the results of incident response tests.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines: (1) the organization's incident response plan, to identify the organization's testing schedule, and (2) the results of previous incident response tests, to ensure the organization is documenting the results IAW their incident response plan.
CCI Guidance: The organization being inspected/assessed will document the results of incident response tests.
Control Name: Incident Response Testing IR-3
Control Assessment Procedure: IR-3.4
Control Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8.
Control Definition: The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.

CCI-000818
CCI Definition: The organization tests the incident response capability for the information system on an organization-defined frequency using organization-defined tests to determine the incident response effectiveness.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of test results to ensure the organization being inspected/assessed tests its incident response capability for the information system at least every six months for high availability and at least annually for low/med availability, using tests as defined in the incident response plan. DoD has defined the frequency as at least every six months for high availability and at least annually for low/med availability. DoD has defined the tests as tests as defined in the incident response plan.
CCI Guidance: The organization being inspected/assessed documents and implements a process to test its incident response capability for the information system at least every six months for high availability and at least annually for low/med availability, using tests as defined in the incident response plan. The organization must maintain a record of test results. DoD has defined the frequency as at least every six months for high availability and at least annually for low/med availability. DoD has defined the tests as tests as defined in the incident response plan.
Control Name: Incident Response Testing IR-3
Control Assessment Procedure: IR-3.1
Control Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8.
Control Definition: The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.

CCI-000819
CCI Definition: The organization defines a frequency for incident response tests.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least every six months for high availability and at least annually for low/med availability.
CCI Guidance: DoD has defined the frequency as at least every six months for high availability and at least annually for low/med availability.
Control Name: Incident Response Testing IR-3
Control Assessment Procedure: IR-3.2
Control Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8.
Control Definition: The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.

CCI-000820
CCI Definition: The organization defines tests for incident response.
CCI Auditor: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the tests as tests as defined in the incident response plan.
CCI Guidance: DoD has defined the tests as tests as defined in the incident response plan.
Control Name: Incident Response Testing IR-3
Control Assessment Procedure: IR-3.3
Control Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8.
Control Definition: The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.

CCI-000821
CCI Definition: The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the identified automated mechanisms in use to test the incident response capability for the information system.
CCI Guidance: The organization being inspected/assessed will identify and employ automated mechanisms to test the incident response capability for the information system.
Control Name: Incident Response Testing | Automated Testing IR-3 (1)
Control Assessment Procedure: IR-3(1).1
Control Guidance: Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities, for example: (i) by providing more complete coverage of incident response issues; (ii) by selecting more realistic test scenarios and test environments; and (iii) by stressing the response capability. Related control: AT-2.
Control Definition: The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.

CCI-001625
CCI Definition: The organization implements the resulting incident handling activity changes to incident response procedures, training, and testing/exercises accordingly.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines recent changes to the incident response plan (based on IR-4, CCI 000824) to verify that they have been disseminated and reviews the most recent after action report to ensure that changes have been followed.
CCI Guidance: The organization being inspected/assessed will follow the latest incident response plan (IR-8) that has been revised (based on IR-4, CCI-000824) and disseminated.
Control Name: Incident Handling IR-4
Control Assessment Procedure: IR-4.4
Control Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
Control Definition: The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

CCI-000822
CCI Definition: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documentation identifying the CNDSP leveraged as well as the documented procedures for incident handling to ensure that there is a certified CNDSP in use and that there are procedures implemented to handle incidents until they are transferred to the responsibility of the CNDSP.
CCI Guidance: The organization being inspected/assessed must have a documented and certified CNDSP and documented procedures for information system users and site security personnel to handle incidents until they are transferred to the responsibility of the CNDSP.
Control Name: Incident Handling IR-4
Control Assessment Procedure: IR-4.1
Control Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
Control Definition: The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

CCI-000823 The organization coordinates incident handling activities with contingency planning activities. The organization conducting the inspection/assessment obtains and examines the incident response plan (IR-8) and contingency plan (CP-2) to ensure they allow for an effective transfer of information system activity and maintain confidentiality and integrity of the contingency assets. The organization being inspected/assessed will coordinate the incident response plan (IR-8) and contingency plan (CP-2) to ensure they allow for an effective transfer of information system activity and maintain confidentiality and integrity of the contingency assets. Incident Handling IR-4 IR-4.2 Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
CCI-000824 The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises. The organization conducting the inspection/assessment obtains and examines after action reports or meeting minutes to identify actionable lessons learned to verify that lessons learned are incorporated into the plan as changes are necessary. The organization being inspected/assessed will conduct after action reviews from incidents to identify lessons learned and will incorporate them into procedures, training, and testing/exercises. The organization must maintain records of after action reviews. Incident Handling IR-4 IR-4.3 Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. The organization: a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinates incident handling activities with contingency planning activities; and c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
CCI-000825 The organization employs automated mechanisms to support the incident handling process. The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS). For the DoD, JIMS is the automated mechanism. Incident Handling | Automated Incident Handling Processes IR-4 (1) IR-4(1).1 Automated mechanisms supporting incident handling processes include, for example, online incident management systems. The organization employs automated mechanisms to support the incident handling process.
CCI-000826 The organization includes dynamic reconfiguration of organization-defined information system components as part of the incident response capability. The organization conducting the inspection/assessment obtains and examines the incident response plan and verifies it has procedures addressing dynamic reconfiguration of information system components defined in IR-4 (2), CCI 2781 as part of the incident response capability IAW CM-3. The organization being inspected/assessed will ensure that their incident response plan includes procedures for dynamic reconfiguration of information system components defined in IR-4 (2), CCI 2781 as part of the incident response capability IAW CM-3. Dynamic reconfiguration bypasses the organization's standard CCB process and may include, for example, changes to router rules, access control lists, intrusion detection/prevention systems, firewalls, etc. Organizations will have procedures to examine dynamic reconfiguration changes at the earliest opportunity IAW CCB. Incident Handling | Dynamic Reconfiguration IR-4 (2) IR-4(2).1 Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats. Related controls: AC-2, AC-4, AC-16, CM-2, CM-3, CM-4. The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
CCI-000827 The organization defines and identifies classes of incidents for which organization-defined actions are to be taken to ensure continuation of organizational mission and business functions. CJCSM 6510.01B has already identified DoD's classes of incidents. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the classes of incidents as classes of incidents defined in CJCSM 6510.01B Appendix A- Enclosure B. 6510.01M CJCSM 6510.01B has already identified DoD's classes of incidents. DoD Components are automatically compliant with this CCI because DoD has defined the classes of incidents as classes of incidents defined in CJCSM 6510.01B Appendix A- Enclosure B. Incident Handling | Continuity Of Operations IR-4 (3) IR-4(3).1 Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack. The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
CCI-000828 The organization defines and identifies actions to take in response to organization-defined classes of incidents to ensure continuation of organizational missions and business functions. CJCSM 6510.01B has already identified DoD's actions to take in response to classes of incidents. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the actions as actions defined in CJCSM 6510.01B. CJCSM 6510.01B has already identified DoD's actions to take in response to classes of incidents. DoD Components are automatically compliant with this CCI because DoD has defined the actions as actions defined in CJCSM 6510.01B. Incident Handling | Continuity Of Operations IR-4 (3) IR-4(3).2 Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack. The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
CCI-000829 The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. The organization conducting the inspection/assessment obtains and examines proof of the analysis (such as minutes from an incident response after action meeting or other similar activity) to ensure that incident information is being examined and correlated. The organization being inspected/assessed defines procedures to examine incident information gathered and the actual actions taken by both the individuals affected and the incident response personnel. These procedures shall be defined IAW CJCSM 6510.01B. The end goal is to achieve a top level perspective of the effectiveness of the incident response and awareness. Incident Handling | Information Correlation IR-4 (4) IR-4(4).1 Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations. The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
CCI-000830 The organization defines security violations that, if detected, initiate a configurable capability to automatically disable the information system. The organization conducting the inspection/assessment obtains and examines the list of documented security violations to ensure the organization has clearly identified those violations that initiate an automated disabling or shut down of the information system. DoD has determined the security violations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents a list of security violations that upon occurrence initiate an automated action to disable or shut down the information system. Violations may be identified by specific activity or by class/type of activity. DoD has determined the security violations are not appropriate to define at the Enterprise level. Incident Handling | Automatic Disabling Of Information System IR-4 (5) IR-4(5).1 The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
CCI-000831 The organization implements a configurable capability to automatically disable the information system if organization-defined security violations are detected. The organization conducting the inspection/assessment examines the information system to ensure an automated mechanism is configured to disable or shutdown the information system based on the identified security violations (IR-4 (5), CCI 000830). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 831. The organization being inspected/assessed will clearly identify, document, and implement a configurable automated mechanism (or mechanisms) that utilizes the list of security violations identified in IR-4 (5), CCI 000830 to disable or shutdown the information system. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 831. Incident Handling | Automatic Disabling Of Information System IR-4 (5) IR-4(5).2 The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
CCI-001626 The organization employs automated mechanisms to assist in the collection of security incident information. The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS). For the DoD, JIMS is the automated mechanism. Incident Monitoring | Automated Tracking / Data Collection / Analysis IR-5 (1) IR-5(1).2 Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents. Related controls: AU-7, IR-4. The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
CCI-001627 The organization employs automated mechanisms to assist in the analysis of security incident information. The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS). For the DoD, JIMS is the automated mechanism. Incident Monitoring | Automated Tracking / Data Collection / Analysis IR-5 (1) IR-5(1).3 Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents. Related controls: AU-7, IR-4. The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
CCI-000832 The organization tracks and documents information system security incidents. The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS). For the DoD, JIMS is the automated mechanism. Incident Monitoring IR-5 IR-5.1 Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Related controls: AU-6, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. The organization tracks and documents information system security incidents.
CCI-000833 The organization employs automated mechanisms to assist in the tracking of security incidents. The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS). For the DoD, JIMS is the automated mechanism. Incident Monitoring | Automated Tracking / Data Collection / Analysis IR-5 (1) IR-5(1).1 Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents. Related controls: AU-7, IR-4. The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
CCI-001628 The organization defines a frequency with which to review and update the current system maintenance procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. System Maintenance Policy And Procedures MA-1 MA-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
CCI-000854 The organization reviews and updates the current system maintenance policy in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the maintenance policy to ensure review is occurring every 5 years and updates are made as necessary. DoD has defined the frequency as every 5 years. The organization being inspected/assessed reviews the current system maintenance policy every 5 years and revises as necessary to comply with DoD regulations. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the frequency as every 5 years. System Maintenance Policy And Procedures MA-1 MA-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
CCI-000855 The organization develops and documents procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls. The organization conducting the inspection/assessment obtains and examines the Security Plan to ensure maintenance procedures are documented and are developed IAW maintenance policy provided in DoDI 8500.01. The organization being inspected/assessed documents the maintenance procedures within the Security Plan. The maintenance procedures shall be developed IAW maintenance policy provided in DoDI 8500.01. System Maintenance Policy And Procedures MA-1 MA-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
CCI-000856 The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls. The organization conducting the inspection/assessment examines the maintenance procedures via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated to the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. The organization being inspected/assessed ensures the maintenance procedures are disseminated to the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system via an information sharing capability. DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. System Maintenance Policy And Procedures MA-1 MA-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
CCI-000857 The organization reviews and updates the current system maintenance procedures in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the maintenance procedures to ensure annual review and necessary updates are occurring. DoD has defined the frequency as annually. The organization being inspected/assessed reviews the current system maintenance procedures annually and revises as needed to comply with DoD regulations. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the frequency as annually. System Maintenance Policy And Procedures MA-1 MA-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
CCI-000851 The organization defines the frequency with which to review and update the current system maintenance policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 5 years. DoD has defined the frequency as every 5 years. System Maintenance Policy And Procedures MA-1 MA-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
CCI-000852 The organization develops and documents a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization conducting the inspection/assessment obtains and examines the documented maintenance policy to ensure the organization being inspected/assessed develops and documents a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization being inspected/assessed develops and documents a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. System Maintenance Policy And Procedures MA-1 MA-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
CCI-000853 The organization disseminates to organization-defined personnel or roles a system maintenance policy. The organization conducting the inspection/assessment obtains and examines the maintenance policy via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated to the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. The organization being inspected/assessed ensures the maintenance policy is disseminated to the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. System Maintenance Policy And Procedures MA-1 MA-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
CCI-001629 The organization employs automated mechanisms to produce up-to-date, accurate, complete, and available records of all maintenance and repair actions needed, in process, and complete.
CCI-000858 The organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-000859 The organization approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. The organization conducting the inspection/assessment obtains and examines records of all approvals and monitoring activities to ensure the organization being inspected/assessed approves and monitors all maintenance activities whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. The organization being inspected/assessed approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location. The organization must maintain records of all approvals and monitoring activities. Controlled Maintenance MA-2 MA-2.9 This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. The organization: a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
CCI-000860 The organization requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. The organization conducting the inspection/assessment obtains and examines: 1. the organization's risk management strategy to ensure the personnel or roles defined in MA-2, CCI 2874 have been designated to approve the removal of the information system or system components; 2. and written records of approval for the removal of the information system or system components from organizational facilities for off-site maintenance or repairs to ensure the removal is explicitly approved. The organization being inspected/assessed documents within their risk management strategy personnel or roles defined in MA-2, CCI 2874 who must explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. The organization must maintain written records of approval for the removal of the information system or system components from organizational facilities for off-site maintenance or repairs. Controlled Maintenance MA-2 MA-2.10 This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. The organization: a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
CCI-000861 The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs. The organization conducting the inspection/assessment obtains and examines written records of media sanitization to ensure the organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs. The organization being inspected/assessed sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs IAW DoDM 5200.01-V3 for classified media and DoDM 5200.01-V4 for unclassified media. The organization must maintain written records of media sanitization. Controlled Maintenance MA-2 MA-2.12 This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. The organization: a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
CCI-000862 The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions. The organization conducting the inspection/assessment obtains and examines documented evidence of the verification of security controls following maintenance and repair actions to ensure that the organization being inspected/assessed checks all potentially impacted security controls to verify that they are still functioning properly. The organization being inspected/assessed identifies and documents the impacted security controls and takes steps to verify that the controls are still functioning properly following maintenance or repair actions. Controlled Maintenance MA-2 MA-2.13 This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. The organization: a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
CCI-000863 The organization maintains maintenance records for the information system that include the date and time of maintenance, the name of the individual performing the maintenance, the name of escort, if necessary, a description of the maintenance performed, and a list of equipment removed or replaced (including identification numbers, if applicable).
CCI-000864 The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required.
CCI-001630 Designated organizational personnel review the maintenance records of the non-local maintenance and diagnostic sessions.
CCI-001631 The organization, before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system. The organization conducting the inspection/assessment obtains and examines maintenance procedures for all non-local maintenance and diagnostic services to ensure that the organization being inspected/assessed sanitizes and inspects serviced components prior to reusing them on any information system. Alternatively, the organization conducting the inspection/assessment ensures the organization being inspected/assessed complies with MA-4 (3) CCI 882. The organization being inspected/assessed sanitizes and inspects serviced components prior to reusing them on any information system. Alternatively, the organization being inspected/assessed complies with MA-4 (3) CCI 882. Nonlocal Maintenance | Comparable Security / Sanitization MA-4 (3) MA-4(3).3 Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. Related controls: MA-3, SA-12, SI-3, SI-7. The organization: (a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or (b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
CCI-001632 The organization protects nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1632. The organization being inspected/assessed configures the information system to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1632. Nonlocal Maintenance | Authentication / Separation Of Maintenance Sessions MA-4 (4) MA-4(4).3 Related control: SC-13. The organization protects non-local maintenance sessions by: (a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and (b) Separating the maintenance sessions from other network sessions with the information system by either: - Physically separated communications paths; or - Logically separated communications paths based upon encryption.
CCI-000873 The organization approves nonlocal maintenance and diagnostic activities. The organization conducting the inspection/assessment obtains and examines: 1. the Security Plan to ensure the procedures for approving non-local maintenance and diagnostic activities are documented; and 2. records approving non-local maintenance and diagnostic activities. The organization being inspected/assessed documents the procedures for approving non-local maintenance and diagnostic activities within the Security Plan. The organization must maintain records of approved non-local maintenance and diagnostic activities. Nonlocal Maintenance MA-4 MA-4.1 Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. The organization: a. Approves and monitors nonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintains records for nonlocal maintenance and diagnostic activities; and e. Terminates session and network connections when nonlocal maintenance is completed.
CCI-000874 The organization monitors nonlocal maintenance and diagnostic activities. The organization conducting the inspection/assessment obtains and examines: 1. the Security Plan to identify the authorized non-local maintenance and diagnostic activities; and 2. documented procedures to identify how the use of non-local maintenance and diagnostic activities are monitored; and 3. reviews evidence that the monitoring is conducted IAW the documented procedures. The organization being inspected/assessed develops and implements procedures to monitor non-local maintenance and diagnostic activities. Records of monitoring activity must be maintained. Nonlocal Maintenance MA-4 MA-4.2 Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. The organization: a. Approves and monitors nonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintains records for nonlocal maintenance and diagnostic activities; and e. Terminates session and network connections when nonlocal maintenance is completed.
CCI-000875 The organization controls non-local maintenance and diagnostic activities.
CCI-000876 The organization allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system. The organization conducting the inspection/assessment obtains and examines: 1. the Security Plan to ensure non-local maintenance and diagnostic tools have been identified; and 2. maintenance records to ensure only those tools allowed are used IAW MA-4, CCI 873. The organization being inspected/assessed: 1. documents within the Security Plan the non-local maintenance and diagnostic tools that are allowed; and 2. allows the use of non-local maintenance and diagnostic tools IAW the tools identified in the Security Plan and MA-4, CCI 873. Nonlocal Maintenance MA-4 MA-4.3 Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. The organization: a. Approves and monitors nonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintains records for nonlocal maintenance and diagnostic activities; and e. Terminates session and network connections when nonlocal maintenance is completed.
CCI-000877 The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 877. The organization being inspected/assessed configures the information system to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 877. Nonlocal Maintenance MA-4 MA-4.4 Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. The organization: a. Approves and monitors nonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintains records for nonlocal maintenance and diagnostic activities; and e. Terminates session and network connections when nonlocal maintenance is completed.
CCI-000878 The organization maintains records for nonlocal maintenance and diagnostic activities. The organization conducting the inspection/assessment obtains records of authorized non-local maintenance and diagnostic activities, and examines a sampling to verify the organization is maintaining records for all non-local maintenance and diagnostic activities. The organization being inspected/assessed maintains records of authorized non-local maintenance and diagnostic activities. Nonlocal Maintenance MA-4 MA-4.5 Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. The organization: a. Approves and monitors nonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintains records for nonlocal maintenance and diagnostic activities; and e. Terminates session and network connections when nonlocal maintenance is completed.
CCI-000879 The organization terminates sessions and network connections when nonlocal maintenance is completed. The organization conducting the inspection/assessment obtains and examines audit logs of session and network connections termination for non-local maintenance to ensure session and network connections are terminated when non-local maintenance is completed. The organization being inspected/assessed terminates session and network connections when non-local maintenance is completed. The organization must retain audit logs of session and network connections termination for non-local maintenance. Nonlocal Maintenance MA-4 MA-4.6 Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. The organization: a. Approves and monitors nonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintains records for nonlocal maintenance and diagnostic activities; and e. Terminates session and network connections when nonlocal maintenance is completed.
CCI-000880 The organization audits non-local maintenance and diagnostic sessions.
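The evidence CCI-000878, CCI-000879 and CCI-000880 ask an assessor to sample (a record per nonlocal maintenance session, proof that each session was terminated, and an audit of how it was authenticated) can be pulled from sshd logs rather than assembled by hand. The following Python is an added example written for this page; it is not part of the CCI list or of any DISA tool. It assumes syslog-style sshd lines with ISO-8601 timestamps (the shape `journalctl -u sshd -o short-iso` produces), treats the account names `vendor_maint` and `oem_diag` as hypothetical maintenance accounts named in a security plan, and runs over constructed sample lines rather than a real system's log.

```python
"""Added example: script the checks behind CCI-000878/879/880 against sshd logs.

Pairs each nonlocal maintenance login with its session close, builds the
per-session record an assessor would sample, and flags sessions that were
never terminated, ran past the approved window, or were not established
with a strong (replay-resistant) authenticator.

Assumptions (not from the CCI list): sshd lines in the syslog style shown
below with ISO-8601 timestamps (e.g. `journalctl -u sshd -o short-iso`),
hypothetical maintenance account names, and constructed sample lines.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical accounts the security plan reserves for vendor/remote maintenance.
MAINTENANCE_ACCOUNTS = {"vendor_maint", "oem_diag"}
# sshd methods accepted as strong authenticators; password and
# keyboard-interactive are replayable and do not satisfy MA-4 c / MA-4(4).
STRONG_AUTH_METHODS = {"publickey"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
OPEN_RE = re.compile(r"session opened for user (?P<user>\w+)")
CLOSE_RE = re.compile(r"session closed for user (?P<user>\w+)")

# Constructed sample lines: one compliant session, one password login that is
# still open, one key-based session that overran the approved window.
SAMPLE_LOG = """\
2024-03-04T09:00:12+0000 host1 sshd[4100]: Accepted publickey for vendor_maint from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:k1
2024-03-04T09:00:12+0000 host1 sshd[4100]: pam_unix(sshd:session): session opened for user vendor_maint(uid=1501) by (uid=0)
2024-03-04T09:01:40+0000 host1 sshd[4122]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
2024-03-04T09:01:40+0000 host1 sshd[4122]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
2024-03-04T10:15:03+0000 host1 sshd[4100]: pam_unix(sshd:session): session closed for user vendor_maint
2024-03-04T10:15:03+0000 host1 sshd[4100]: Disconnected from user vendor_maint 203.0.113.5 port 51234
2024-03-04T13:30:00+0000 host1 sshd[4310]: Accepted password for oem_diag from 198.51.100.7 port 60222 ssh2
2024-03-04T13:30:00+0000 host1 sshd[4310]: pam_unix(sshd:session): session opened for user oem_diag(uid=1502) by (uid=0)
2024-03-04T14:00:00+0000 host1 sshd[4500]: Accepted publickey for vendor_maint from 203.0.113.5 port 51300 ssh2: ED25519 SHA256:k1
2024-03-04T14:00:00+0000 host1 sshd[4500]: pam_unix(sshd:session): session opened for user vendor_maint(uid=1501) by (uid=0)
2024-03-04T19:30:00+0000 host1 sshd[4500]: pam_unix(sshd:session): session closed for user vendor_maint
"""


@dataclass
class MaintenanceSession:
    """One nonlocal maintenance session: the record CCI-000878 asks for."""
    host: str
    pid: str
    user: str
    source: str = "unknown"
    auth_method: str = "unknown"
    opened: Optional[datetime] = None
    closed: Optional[datetime] = None


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z")


def parse_sessions(log_text: str) -> list:
    """Group sshd lines by (host, pid) into sessions for maintenance accounts only."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, msg, ts = (m["host"], m["pid"]), m["msg"], parse_ts(m["ts"])
        accepted = ACCEPT_RE.match(msg)
        if accepted:
            if accepted["user"] in MAINTENANCE_ACCOUNTS:
                sessions[key] = MaintenanceSession(
                    m["host"], m["pid"], accepted["user"],
                    f'{accepted["src"]}:{accepted["port"]}', accepted["method"], opened=ts)
            continue
        opened = OPEN_RE.search(msg)
        if opened and opened["user"] in MAINTENANCE_ACCOUNTS:
            # PAM line without a preceding "Accepted" (e.g. log rotation): still record it.
            sessions.setdefault(key, MaintenanceSession(m["host"], m["pid"], opened["user"])).opened = ts
            continue
        closed = CLOSE_RE.search(msg)
        if closed and key in sessions:
            sessions[key].closed = ts
    return list(sessions.values())


def audit_sessions(log_text: str, now: datetime, max_duration: timedelta = timedelta(hours=4)):
    """Return (records, findings). `now` is the assessment time used to judge open sessions."""
    records = parse_sessions(log_text)
    findings = []
    for s in records:
        label = f"{s.user}@{s.host} pid {s.pid} from {s.source}"
        if s.auth_method not in STRONG_AUTH_METHODS:
            findings.append(f"{label}: authenticated with '{s.auth_method}', not a strong authenticator")
        if s.closed is None:
            findings.append(f"{label}: opened {s.opened.isoformat()} and still open as of {now.isoformat()}")
        elif s.closed - s.opened > max_duration:
            findings.append(f"{label}: ran {s.closed - s.opened}, longer than the {max_duration} approved window")
    return records, findings


if __name__ == "__main__":
    recs, issues = audit_sessions(SAMPLE_LOG, parse_ts("2024-03-05T08:00:00+0000"))
    for r in recs:
        print(f"{r.user:<13} {r.source:<20} {r.auth_method:<10} {r.opened} -> {r.closed}")
    for issue in issues:
        print("FINDING:", issue)
```

On the constructed input the script produces three records and three findings: the `oem_diag` login used a password (not a strong authenticator) and was never closed, and the second `vendor_maint` session ran five and a half hours against a four-hour window. The window and the account list are the parameters an organization would take from its own security plan; the script only reads what sshd already logs, so the same records serve as the retained audit trail CCI-000879 requires.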
CCI-000881 The organization documents, in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. The organization conducting the inspection/assessment obtains and examines the Security Plan to ensure the plan identifies the establishment and use of non-local maintenance and diagnostic connections. The organization being inspected/assessed documents within the Security Plan the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. Nonlocal Maintenance | Document Nonlocal Maintenance MA-4 (2) MA-4(2).1 The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
CCI-000882 The organization requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced. The organization conducting the inspection/assessment obtains and examines contracts and/or service level agreements for all non-local maintenance and diagnostic services to ensure that any IS used for those services is required to have a security level at least as high as the security level implemented on the IS being serviced. Alternatively, the organization conducting the inspection/assessment ensures the organization being inspected/assessed complies with MA-4 (3) CCIs 883 and 1631. The organization being inspected/assessed clearly defines in its contracts and/or service level agreements the requirement that any IS used to conduct non-local maintenance and diagnostic services will have a security level at least as high as the security level implemented on the IS being serviced. Alternatively, the organization being inspected/assessed complies with MA-4 (3) CCIs 883 and 1631. Nonlocal Maintenance | Comparable Security / Sanitization MA-4 (3) MA-4(3).1 Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. Related controls: MA-3, SA-12, SI-3, SI-7. The organization: (a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or (b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
CCI-000883 The organization removes the component to be serviced from the information system and prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities. The organization conducting the inspection/assessment obtains and examines maintenance procedures for all non-local maintenance and diagnostic services to ensure that the organization being inspected/assessed sanitizes components before removal from organizational facilities. Alternatively, the organization conducting the inspection/assessment ensures the organization being inspected/assessed complies with MA-4 (3) CCI 882. The organization being inspected/assessed removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities. Alternatively, the organization being inspected/assessed complies with MA-4 (3) CCI 882. Nonlocal Maintenance | Comparable Security / Sanitization MA-4 (3) MA-4(3).2 Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. Related controls: MA-3, SA-12, SI-3, SI-7. The organization: (a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or (b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
CCI-000884 The organization protects nonlocal maintenance sessions by employing organization-defined authenticators that are replay resistant. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect nonlocal maintenance sessions by employing authenticators defined in MA-4 (4), CCI 2887 that are replay resistant. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 884. The organization being inspected/assessed configures the information system to protect nonlocal maintenance sessions by employing authenticators defined in MA-4 (4), CCI 2887 that are replay resistant. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 884. Nonlocal Maintenance | Authentication / Separation Of Maintenance Sessions MA-4 (4) MA-4(4).1 Related control: SC-13. The organization protects non-local maintenance sessions by: (a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and (b) Separating the maintenance sessions from other network sessions with the information system by either: - Physically separated communications paths; or - Logically separated communications paths based upon encryption.
CCI-000885 The organization requires that maintenance personnel notify organization-defined personnel when non-local maintenance is planned (i.e., date/time).
CCI-000886 The organization defines the personnel or roles to be notified of the date and time of planned nonlocal maintenance. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as the user base which could be impacted by the maintenance event. DoD has defined the personnel or roles as the user base which could be impacted by the maintenance event. Nonlocal Maintenance | Approvals And Notifications MA-4 (5) MA-4(5).3 Notification may be performed by maintenance personnel. Approval of nonlocal maintenance sessions is accomplished by organizational personnel with sufficient information security and information system knowledge to determine the appropriateness of the proposed maintenance. The organization: (a) Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and (b) Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.
CCI-000887 The organization requires the approval of each nonlocal maintenance session by organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines the maintenance procedures and historical approvals to ensure that the ISSO approves the non-local maintenance. DoD has defined the personnel or roles as the ISSO. The organization being inspected/assessed defines within their maintenance procedures a process for the ISSO to approve the non-local maintenance. Written approval must be maintained. DoD has defined the personnel or roles as the ISSO. Nonlocal Maintenance | Approvals And Notifications MA-4 (5) MA-4(5).1 Notification may be performed by maintenance personnel. Approval of nonlocal maintenance sessions is accomplished by organizational personnel with sufficient information security and information system knowledge to determine the appropriateness of the proposed maintenance. The organization: (a) Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and (b) Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.
CCI-000888 The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
CCI-000889 The organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.
CCI-001633 The organization defines removable media types and information output requiring marking.
CCI-001010 The organization marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information. The organization conducting the inspection/assessment obtains a sampling of information system media and information system output to verify that it is marked in compliance with DoDM 5200.01 Vol. 1-4. The organization being inspected/assessed marks information system media and information system output IAW DoDM 5200.01 Vol. 1-4. Media Marking MP-3 MP-3.1 The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. The organization: a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
CCI-001011 The organization exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas. The organization conducting the inspection/assessment examines information system media to ensure it is marked IAW DoDM 5200.01 Vol. 1-4. All information system media must be marked in all areas IAW DoDM 5200.01 Vol. 1-4. Media Marking MP-3 MP-3.2 The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. The organization: a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
CCI-001012 The organization defines types of information system media to exempt from marking as long as the media remain within organization-defined controlled areas. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the list of information system media as nothing unless otherwise exempted by DoDI 5200.01 and DoDM 5200.01 Vol 1-4. DoD has defined the list of information system media as nothing unless otherwise exempted by DoDI 5200.01 and DoDM 5200.01 Vol 1-4. Media Marking MP-3 MP-3.3 The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. The organization: a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
CCI-001013 The organization defines controlled areas where organization-defined types of information system media are exempt from being marked. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the controlled areas as all areas unless otherwise exempted by DoDI 5200.01 and DoDM 5200.01 Vol 1-4. DoD has defined the controlled areas as all areas unless otherwise exempted by DoDI 5200.01 and DoDM 5200.01 Vol 1-4. Media Marking MP-3 MP-3.4 The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. The organization: a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
CCI-001634 The organization identifies authorized personnel with appropriate clearances and access authorizations for gaining physical access to the facility containing an information system that processes classified information.
CCI-001635 The organization removes individuals from the facility access list when access is no longer required. The organization conducting the inspection/assessment obtains and examines the review and approval actions documentation to ensure that personnel no longer requiring access have been removed from the authorized access list and their credentials have been revoked. The organization being inspected/assessed will remove personnel from the authorized access list who no longer have approved access and revoke their credentials, as identified in actions per PE-2, CCI 914. The organization must document each removal and revocation action as an audit trail. Physical Access Authorizations PE-2 PE-2.7 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for facility access; c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Removes individuals from the facility access list when access is no longer required.
CCI-000912 The organization develops a list of individuals with authorized access to the facility where the information system resides. The organization conducting the inspection/assessment obtains and examines the list of personnel with authorized access to facilities where information systems reside to ensure it is current, i.e., reviewed within the last 90 days. The review process should also determine if the organization has identified and officially designated its publicly accessible areas where access authorization is not required. DoD has defined the frequency as every 90 days. The organization being inspected/assessed will develop and maintain a list of personnel with authorized access to the facilities where information systems reside. The organization will also take action to identify and officially designate its publicly accessible areas where access authorization is not required. Physical Access Authorizations PE-2 PE-2.1 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for facility access; c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Removes individuals from the facility access list when access is no longer required.
CCI-000913 The organization issues authorization credentials for facility access. The organization conducting the inspection/assessment obtains and examines documentation of credential issuing activities to ensure credentials are issued to personnel with authorized access. The organization being inspected/assessed utilizes the list of personnel with authorized access (IAW PE-2, CCI-000912) and issues credentials accordingly. The organization must document the credential issuing activity as an audit trail. Physical Access Authorizations PE-2 PE-2.4 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for facility access; c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Removes individuals from the facility access list when access is no longer required.
CCI-000914 The organization reviews the access list detailing authorized facility access by individuals in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit records of the review actions to ensure that reviews are conducted every 90 days. DoD has defined the frequency as every 90 days. The organization being inspected/assessed will review the access list and authorization credentials every 90 days and document these review and approval actions as an audit trail. DoD has defined the frequency as every 90 days. Physical Access Authorizations PE-2 PE-2.5 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for facility access; c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Removes individuals from the facility access list when access is no longer required.
CCI-000915 The organization defines the frequency with which to review the access list detailing authorized facility access by individuals. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 90 days. DoD has defined the frequency as every 90 days. Physical Access Authorizations PE-2 PE-2.6 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for facility access; c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Removes individuals from the facility access list when access is no longer required.
CCI-000916 The organization authorizes physical access to the facility where the information system resides based on position or role. The organization conducting the inspection/assessment obtains and examines: 1. The list of roles or positions that have access to the facility where the information system resides. 2. The list of personnel assigned to those roles. Recommended: 3. Access logs to verify access to the facility was authorized based on the appropriate roles and positions. The organization being inspected/assessed must: 1. Develop and document a list of roles or positions that have access to the facility where the information system resides. 2. Identify and document personnel assigned to those roles. 3. Authorize and document access to the facility for personnel in the identified roles. Physical Access Authorizations | Access By Position / Role PE-2 (1) PE-2(1).1 Related controls: AC-2, AC-3, AC-6. The organization authorizes physical access to the facility where the information system resides based on position or role.
CCI-000917 The organization requires two forms of identification from an organization-defined list of acceptable forms of identification for visitor access to the facility where the information system resides. The organization conducting the inspection/assessment obtains and examines the inspected organization's physical security policy for requirements and implementation guidance on the two forms of identification defined in PE-2 (2), CCI 2912; physical access control logs or records; and any other relevant documents or records to validate compliance. The organization being inspected/assessed will only grant access to the facility with two organization-approved, government-issued forms of identification defined in PE-2 (2), CCI 2912. This requirement must be documented within the organization's physical security policy. The organization must maintain access control documentation as an auditable event per AU-2, CCI 000123. Physical Access Authorizations | Two Forms Of Identification PE-2 (2) PE-2(2).1 Acceptable forms of government photo identification include, for example, passports, Personal Identity Verification (PIV) cards, and drivers' licenses. In the case of gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics. Related controls: IA-2, IA-4, IA-5. The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides.
CCI-000918 The organization restricts physical access to the facility containing an information system that processes classified information to authorized personnel with appropriate clearances and access authorizations.
CCI-001636 The organization defines the frequency with which to review and update the current security planning policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. Security Planning Policy And Procedures PL-1 PL-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
CCI-001637 The organization reviews and updates the current security planning policy in accordance with organization-defined frequency. DoDI 8510.01 meets the requirements for a security planning policy. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. DoD has defined the frequency as every 5 years. DoDI 8510.01 meets the requirements for a security planning policy. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. DoD has defined the frequency as every 5 years. Security Planning Policy And Procedures PL-1 PL-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
CCI-001638 The organization defines the frequency with which to review and update the current security planning procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate. DoD has defined the frequency as reviewed annually - updated as appropriate. Security Planning Policy And Procedures PL-1 PL-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
CCI-000563 The organization develops and documents a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. DoDI 8510.01 meets the requirements for a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. Security Planning Policy And Procedures PL-1 PL-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
CCI-000564 The organization disseminates a security planning policy to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. DoD has defined the roles as organizational personnel with planning responsibilities or information security responsibilities. DoD disseminates DoDI 8510.01 via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) to organizational personnel with planning responsibilities or information security responsibilities. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. DoD has defined the roles as organizational personnel with planning responsibilities or information security responsibilities. Security Planning Policy And Procedures PL-1 PL-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
CCI-000565 The organization reviews/updates, per organization-defined frequency, a formal, documented security planning policy.
CCI-000566 The organization develops and documents procedures to facilitate the implementation of the security planning policy and associated security planning controls. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. DoDI 8510.01 meets the requirements for developing and documenting procedures to facilitate the implementation of the security planning policy and associated security planning controls. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. Security Planning Policy And Procedures PL-1 PL-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
CCI-000567 The organization disseminates security planning procedures to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. DoD has defined the roles as organizational personnel with planning responsibilities or information security responsibilities. DoD disseminates DoDI 8510.01 via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) to organizational personnel with planning responsibilities or information security responsibilities. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. DoD has defined the roles as organizational personnel with planning responsibilities or information security responsibilities. Security Planning Policy And Procedures PL-1 PL-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
CCI-000568 The organization reviews and updates the current security planning procedures in accordance with organization-defined frequency. DoDI 8510.01 meets the requirements for a security planning policy. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. DoD has defined the frequency as reviewed annually - updated as appropriate. DoDI 8510.01 meets the requirements for a security planning policy. DoD Components are automatically compliant with this CCI because they are covered by DoD level policy, DoDI 8510.01. DoD has defined the frequency as reviewed annually - updated as appropriate. Security Planning Policy And Procedures PL-1 PL-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
CCI-001639 The organization makes readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage. The organization conducting the inspection/assessment obtains and examines rules that describe information system user responsibilities via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated. The organization being inspected/assessed must disseminate to all information system users, via an information sharing capability, rules that describe information system user responsibilities and expected behavior with regard to information and information system usage, acceptable use policy (AUP). Organizations should disseminate the rules by providing to users and requiring signature of acceptance. Rules Of Behavior PL-4 PL-4.2 This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
CCI-000592 The organization establishes the rules describing the responsibilities and expected behavior, with regard to information and information system usage, for individuals requiring access to the information system. The organization conducting the inspection/assessment obtains and examines the organization's AUP to ensure the organization has clearly defined and established rules describing information system user responsibilities and expected behavior with regard to information and information system usage. The organization being inspected/assessed must develop and document rules that describe information system user responsibilities and expected behavior with regard to information and information system usage, acceptable use policy (AUP). Organizations should reference Joint Ethics Regulations (DoD 5500.7-R) when developing this policy. Rules Of Behavior PL-4 PL-4.1 This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
CCI-000593 The organization receives a signed acknowledgment from individuals requiring access to the information system, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. The organization conducting the inspection/assessment obtains a list of individuals with active accounts and validates the existence of signed acknowledgements (paper or electronic signature) of the organizational AUP associated with a sampling of individuals selected from the list. The organization being inspected/assessed will obtain signed acknowledgment (paper or electronic signature) from individuals indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system. Rules Of Behavior PL-4 PL-4.3 This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
CCI-000594 The organization includes in the rules of behavior explicit restrictions on the use of social media/networking sites. The organization conducting the inspection/assessment obtains and examines the rules of behavior to ensure the organization being inspected/assessed includes explicit restrictions on the use of social media/networking sites IAW DoDI 8550.01. The organization being inspected/assessed includes in the rules of behavior, IAW DoDI 8550.01, explicit restrictions on the use of social media/networking sites. Rules Of Behavior | Social Media And Networking Restrictions PL-4 (1) PL-4(1).1 This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites. The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.
CCI-000595 The organization includes in the rules of behavior explicit restrictions on posting organizational information on public websites. The organization conducting the inspection/assessment obtains and examines the rules of behavior to ensure the organization being inspected/assessed includes explicit restrictions on posting organizational information on public websites IAW DoDI 8550.01. The organization being inspected/assessed includes in the rules of behavior, IAW DoDI 8550.01, explicit restrictions on posting organizational information on public websites. Rules Of Behavior | Social Media And Networking Restrictions PL-4 (1) PL-4(1).2 This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites. The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.
CCI-000596 The organization includes in the rules of behavior, explicit restrictions on sharing information system account information.
CCI-001640 The organization updates the critical infrastructure and key resources protection plan that addresses information security issues. DoDD 3020.40 meets the DoD requirement for the development of a critical infrastructure and key resource protection plan. DoD components are automatically compliant with this CCI as they are covered by the DoD level, DoDD 3020.40. DoDD 3020.40 meets the DoD requirement for the development of a critical infrastructure and key resource protection plan. DoD components are automatically compliant with this CCI as they are covered by the DoD level, DoDD 3020.40. Critical Infrastructure Plan PM-8 PM-8.2 Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: PM-1, PM-9, PM-11, RA-3. The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
CCI-000216 The organization develops and documents a critical infrastructure and key resource protection plan that addresses information security issues. DoDD 3020.40 meets the DoD requirement for the development of a critical infrastructure and key resource protection plan. DoD components are automatically compliant with this CCI as they are covered by the DoD level, DoDD 3020.40. DoDD 3020.40 meets the DoD requirement for the development of a critical infrastructure and key resource protection plan. DoD components are automatically compliant with this CCI as they are covered by the DoD level, DoDD 3020.40. Critical Infrastructure Plan PM-8 PM-8.1 Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: PM-1, PM-9, PM-11, RA-3. The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
CCI-001641 The organization defines the process for conducting random vulnerability scans on the information system and hosted applications. The organization conducting the inspection/assessment obtains and examines random vulnerability process documentation (if applicable) to validate the organization has clearly defined and documented a process for conducting random vulnerability scans on the information system and hosted applications. If the organization being inspected/assessed has determined they have no requirement for random scanning, there is no requirement for a process. DoD has defined the requirement for vulnerability scanning periodicity of every 30 days. If the organization being inspected/assessed has determined a requirement for random scanning they must document that process. DoD has defined the frequency as every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). Vulnerability Scanning RA-5 RA-5.4 Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
CCI-001643 The organization scans for vulnerabilities in the information system and hosted applications in accordance with the organization-defined process for random scans. The organization conducting the inspection/assessment obtains and examines the vulnerability scanning results every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs) to verify compliance with the random vulnerability scanning process of the organization being inspected/assessed. DoD has defined the frequency as every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). The organization being inspected/assessed will conduct random vulnerability scans every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). The organization will document the vulnerability scans as an audit trail for future reference. The audit trail must be maintained IAW DoD, CYBERCOM, or component policies. DoD has defined the frequency as every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). Vulnerability Scanning RA-5 RA-5.5 Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
CCI-001644 The organization employs vulnerability scanning procedures that can demonstrate the depth of coverage (i.e., vulnerabilities checked).
CCI-001645 The organization identifies the information system components to which privileged access is authorized for selected organization-defined vulnerability scanning activities. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information system components as all information systems and infrastructure components. DoD has defined the information system components as all information systems and infrastructure components. Vulnerability Scanning | Privileged Access RA-5 (5) RA-5(5).2 In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning. The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].
CCI-001054 The organization scans for vulnerabilities in the information system and hosted applications on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the organization's vulnerability scanning procedures and results for the 90 days preceding the inspection/assessment. If the system in question has not been operational for more than 90 days, the organization will provide all available scan(s). The organization being inspected/assessed will define, document, and implement procedures for vulnerability scans of the information system and hosted applications; and scan for vulnerabilities in the information system and hosted applications every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). This control is not targeted at security control compliance scanning. DoD has defined the frequency as every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). Vulnerability Scanning RA-5 RA-5.1 Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
CCI-001055 The organization defines a frequency for scanning for vulnerabilities in the information system and hosted applications. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). DoD has defined the frequency as every 30 days or as directed by an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). Vulnerability Scanning RA-5 RA-5.2 Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
CCI-001056 The organization scans for vulnerabilities in the information system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported. The organization conducting the inspection/assessment obtains and examines the organization's vulnerability scanning procedures and results in order to validate the organization conducts vulnerability scans of its Information System (IS) and hosted applications when new vulnerabilities potentially affecting the IS and/or applications are identified and reported. The organization being inspected/assessed will conduct vulnerability scans of the information system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported via authoritative sources (e.g., IAVM, CTO, DTM, STIG, product vendor). Vulnerability Scanning RA-5 RA-5.3 Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
CCI-001057 The organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: enumerating platforms, software flaws, and improper configurations; formatting checklists and test procedures; and measuring vulnerability impact. The organization conducting the inspection/assessment obtains and examines the software list or vulnerability scanning procedures to ensure the organization being inspected/assessed employs the DoD Enterprise scanning tool. The organization being inspected/assessed employs the DoD Enterprise scanning tool. Vulnerability Scanning RA-5 RA-5.6 Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
CCI-001058 The organization analyzes vulnerability scan reports and results from security control assessments. The organization conducting the inspection/assessment will interview organizational personnel with security control assessment and vulnerability scanning responsibilities. The purpose of the reviews and interviews is to validate the organization is conducting an analysis of the vulnerability scan reports and results from the security control assessments. The organization being inspected/assessed analyzes vulnerability scan reports and security control assessment results with the intent of identifying legitimate vulnerabilities and the relationship between vulnerabilities and security controls. Vulnerability Scanning RA-5 RA-5.7 Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
CCI-001059 The organization remediates legitimate vulnerabilities in organization-defined response times in accordance with an organizational assessment of risk. The organization conducting the inspection/assessment obtains and examines audit records to validate the organization is taking action to remediate legitimate vulnerabilities within the required response times (IAW an authoritative source, e.g. IAVM, CTOs, DTMs, STIGs). The organization conducting the inspection/assessment may conduct independent vulnerability scans to compare those scan results with audit records of remediation actions. DoD has defined the response times as IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). The organization being inspected/assessed takes corrective actions as appropriate on legitimate vulnerabilities identified in RA-5, CCI-001058 IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). Audit records of actions must be maintained IAW applicable DoD, CYBERCOM, and/or component policies. DoD has defined the response times as IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). Vulnerability Scanning RA-5 RA-5.8 Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
CCI-001060 The organization defines response times for remediating legitimate vulnerabilities in accordance with an organizational assessment of risk. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the response times as IAW an authoritative source (e.g. IAVM, CTOs, DTMs). DoD has defined the response times as IAW an authoritative source (e.g. IAVM, CTOs, DTMs). Vulnerability Scanning RA-5 RA-5.9 Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
CCI-001061 The organization shares information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed shares information obtained from the vulnerability scanning process and security control assessments with at a minimum, the ISSM and ISSO to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. The organization being inspected/assessed documents and implements a process to share information obtained from the vulnerability scanning process and security control assessments with at a minimum, the ISSM and ISSO to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. Vulnerability Scanning RA-5 RA-5.10 Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
CCI-001062 The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. The organization conducting the inspection/assessment will: 1. If the inspected organization is using the DoD provided enterprise scanning tool, compliance with this control is complete. 2. Validate the identified tool in use by the inspected organization is able to maintain current up to date information system vulnerability data. The organization being inspected/assessed will employ scanning tools that maintain currency with industry standard information system vulnerabilities to ensure that scanning activities are conducted with the most up to date list of known vulnerabilities to include USCYBERCOM issued IAVMs. DoD has provided an enterprise scanning tool that fully meets this requirement. Organizations that choose not to use the enterprise scanning tool must identify which scanning tool they are using and ensure that it meets these requirements. Vulnerability Scanning | Update Tool Capability RA-5 (1) RA-5(1).1 The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible. Related controls: SI-3, SI-7. The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
CCI-001063 The organization updates the information system vulnerabilities scanned on an organization-defined frequency, prior to a new scan, and/or when new vulnerabilities are identified and reported. The organization conducting the inspection/assessment obtains and examines the record of scans to ensure the latest most up to date scanning policies are present. The organization being inspected/assessed will update the list of information system vulnerabilities scanned for prior to running scans. The organization must maintain a record of scans including the list of vulnerabilities scanned for. DoD has defined the frequency as prior to running scans. Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified RA-5 (2) RA-5(2).1 Related controls: SI-3, SI-5. The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
CCI-001064 The organization defines a frequency for updating the information system vulnerabilities scanned. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as prior to running scans. DoD has defined the frequency as prior to running scans. Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified RA-5 (2) RA-5(2).2 Related controls: SI-3, SI-5. The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
CCI-001065 The organization employs vulnerability scanning procedures that can demonstrate the breadth of coverage (i.e., information system components scanned).
CCI-001066 The organization determines what information about the information system is discoverable by adversaries. The organization conducting the inspection/assessment will review results of validation of base control RA-5, if the inspected organization is compliant with the requirements of RA-5, they are compliant with this CCI. If the organization being inspected/assessed is conducting vulnerability scans IAW base control RA-5, they are compliant with this CCI. Vulnerability Scanning | Discoverable Information RA-5 (4) RA-5(4).1 Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries. Related control: AU-13. The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions].
CCI-001067 The information system implements privileged access authorization to organization-identified information system components for selected organization-defined vulnerability scanning activities. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement privileged access authorization to all information systems and infrastructure components for selected vulnerability scanning activities defined in RA-5 (5), CCI 2906. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1067. DoD has defined the information system components as all information systems and infrastructure components. The organization being inspected/assessed configures the information system to implement privileged access authorization to all information systems and infrastructure components for selected vulnerability scanning activities defined in RA-5 (5), CCI 2906. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1067. DoD has defined the information system components as all information systems and infrastructure components. Vulnerability Scanning | Privileged Access RA-5 (5) RA-5(5).1 In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning. The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].
CCI-001068 The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. The organization conducting the inspection/assessment validates the organization is employing automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. The organization being inspected/assessed must configure and implement automated mechanisms which provide the capability to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. Vulnerability Scanning | Automated Trend Analyses RA-5 (6) RA-5(6).1 Related controls: IR-4, IR-5, SI-4. The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
CCI-001069 The organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
CCI-001070 The organization defines a frequency for employing automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials.
CCI-001071 The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. The organization conducting the inspection/assessment obtains and examines the audit trail to determine if the organization has documented any previously identified exploited vulnerabilities. The organization being inspected/assessed reviews audit logs and determines if the identified vulnerability has been previously exploited within the information system. Any findings must be documented and acted upon IAW IR-1. Vulnerability Scanning | Review Historic Audit Logs RA-5 (8) RA-5(8).1 Related control: AU-6. The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
CCI-001072 The organization employs an independent penetration agent or penetration team to conduct a vulnerability analysis on the information system.
CCI-001073 The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities.
CCI-001642 The organization defines the organizational document in which risk assessment results are documented (e.g., security plan, risk assessment report). The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the document as a risk assessment report. DoD has defined the document as a risk assessment report. Risk Assessment RA-3 RA-3.3 Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
CCI-001048 The organization conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction. The organization conducting the inspection/assessment obtains and examines the audit trail of assessments to ensure the organization being inspected/assessed conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction. The organization being inspected/assessed conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction. The organization must maintain an audit trail of assessments. Risk Assessment RA-3 RA-3.1 Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
CCI-001049 The organization documents risk assessment results in the organization-defined document. The organization conducting the inspection/assessment obtains and examines the risk assessment report to ensure the organization being inspected/assessed documents risk assessment results in the risk assessment report. DoD has defined the document as a risk assessment report. The organization being inspected/assessed documents risk assessment results in the risk assessment report. DoD has defined the document as a risk assessment report. Risk Assessment RA-3 RA-3.2 Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
CCI-001050 The organization reviews risk assessment results on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the record of reviews to ensure the organization being inspected/assessed reviews risk assessment results upon re-accreditation. DoD has defined the frequency as upon re-accreditation. The organization being inspected/assessed reviews risk assessment results upon re-accreditation. The organization must maintain a record of reviews. DoD has defined the frequency as upon re-accreditation. Risk Assessment RA-3 RA-3.4 Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
CCI-001051 The organization defines a frequency for reviewing risk assessment results. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as upon re-accreditation. DoD has defined the frequency as upon re-accreditation. Risk Assessment RA-3 RA-3.5 Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
CCI-001052 The organization updates the risk assessment on an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. The organization conducting the inspection/assessment obtains and examines historical versions of the risk assessment as well as records of changes to the system to ensure the organization being inspected/assessed updates the risk assessment upon re-accreditation or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. DoD has defined the frequency as upon re-accreditation. The organization being inspected/assessed updates the risk assessment upon re-accreditation or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. DoD has defined the frequency as upon re-accreditation. Risk Assessment RA-3 RA-3.8 Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
CCI-001053 The organization defines a frequency for updating the risk assessment. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as upon re-accreditation. DoD has defined the frequency as upon re-accreditation. Risk Assessment RA-3 RA-3.9 Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
CCI-000608 The organization includes a determination of information security requirements for the information system in mission process planning.
CCI-000609 The organization includes a determination of information security requirements for the information system in business process planning.
CCI-000610 The organization determines the resources required to protect the information system or information system service as part of its capital planning and investment control process. The organization conducting the inspection/assessment obtains and examines the planning, programming, and budget documentation to ensure the organization being inspected/assessed has determined the resources required for cybersecurity requirements to protect the information system or information system service. The organization being inspected/assessed determines the resources (funding, staffing, etc.) required for the cybersecurity requirements to protect the information system or information system service as part of its planning, programming, and budget process (PPBE). Allocation Of Resources SA-2 SA-2.2 Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation
CCI-000611 The organization documents the resources required to protect the information system or information system service as part of its capital planning and investment control process. The organization conducting the inspection/assessment obtains and examines the planning, programming, and budget documentation to ensure the organization being inspected/assessed has documented the resources required for cybersecurity requirements to protect the information system or information system service. The organization being inspected/assessed documents the resources (funding, staffing, etc.) required for the cybersecurity requirements to protect the information system or information system service as part of its planning, programming, and budget process (PPBE). Allocation Of Resources SA-2 SA-2.3 Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation
CCI-000612 The organization allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process. The organization conducting the inspection/assessment obtains and examines the planning, programming, and budget documentation to ensure the organization being inspected/assessed has allocated the resources required for cybersecurity requirements to protect the information system or information system service. The organization being inspected/assessed allocates the resources (funding, staffing, etc.) required for the cybersecurity requirements to protect the information system or information system service as part of its planning, programming, and budget process (PPBE). Allocation Of Resources SA-2 SA-2.4 Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation
CCI-000613 The organization establishes a discrete line item for information security in organizational programming documentation. The organization conducting the inspection/assessment obtains and examines the planning, programming, and budget documentation to ensure the organization being inspected/assessed has identified and established an individual line item for cybersecurity requirements to protect the information system. The organization being inspected/assessed identifies and establishes an individual line item for cybersecurity requirements to protect the information system as part of the planning, programming, and budget process (PPBE). Allocation Of Resources SA-2 SA-2.5 Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation
CCI-000614 The organization establishes a discrete line item for information security in organizational budgeting documentation. The organization conducting the inspection/assessment obtains and examines the planning, programming, and budget documentation to ensure the organization being inspected/assessed has identified and established an individual line item for cybersecurity requirements to protect the information system. The organization being inspected/assessed identifies and establishes an individual line item for cybersecurity requirements to protect the information system as part of the planning, programming, and budget process (PPBE). Allocation Of Resources SA-2 SA-2.6 Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation
CCI-001647 The organization requires the use of a FIPS-validated cryptographic module for a technology product that relies on cryptographic functionality to enforce its security policy when no U.S. Government Protection Profile exists for such a specific technology type.
CCI-000619 The organization includes security functional requirements/specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
CCI-000620 The organization includes security-related documentation requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
CCI-000621 The organization includes developmental and evaluation-related assurance requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
CCI-000623 The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. DoDI 8510.01 system categorization meets the DoD requirement for providing a description of the functional properties of the security controls to be employed. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. DoDI 8510.01 system categorization meets the DoD requirement for providing a description of the functional properties of the security controls to be employed. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01. Acquisition Process | Functional Properties Of Security Controls SA-4 (1) SA-4(1).1 Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls. Related control: SA-5. The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
CCI-000624 The organization requires in acquisition documents that vendors/contractors provide information describing the design details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.
CCI-000625 The organization requires in acquisition documents that vendors/contractors provide information describing the implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.
CCI-000626 The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employs state-of-the-practice software and security engineering methods.
CCI-000627 The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employs quality control processes.
CCI-000628 The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development processes employ validation techniques.
CCI-000629 The organization ensures each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.
CCI-000630 The organization requires in acquisition documents that information system components are delivered in a secure, documented configuration, and that the secure configuration is the default configuration for any software reinstalls or upgrades.
CCI-000631 The organization employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted. The organization conducting the inspection/assessment examines and verifies identified encryption technologies in use by the organization being inspected/assessed are NSA-approved. The organization being inspected/assessed must identify and use NSA-approved encryption technologies to protect classified information when the networks or transmission medium used to transmit the information are at a lower classification level than the information being transmitted. Acquisition Process | Use Of Information Assurance Products SA-4 (6) SA-4(6).1 COTS IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management. Related controls: SC-8, SC-12, SC-13. The organization: (a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and (b) Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
CCI-000632 The organization employs only commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.
CCI-000633 The organization ensures that government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures. The organization conducting the inspection/assessment examines and verifies identified encryption technologies in use by the organization being inspected/assessed are NSA-approved. The organization being inspected/assessed must identify and use NSA-approved encryption technologies to protect classified information when the networks or transmission medium used to transmit the information are at a lower classification level than the information being transmitted. Acquisition Process | Use Of Information Assurance Products SA-4 (6) SA-4(6).2 COTS IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management. Related controls: SC-8, SC-12, SC-13. The organization: (a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and (b) Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
CCI-000634 The organization limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists. The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed, when using commercially provided IA and IA-enabled IT products uses only products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists. The organization being inspected/assessed, when using commercially provided IA and IA-enabled IT products uses only products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists. Acquisition Process | NIAP-Approved Protection Profiles SA-4 (7) SA-4(7).1 Related controls: SC-12, SC-13. The organization: (a) Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and (b) Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
CCI-000635 The organization requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated. The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed, when using commercially provided IA or IA-enabled IT products for which there is no NIAP-approved Protection Profile, relies on FIPS-validated cryptographic modules. The organization being inspected/assessed, when using commercially provided IA or IA-enabled IT products for which there is no NIAP-approved Protection Profile, relies on FIPS-validated cryptographic modules. Acquisition Process | NIAP-Approved Protection Profiles SA-4 (7) SA-4(7).2 Related controls: SC-12, SC-13. The organization: (a) Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and (b) Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
CCI-001648 The organization makes available to authorized personnel the source code for the information system to permit analysis and testing.
CCI-000636 The organization obtains administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
CCI-000637 The organization protects, as required, administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
CCI-000638 The organization makes available to authorized personnel administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
CCI-000639 The organization obtains user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.
CCI-000640 The organization protects, as required, user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.
CCI-000641 The organization makes available to authorized personnel user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.
CCI-000642 The organization documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent. The organization conducting the inspection/assessment obtains and examines the documented attempts to ensure the organization being inspected/assessed documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent. The organization being inspected/assessed documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent. Information System Documentation SA-5 SA-5.11 This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4. The organization: a. Obtains administrator documentation for the information system, system component, or information system service that describes: 1. Secure configuration, installation, and operation of the system, component, or service; 2. Effective use and maintenance of security functions/mechanisms; and 3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; b. Obtains user documentation for the information system, system component, or information system service that describes: 1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and 3. User responsibilities in maintaining the security of the system, component, or service; c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response; d. Protects documentation as required, in accordance with the risk management strategy; and e. Distributes documentation to [Assignment: organization-defined personnel or roles].
CCI-000643 The organization obtains vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
CCI-000644 The organization protects, as required, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system.
CCI-000645 The organization makes available to authorized personnel vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
CCI-000646 The organization obtains vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.
CCI-000647 The organization obtains vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
CCI-000648 The organization protects, as required, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system.
CCI-000650 The organization obtains vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
CCI-000651 The organization protects, as required, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system.
CCI-000653 The organization obtains the source code for the information system to permit analysis and testing.
CCI-000654 The organization protects, as required, the source code for the information system to permit analysis and testing.
CCI-001690 The organization protects, as required, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system.
CCI-001691 The organization makes available to authorized personnel vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.
CCI-001692 The organization makes available to authorized personnel vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
CCI-001649 The organization identifies and documents (as appropriate) explicit rules to be enforced when governing the installation of software by users.
CCI-000663 The organization (or information system) enforces explicit rules governing the installation of software by users.
CCI-001650 The organization requires the information system developers to manage and control changes to the information system during development.
CCI-001651 The organization requires the information system integrators to manage and control changes to the information system during development.
CCI-001652 The organization requires the information system developers to manage and control changes to the information system during implementation.
CCI-001653 The organization requires the information system integrators to manage and control changes to the information system during implementation.
CCI-001654 The organization requires the information system developers to manage and control changes to the information system during modification.
CCI-001655 The organization requires the information system integrators to manage and control changes to the information system during modification.
CCI-000682 The organization requires information system developers to perform configuration management during information system design.
CCI-000683 The organization requires information system developers to perform configuration management during information system development.
CCI-000684 The organization requires information system developers to perform configuration management during information system implementation.
CCI-000685 The organization requires information system developers to perform configuration management during information system operation.
CCI-000686 The organization requires information system integrators to perform configuration management during information system design.
CCI-000687 The organization requires information system integrators to perform configuration management during information system development.
CCI-000688 The organization requires information system integrators to perform configuration management during information system implementation.
CCI-000689 The organization requires information system integrators to perform configuration management during information system operation.
CCI-000690 The organization requires information system developers to manage and control changes to the information system during design.
CCI-000691 The organization requires information system integrators to manage and control changes to the information system during design.
CCI-000692 The organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service. The organization conducting the inspection/assessment obtains and examines contracts/agreements between the organization and the IS developer to confirm the organization has established in its acquisition contracts/agreements the requirement that the IS developer implement only organization-approved changes to the system, component, or service throughout its life cycle. The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service implement only organization-approved changes to the system, component, or service throughout its life cycle. Developer Configuration Management SA-10 SA-10.6 This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
CCI-000693 The organization requires information system integrators to implement only organization-approved changes.
CCI-000694 The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service. The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service document approved changes to the system, component, or service. The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service document approved changes to the system, component, or service. Developer Configuration Management SA-10 SA-10.7 This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2. The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
CCI-000695 The organization requires information system integrators to document approved changes to the information system.
CCI-000696 The organization requires that information system developers track security flaws and flaw resolution.
CCI-000697 The organization requires information system integrators to track security flaws and flaw resolution.
CCI-000698 The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components. The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service enable integrity verification of software and firmware components. The organization being inspected/assessed requires within contracts/agreements that the developer of the information system, system component, or information system service enable integrity verification of software and firmware components. The organization being inspected/assessed requires the developer to enable integrity verification of software and firmware that may include: 1. Stipulating and monitoring logical delivery of products and services, requiring downloading from approved, verification-enhanced sites; 2. Encrypting elements (software, software patches, etc.) and supply chain process data in transit (motion) and at rest throughout delivery; 3. Requiring suppliers to provide their elements “secure by default”, so that additional configuration is required to make the element insecure; 4. Implementing software designs using programming languages and tools that reduce the likelihood of weaknesses; 5. Implementing cryptographic hash verification; and 6. Establishing performance and sub-element baseline for the system and system elements to help detect unauthorized tampering/modification during repairs/refurbishing. Developer Configuration Management | Software / Firmware Integrity Verification SA-10 (1) SA-10(1).1 This control enhancement allows organizations to detect unauthorized changes to software and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. Integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components. Related control: SI-7. The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
CCI-000699 The organization requires information system integrators to provide an integrity check of software to facilitate organizational verification of software integrity after delivery.
CCI-000700 The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. The organization conducting the inspection/assessment obtains and examines the Configuration Control Board (CCB) charter to determine if the organization, in the absence of a dedicated software developer configuration management team, has established an alternate configuration management process that is staffed with key organizational personnel. The organization being inspected/assessed, in the absence of a dedicated software developer configuration management team, establishes an alternate configuration management process that is staffed with appropriate key organizational personnel. Developer Configuration Management | Alternative Configuration Management Processes SA-10 (2) SA-10(2).1 Alternate configuration management processes may be required, for example, when organizations use commercial off-the-shelf (COTS) information technology products. Alternate configuration management processes include organizational personnel that: (i) are responsible for reviewing/approving proposed changes to information systems, system components, and information system services; and (ii) conduct security impact analyses prior to the implementation of any changes to systems, components, or services (e.g., a configuration control board that considers security impacts of changes during development and includes representatives of both the organization and the developer, when applicable). The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
CCI-000701 The organization provides an alternative configuration management process with organizational personnel in the absence of a dedicated integrator configuration management team.
CCI-001656 The organization defines the security functions of the information system to be isolated from nonsecurity functions.
CCI-001084 The information system isolates security functions from nonsecurity functions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to isolate security functions from nonsecurity functions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1084. The organization being inspected/assessed configures the information system to isolate security functions from nonsecurity functions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1084. Security Function Isolation SC-3 SC-3.1 The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. Related controls: AC-3, AC-6, SA-4, SA-5, SA-8, SA-13, SC-2, SC-7, SC-39. The information system isolates security functions from nonsecurity functions.
CCI-001085 The information system utilizes underlying hardware separation mechanisms to implement security function isolation. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to utilize underlying hardware separation mechanisms to implement security function isolation. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1085. The organization being inspected/assessed configures the information system to utilize underlying hardware separation mechanisms to implement security function isolation. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1085. Security Function Isolation | Hardware Separation SC-3 (1) SC-3(1).1 Underlying hardware separation mechanisms include, for example, hardware ring architectures, commonly implemented within microprocessors, and hardware-enforced address segmentation used to support logically distinct storage objects with separate attributes (i.e., readable, writeable). The information system utilizes underlying hardware separation mechanisms to implement security function isolation.
CCI-001086 The information system isolates security functions enforcing access and information flow control from both nonsecurity functions and from other security functions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to isolate security functions enforcing access and information flow control from both nonsecurity functions and from other security functions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1086. The organization being inspected/assessed configures the information system to isolate security functions enforcing access and information flow control from both nonsecurity functions and from other security functions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1086. Security Function Isolation | Access / Flow Control Functions SC-3 (2) SC-3(2).1 Security function isolation occurs as a result of implementation; the functions can still be scanned and monitored. Security functions that are potentially isolated from access and flow control enforcement functions include, for example, auditing, intrusion detection, and anti-virus functions. The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions.
CCI-001087 The organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions.
CCI-001088 The organization implements security functions as largely independent modules that avoid unnecessary interactions between modules.
CCI-001089 The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1089. The organization being inspected/assessed configures the information system to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1089. Security Function Isolation | Layered Structures SC-3 (5) SC-3(5).1 The implementation of layered structures with minimized interactions among security functions and non-looping layers (i.e., lower-layer functions do not depend on higher-layer functions) further enables the isolation of security functions and management of complexity. The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
CCI-001657 The organization defines the external boundary of the information system.
CCI-001658 The organization defines key internal boundaries of the information system.
CCI-001659 The organization defines the mediation necessary for public access to the organization's internal networks.
CCI-001660 The organization defines the measures to protect against unauthorized physical connections across boundary protections implemented at organization-defined managed interfaces.
CCI-001097 The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring activities to ensure the organization being inspected/assessed monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. The organization being inspected/assessed documents and implements processes to monitor and control communications at the external boundary of the system and at key internal boundaries within the system. The organization must maintain an audit trail of monitoring activities. Boundary Protection SC-7 SC-7.1 Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
CCI-001098 The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying component connectivity to ensure the organization being inspected/assessed connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. The organization being inspected/assessed designs the information system to enforce requirements that components connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. Boundary Protection SC-7 SC-7.3 Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13. The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
CCI-001099 The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces.
CCI-001100 The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.
CCI-001101 The organization limits the number of external network connections to the information system. The organization conducting the inspection/assessment obtains and examines the documented access control mechanisms to ensure that the organization being inspected/assessed limits the number of external network connections to the information system. The organization being inspected/assessed documents and implements information system access control mechanisms to limit the number of external connections to the information system. Boundary Protection | Access Points SC-7 (3) SC-7(3).1 Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. The organization limits the number of external network connections to the information system.
CCI-001102 The organization implements a managed interface for each external telecommunication service. The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying system interfaces to ensure the organization being inspected/assessed implements a managed interface for each external telecommunication service. The organization being inspected/assessed designs the information system to have a managed interface for each telecommunication service. Boundary Protection | External Telecommunications Services SC-7 (4) SC-7(4).1 Related control: SC-8. The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic flow policy for each managed interface; (c) Protects the confidentiality and integrity of the information being transmitted across each interface; (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and (e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
CCI-001103 The organization establishes a traffic flow policy for each managed interface for each external telecommunication service. The organization conducting the inspection/assessment obtains and examines the documented traffic flow policy to ensure the organization being inspected/assessed establishes a traffic flow policy for each managed interface for each external telecommunication service. The organization being inspected/assessed defines and documents a traffic flow policy for each managed interface for each external telecommunication service. Boundary Protection | External Telecommunications Services SC-7 (4) SC-7(4).2 Related control: SC-8. The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic flow policy for each managed interface; (c) Protects the confidentiality and integrity of the information being transmitted across each interface; (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and (e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
CCI-001104 The organization employs security controls as needed to protect the confidentiality and integrity of the information being transmitted.
CCI-001105 The organization documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need for each external telecommunication service. The organization conducting the inspection/assessment obtains and examines the documented exceptions to the traffic flow policy to ensure the organization being inspected/assessed identifies each exception with supporting mission/business need and duration of that need for each external telecommunication service. The organization being inspected/assessed documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need for each external telecommunication service. Boundary Protection | External Telecommunications Services SC-7 (4) SC-7(4).4 Related control: SC-8. The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic flow policy for each managed interface; (c) Protects the confidentiality and integrity of the information being transmitted across each interface; (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and (e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
CCI-001106 The organization reviews exceptions to the traffic flow policy on an organization-defined frequency for each external telecommunication service. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed reviews exceptions to the traffic flow policy every 180 days for each external telecommunication service. DoD has defined the frequency as every 180 days. The organization being inspected/assessed implements a process to review exceptions to the traffic flow policy every 180 days for each external telecommunication service. The organization must maintain an audit trail of reviews. DoD has defined the frequency as every 180 days. Boundary Protection | External Telecommunications Services SC-7 (4) SC-7(4).5 Related control: SC-8. The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic flow policy for each managed interface; (c) Protects the confidentiality and integrity of the information being transmitted across each interface; (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and (e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
CCI-001107 The organization defines a frequency for the review of exceptions to the traffic flow policy for each external telecommunication service. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 180 days. DoD has defined the frequency as every 180 days. Boundary Protection | External Telecommunications Services SC-7 (4) SC-7(4).6 Related control: SC-8. The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic flow policy for each managed interface; (c) Protects the confidentiality and integrity of the information being transmitted across each interface; (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and (e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
CCI-001108 The organization removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need for each external telecommunication service. The organization conducting the inspection/assessment obtains and examines the documented process as well as a sampling of existing exceptions to ensure the organization being inspected/assessed removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need for each external telecommunication service. The organization being inspected/assessed documents and implements a process to remove traffic flow policy exceptions that are no longer supported by an explicit mission/business need for each external telecommunication service. Boundary Protection | External Telecommunications Services SC-7 (4) SC-7(4).7 Related control: SC-8. The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic flow policy for each managed interface; (c) Protects the confidentiality and integrity of the information being transmitted across each interface; (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and (e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
CCI-001109 The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to deny network communications traffic at managed interfaces by default and allows network communications traffic by exception (i.e., deny all, permit by exception). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1109. The organization being inspected/assessed configures the information system to deny network communications traffic at managed interfaces by default and allows network communications traffic by exception (i.e., deny all, permit by exception). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1109. Boundary Protection | Deny By Default / Allow By Exception SC-7 (5) SC-7(5).1 This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
CCI-001110 The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.
CCI-001111 The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
CCI-001112 The information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to route protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP) to any network external to the authorization boundary through authenticated proxy servers at managed interfaces. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1112. DoD has defined the internal communications traffic as protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP). DoD has defined the external networks as any network external to the authorization boundary. The organization being inspected/assessed configures the information system to route protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP) to any network external to the authorization boundary through authenticated proxy servers at managed interfaces. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1112. DoD has defined the internal communications traffic as protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP). DoD has defined the external networks as any network external to the authorization boundary. Boundary Protection | Route Traffic To Authenticated Proxy Servers SC-7 (8) SC-7(8).1 External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Related controls: AC-3, AU-2. The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
CCI-001113 The organization defines the internal communications traffic to be routed to external networks. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the internal communications traffic as protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP). DoD has defined the internal communications traffic as protocols as designated by PPSM guidance (e.g. HTTPS, HTTP, FTP, SNMP). Boundary Protection | Route Traffic To Authenticated Proxy Servers SC-7 (8) SC-7(8).2 External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Related controls: AC-3, AU-2. The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
CCI-001114 The organization defines the external networks to which organization-defined internal communications traffic should be routed. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the external networks as any network external to the authorization boundary. DoD has defined the external networks as any network external to the authorization boundary. Boundary Protection | Route Traffic To Authenticated Proxy Servers SC-7 (8) SC-7(8).3 External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Related controls: AC-3, AU-2. The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
CCI-001115 The information system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external information systems.
CCI-001116 The organization prevents the unauthorized exfiltration of information across managed interfaces. The organization conducting the inspection/assessment obtains and examines the documented mechanisms to ensure the organization being inspected/assessed prevents the unauthorized exfiltration of information across managed interfaces. The organization being inspected/assessed documents and implements mechanisms to prevent the unauthorized exfiltration of information across managed interfaces. Boundary Protection | Prevent Unauthorized Exfiltration SC-7 (10) SC-7(10).1 Safeguards implemented by organizations to prevent unauthorized exfiltration of information from information systems include, for example: (i) strict adherence to protocol formats; (ii) monitoring for beaconing from information systems; (iii) monitoring for steganography; (iv) disconnecting external network interfaces except when explicitly needed; (v) disassembling and reassembling packet headers; and (vi) employing traffic profile analysis to detect deviations from the volume/types of traffic expected within organizations or call backs to command and control centers. Devices enforcing strict adherence to protocol formats include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to protocol formats and specification at the application layer and serve to identify vulnerabilities that cannot be detected by devices operating at the network or transport layers. This control enhancement is closely associated with cross-domain solutions and system guards enforcing information flow requirements. Related control: SI-3. The organization prevents the unauthorized exfiltration of information across managed interfaces.
CCI-001117 The information system checks incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.
CCI-001118 The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.
CCI-001119 The organization isolates organization-defined information security tools, mechanisms, and support components from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system. The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying component partitioning to ensure the organization being inspected/assessed isolates key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system. DoD has defined the key information security tools, mechanisms, and support components as key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. The organization being inspected/assessed designs the information system to isolate key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system. DoD has defined the key information security tools, mechanisms, and support components as key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components SC-7 (13) SC-7(13).1 Physically separate subnetworks with managed interfaces are useful, for example, in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques of organizations. Related controls: SA-8, SC-2, SC-3. The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
CCI-001120 The organization defines key information security tools, mechanisms, and support components to be isolated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the key information security tools, mechanisms, and support components as key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. DoD has defined the key information security tools, mechanisms, and support components as key information security tools, mechanisms, and support components such as, but not limited to PKI, Patching infrastructure, HBSS, CND Tools, Special Purpose Gateway, vulnerability tracking systems, honeypots, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc. Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components SC-7 (13) SC-7(13).2 Physically separate subnetworks with managed interfaces are useful, for example, in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques of organizations. Related controls: SA-8, SC-2, SC-3. The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
CCI-001121 The organization protects against unauthorized physical connections at organization-defined managed interfaces. The organization conducting the inspection/assessment obtains and examines the documented mechanisms to ensure the organization being inspected/assessed protects against unauthorized physical connections at internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. DoD has defined the managed interfaces as internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. The organization being inspected/assessed documents and implements mechanisms to protect against unauthorized physical connections at internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. DoD has defined the managed interfaces as internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. Boundary Protection | Protects Against Unauthorized Physical Connection SC-7 (14) SC-7(14).1 Information systems operating at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within organizational facilities. In practice, it is possible that these separate information systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved, for example, by employing clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls enforcing limited authorized access to these items. Related controls: PE-4, PE-19. The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
CCI-001122 The organization defines the managed interfaces where boundary protections against unauthorized physical connections are to be implemented. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the managed interfaces as internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. DoD has defined the managed interfaces as internet access points, enclave LAN to WAN, cross domain solutions, and any DoD Approved Alternate Gateways. Boundary Protection | Protects Against Unauthorized Physical Connection SC-7 (14) SC-7(14).2 Information systems operating at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within organizational facilities. In practice, it is possible that these separate information systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved, for example, by employing clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls enforcing limited authorized access to these items. Related controls: PE-4, PE-19. The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
CCI-001123 The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying network data flow to ensure the organization being inspected/assessed routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. The organization being inspected/assessed designs the information system to route all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. Boundary Protection | Route Privileged Network Accesses SC-7 (15) SC-7(15).1 Related controls: AC-2, AC-3, AU-2, SI-4. The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
CCI-001124 The information system prevents discovery of specific system components composing a managed interface. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent discovery of specific system components composing a managed interface. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1124. The organization being inspected/assessed configures the information system to prevent discovery of specific system components composing a managed interface. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1124. Boundary Protection | Prevent Discovery Of Components / Devices SC-7 (16) SC-7(16).1 This control enhancement protects network addresses of information system components that are part of managed interfaces from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery (e.g., network address not published or entered in domain name systems), requiring prior knowledge for access. Another obfuscation technique is to periodically change network addresses. The information system prevents discovery of specific system components (or devices) composing a managed interface.
CCI-001125 The information system enforces adherence to protocol format. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce adherence to protocol format. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1125. The organization being inspected/assessed configures the information system to enforce adherence to protocol format. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1125. Boundary Protection | Automated Enforcement Of Protocol Formats SC-7 (17) SC-7(17).1 Information system components that enforce protocol formats include, for example, deep packet inspection firewalls and XML gateways. Such system components verify adherence to protocol formats/specifications (e.g., IEEE) at the application layer and identify significant vulnerabilities that cannot be detected by devices operating at the network or transport layers. Related control: SC-4. The information system enforces adherence to protocol formats.
CCI-001126 The information system fails securely in the event of an operational failure of a boundary protection device. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to fail securely in the event of an operational failure of a boundary protection device. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1126. The organization being inspected/assessed configures the information system to fail securely in the event of an operational failure of a boundary protection device. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1126. Boundary Protection | Fail Secure SC-7 (18) SC-7(18).1 Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases. Related controls: CP-2, SC-24. The information system fails securely in the event of an operational failure of a boundary protection device.
CCI-001661 The organization defines the security functions, to minimally include information system authentication and re-authentication, within the information system to be included in a trusted communications path. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security functions as providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling). DoD has defined the security functions as providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling). Trusted Path SC-11 SC-11.2 Trusted paths are mechanisms by which users (through input devices) can communicate directly with security functions of information systems with the requisite assurance to support information security policies. The mechanisms can be activated only by users or the security functions of organizational information systems. User responses via trusted paths are protected from modifications by or disclosure to untrusted applications. Organizations employ trusted paths for high-assurance connections between security functions of information systems and users (e.g., during system logons). Enforcement of trusted communications paths is typically provided via an implementation that meets the reference monitor concept. Related controls: AC-16, AC-25. The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].
CCI-001135 The information system establishes a trusted communications path between the user and organization-defined security functions within the information system. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to establish a trusted communications path between the user and providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling) within the information system. Additionally, the organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying data flow to ensure the organization being inspected/assessed establishes a trusted communications path between the user and providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling) within the information system. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1135. DoD has defined the security functions as providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling). The organization being inspected/assessed designs and configures the information system to establish a trusted communications path between the user and providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling) within the information system. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1135. DoD has defined the security functions as providers of authentication, reauthentication, and all privileged commands (administration, monitoring, and controlling). Trusted Path SC-11 SC-11.1 Trusted paths are mechanisms by which users (through input devices) can communicate directly with security functions of information systems with the requisite assurance to support information security policies. The mechanisms can be activated only by users or the security functions of organizational information systems. User responses via trusted paths are protected from modifications by or disclosure to untrusted applications. Organizations employ trusted paths for high-assurance connections between security functions of information systems and users (e.g., during system logons). Enforcement of trusted communications paths is typically provided via an implementation that meets the reference monitor concept. Related controls: AC-16, AC-25. The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].
CCI-001136 The organization defines security functions to include information system authentication and reauthentication.
CCI-001662 The information system takes organization-defined corrective action when organization-defined unacceptable mobile code is identified. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to take corrective actions defined in SC-18 (1), CCI 2457 when unacceptable mobile code defined in SC-18 (1), CCI 2458 is identified. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1662. The organization being inspected/assessed configures the information system to take corrective actions defined in SC-18 (1), CCI 2457 when unacceptable mobile code defined in SC-18 (1), CCI 2458 is identified. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1662. Mobile Code | Identify Unacceptable Code / Take Corrective Actions SC-18 (1) SC-18(1).2 Corrective actions when unacceptable mobile code is detected include, for example, blocking, quarantine, or alerting administrators. Blocking includes, for example, preventing transmission of word processing files with embedded macros when such macros have been defined to be unacceptable mobile code. The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions].
CCI-001162 The organization establishes implementation guidance for acceptable mobile code and mobile code technologies. The Protection Profile for Web Browsers and Application SRG meet the DoD requirement to establish implementation guidance for acceptable mobile code and mobile code technologies. DoD Components are automatically compliant with this CCI because they are covered by the Protection Profile for Web Browsers and Application SRG. The Protection Profile for Web Browsers and Application SRG meet the DoD requirement to establish implementation guidance for acceptable mobile code and mobile code technologies. DoD Components are automatically compliant with this CCI because they are covered by the Protection Profile for Web Browsers and Application SRG. Mobile Code SC-18 SC-18.3 Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system.
CCI-001163 The organization authorizes the use of mobile code within the information system. The organization conducting the inspection/assessment obtains and examines the documented list of mobile code which is authorized for use within the information system and examines the information system to ensure that all used mobile code is authorized. The organization being inspected/assessed documents mobile code which is authorized for use within the information system. Mobile Code SC-18 SC-18.4 Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system.
CCI-001164 The organization monitors the use of mobile code within the information system. The organization conducting the inspection/assessment obtains and examines the documented process as well as any artifacts applicable to monitoring of mobile code to ensure the organization being inspected/assessed monitors the use of mobile code within the information system. The organization being inspected/assessed documents and implements a process to monitor the use of mobile code within the information system. Mobile Code SC-18 SC-18.5 Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system.
CCI-001165 The organization controls the use of mobile code within the information system. The organization conducting the inspection/assessment obtains and examines the documented process and examines the information system to ensure the organization being inspected/assessed controls the use of mobile code within the information system. The organization being inspected/assessed documents and implements a process to control the use of mobile code within the information system. Mobile Code SC-18 SC-18.6 Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system.
CCI-001166 The information system identifies organization-defined unacceptable mobile code. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to identify unacceptable mobile code defined in SC-18 (1), CCI 2458. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1166. The organization being inspected/assessed configures the information system to identify unacceptable mobile code defined in SC-18 (1), CCI 2458. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1166. Mobile Code | Identify Unacceptable Code / Take Corrective Actions SC-18 (1) SC-18(1).1 Corrective actions when unacceptable mobile code is detected include, for example, blocking, quarantine, or alerting administrators. Blocking includes, for example, preventing transmission of word processing files with embedded macros when such macros have been defined to be unacceptable mobile code. The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions].
CCI-001167 The organization ensures the development of mobile code to be deployed in information systems meets organization-defined mobile code requirements. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed develops mobile code IAW the requirements defined in CCI 1168. The organization being inspected/assessed documents and implements a process to develop mobile code IAW the requirements defined in CCI 1168. Mobile Code | Acquisition / Development / Use SC-18 (2) SC-18(2).1 The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].
CCI-001168 The organization defines requirements for the acquisition, development, and use of mobile code. The organization conducting the inspection/assessment obtains and examines the documented requirements to ensure the organization being inspected/assessed defines requirements for the acquisition, development, and use of mobile code. DoD has determined the requirements are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents requirements for the acquisition, development, and use of mobile code. The requirements must result in the acquisition and development of mobile code which complies with the Protection Profile for Web Browsers and Application SRG. DoD has determined the requirements are not appropriate to define at the Enterprise level. Mobile Code | Acquisition / Development / Use SC-18 (2) SC-18(2).2 The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].
CCI-001169 The information system prevents the download of organization-defined unacceptable mobile code. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent the download of unacceptable mobile code defined in CCI 2459. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1169. The organization being inspected/assessed configures the information system to prevent the download of unacceptable mobile code defined in CCI 2459. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1169. Mobile Code | Prevent Downloading / Execution SC-18 (3) SC-18(3).1 The information system prevents the download and execution of [Assignment: organization defined unacceptable mobile code].
CCI-001170 The information system prevents the automatic execution of mobile code in organization-defined software applications. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent the automatic execution of unacceptable mobile code in software applications defined in CCI 1171. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1170. The organization being inspected/assessed configures the information system to prevent the automatic execution of unacceptable mobile code in software applications defined in CCI 1171. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1170. Mobile Code | Prevent Automatic Execution SC-18 (4) SC-18(4).1 Actions enforced before executing mobile code, include, for example, prompting users prior to opening electronic mail attachments. Preventing automatic execution of mobile code includes, for example, disabling auto execute features on information system components employing portable storage devices such as Compact Disks (CDs), Digital Video Disks (DVDs), and Universal Serial Bus (USB) devices. The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code.
CCI-001171 The organization defines software applications in which automatic mobile code execution is to be prohibited. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the software applications in which automatic mobile code execution is to be prohibited as the software applications defined in the Protection Profile for Web Browsers and Application SRG. DoD has defined the software applications in which automatic mobile code execution is to be prohibited as the software applications defined in the Protection Profile for Web Browsers and Application SRG. Mobile Code | Prevent Automatic Execution SC-18 (4) SC-18(4).2 Actions enforced before executing mobile code, include, for example, prompting users prior to opening electronic mail attachments. Preventing automatic execution of mobile code includes, for example, disabling auto execute features on information system components employing portable storage devices such as Compact Disks (CDs), Digital Video Disks (DVDs), and Universal Serial Bus (USB) devices. The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code.
CCI-001172 The organization defines actions to be enforced by the information system before executing mobile code. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the actions as the user be prompted. DoD has defined the actions as the user be prompted. Mobile Code | Prevent Automatic Execution SC-18 (4) SC-18(4).3 Actions enforced before executing mobile code, include, for example, prompting users prior to opening electronic mail attachments. Preventing automatic execution of mobile code includes, for example, disabling auto execute features on information system components employing portable storage devices such as Compact Disks (CDs), Digital Video Disks (DVDs), and Universal Serial Bus (USB) devices. The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code.
CCI-001160 The organization defines acceptable and unacceptable mobile code and mobile code technologies. The organization conducting the inspection/assessment obtains and examines the documented acceptable and unacceptable mobile code and mobile code technologies to ensure the organization being inspected/assessed defines acceptable and unacceptable mobile code and mobile code technologies IAW the Protection Profile for Web Browsers and Application SRG. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has defined acceptable and unacceptable mobile code and mobile code technologies IAW the applicable STIGs and SRGs pertaining to CCI 1160. The organization being inspected/assessed defines and documents acceptable and unacceptable mobile code and mobile code technologies IAW the Protection Profile for Web Browsers and Application SRG. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must define IAW the STIG/SRG guidance that pertains to CCI 1160. Mobile Code SC-18 SC-18.1 Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system.
CCI-001161 The organization establishes usage restrictions for acceptable mobile code and mobile code technologies. The organization conducting the inspection/assessment obtains and examines the documented usage restrictions to ensure the organization being inspected/assessed establishes usage restrictions for acceptable mobile code and mobile code technologies IAW the Protection Profile for Web Browsers and Application SRG. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has established usage restrictions IAW the applicable STIGs and SRGs pertaining to CCI 1161. The organization being inspected/assessed documents usage restrictions for acceptable mobile code and mobile code technologies IAW the Protection Profile for Web Browsers and Application SRG. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must establish IAW the STIG/SRG guidance that pertains to CCI 1161. Mobile Code SC-18 SC-18.2 Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system.
CCI-001687 The organization ensures the use of mobile code to be deployed in information systems meets organization-defined mobile code requirements. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed uses mobile code IAW the requirements defined in CCI 1168. The organization being inspected/assessed documents and implements a process to use mobile code IAW the requirements defined in CCI 1168. Mobile Code | Acquisition / Development / Use SC-18 (2) SC-18(2).3 The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].
CCI-001688 The organization ensures the acquisition of mobile code to be deployed in information systems meets organization-defined mobile code requirements. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed acquires mobile code IAW the requirements defined in CCI 1168. The organization being inspected/assessed documents and implements a process to acquire mobile code IAW the requirements defined in CCI 1168. Mobile Code | Acquisition / Development / Use SC-18 (2) SC-18(2).4 The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].
CCI-001695 The information system prevents the execution of organization-defined unacceptable mobile code. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent the execution of unacceptable mobile code defined in CCI 2459. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1695. The organization being inspected/assessed configures the information system to prevent the execution of unacceptable mobile code defined in CCI 2459. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1695. Mobile Code | Prevent Downloading / Execution SC-18 (3) SC-18(3).2 The information system prevents the download and execution of [Assignment: organization defined unacceptable mobile code].
CCI-001663 The information system, when operating as part of a distributed, hierarchical namespace, provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services). The organization conducting the inspection/assessment utilizes DNSSEC diagnostic tools, such as dig, and performs queries which will exercise the data flow path for authoritative name resolution services where parent and child domains exist. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that pertain to CCI 1663. The organization being inspected/assessed installs and utilizes software capable of validating the chain of trust (examples of software include dig, dnsviz, dnssec-debugger, dnssec validator for Mozilla, etc.). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1663. Secure Name / Address Resolution Service (Authoritative Source) SC-20 SC-20.4 This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22. The information system: a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
CCI-001178 The information system provides additional data origin authentication artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries. The organization conducting the inspection/assessment: 1. inspects the configuration files for the presence of DNSSEC records for each A record hosted in a zone; 2. utilizes DNSSEC diagnostic tools, such as dig; and 3. performs queries which will exercise the data flow path for authoritative name resolution services. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 1178. The organization being inspected/assessed configures the authoritative name server software for external queries to enable DNSSEC and creates resource records with digital signatures (RRSIG) for each A record. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 1178. Secure Name / Address Resolution Service (Authoritative Source) SC-20 SC-20.1 This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22. The information system: a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
CCI-001179 The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child zones. The organization conducting the inspection/assessment inspects the configuration files for the presence of Delegation Signer (DS) records for any child domains. Note: This is only applicable for zones with child domains. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs that determine the name server software configuration files and pertain to CCI 1179. The organization being inspected/assessed configures the authoritative name server software to enable DNSSEC, creates delegation signer (DS) resource records for each child zone, and places those records in the parent zone. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that determines the name server software configuration files and pertains to CCI 1179. Secure Name / Address Resolution Service (Authoritative Source) SC-20 SC-20.3 This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22. The information system: a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
CCI-001664 The information system recognizes only session identifiers that are system-generated. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to recognize only session identifiers that are system-generated. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1664. The organization being inspected/assessed configures the information system to recognize only session identifiers that are system-generated. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1664. Session Authenticity | Unique Session Identifiers With Randomization SC-23 (3) SC-23(3).3 This control enhancement curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Related control: SC-13. The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.
CCI-001184 The information system protects the authenticity of communications sessions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect the authenticity of communications sessions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1184. The organization being inspected/assessed configures the information system to protect the authenticity of communications sessions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1184. Session Authenticity SC-23 SC-23.1 This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11. The information system protects the authenticity of communications sessions.
CCI-001185 The information system invalidates session identifiers upon user logout or other session termination. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to invalidate session identifiers upon user logout or other session termination. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1185. The organization being inspected/assessed configures the information system to invalidate session identifiers upon user logout or other session termination. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1185. Session Authenticity | Invalidate Session Identifiers At Logout SC-23 (1) SC-23(1).1 This control enhancement curtails the ability of adversaries to capture and continue to employ previously valid session IDs. The information system invalidates session identifiers upon user logout or other session termination.
CCI-001186 The information system provides a readily observable logout capability whenever authentication is used to gain access to web pages.
CCI-001187 The information system generates a unique session identifier for each session.
CCI-001188 The information system generates unique session identifiers for each session with organization-defined randomness requirements. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to generate unique session identifiers for each session with randomness requirements defined in SC-23 (3), CCI 1189. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1188. The organization being inspected/assessed configures the information system to generate unique session identifiers for each session with randomness requirements defined in SC-23 (3), CCI 1189. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1188. Session Authenticity | Unique Session Identifiers With Randomization SC-23 (3) SC-23(3).1 This control enhancement curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Related control: SC-13. The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.
CCI-001189 The organization defines randomness requirements for generating unique session identifiers. The organization conducting the inspection/assessment obtains and examines the documented randomness requirements to ensure the organization being inspected/assessed defines randomness requirements for generating unique session identifiers. DoD has determined the randomness requirements are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents randomness requirements for generating unique session identifiers. DoD has determined the randomness requirements are not appropriate to define at the Enterprise level. Session Authenticity | Unique Session Identifiers With Randomization SC-23 (3) SC-23(3).2 This control enhancement curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Related control: SC-13. The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.
CCI-001665 The information system preserves organization-defined system state information in the event of a system failure. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to preserve information necessary to determine cause of failure and to return to operations with least disruption to mission/business processes in the event of a system failure. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1665. DoD has defined system state information as information necessary to determine cause of failure and to return to operations with least disruption to mission/business processes. The organization being inspected/assessed configures the information system to preserve information necessary to determine cause of failure and to return to operations with least disruption to mission/business processes in the event of a system failure. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1665. DoD has defined system state information as information necessary to determine cause of failure and to return to operations with least disruption to mission/business processes. Fail In Known State SC-24 SC-24.5 Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22. The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
CCI-001190 The information system fails to an organization-defined known-state for organization-defined types of failures. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to fail to a secure state for failures during system initialization, shutdown, and aborts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1190. DoD has defined the known state as secure state. DoD has defined the types of failures as failures during system initialization, shutdown, and aborts. The organization being inspected/assessed configures the information system to fail to a secure state for failures during system initialization, shutdown, and aborts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1190. DoD has defined the known state as secure state. DoD has defined the types of failures as failures during system initialization, shutdown, and aborts. Fail In Known State SC-24 SC-24.1 Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22. The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
CCI-001191 The organization defines the known states the information system should fail to in the event of an organization-defined system failure. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the known state as secure state. DoD has defined the known state as secure state. Fail In Known State SC-24 SC-24.2 Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22. The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
CCI-001192 The organization defines types of failures for which the information system should fail to an organization-defined known state. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the types of failures as failures during system initialization, shutdown, and aborts. DoD has defined the types of failures as failures during system initialization, shutdown, and aborts. Fail In Known State SC-24 SC-24.3 Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22. The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
CCI-001193 The organization defines system state information that should be preserved in the event of a system failure. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined system state information as information necessary to determine cause of failure and to return to operations with least disruption to mission/business processes. DoD has defined system state information as information necessary to determine cause of failure and to return to operations with least disruption to mission/business processes. Fail In Known State SC-24 SC-24.4 Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP-10, CP-12, SC-7, SC-22. The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
CCI-001666 The organization employs cryptographic mechanisms to prevent unauthorized modification of information at rest unless otherwise protected by alternative physical measures.
CCI-001199 The information system protects the confidentiality and/or integrity of organization-defined information at rest. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to protect the confidentiality and/or integrity of organization-defined information at rest. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1199. The organization being inspected/assessed configures the information system to protect the confidentiality and/or integrity of organization-defined information at rest. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1199. Protection Of Information At Rest SC-28 SC-28.1 This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
CCI-001200 The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.
CCI-001667 The organization compares the time measured between flaw identification and flaw remediation with organization-defined benchmarks.
CCI-001225 The organization identifies information system flaws. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed identifies information system flaws. The organization being inspected/assessed documents and implements a process to identify information system flaws. The process shall include review of the system through automated scans and manual checks to determine the existence of flaws published by resources such as IAVMs, CVEs, or other sources. Flaw Remediation SI-2 SI-2.1 Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. The organization: a. Identifies, reports, and corrects information system flaws; b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process.
CCI-001226 The organization reports information system flaws. The organization conducting the inspection/assessment obtains and examines the authorization package, verifies the POA&M is up to date and includes recently identified information system flaws, and verifies that the organization has notified appropriate personnel as defined by DoD Cybersecurity policy and organizational roles and responsibilities. The organization being inspected/assessed reports information system flaws according to DoD Cybersecurity policy and organizational roles and responsibilities. The organization must report information system flaws in their POA&M. Flaw Remediation SI-2 SI-2.2 Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. The organization: a. Identifies, reports, and corrects information system flaws; b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process.
CCI-001227 The organization corrects information system flaws. The organization conducting the inspection/assessment obtains and examines the information system POA&M and examines the information system to ensure the organization being inspected/assessed corrects information system flaws. The organization being inspected/assessed corrects information system flaws within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). The organization documents the corrections on their POA&M. DoD has defined the time period as within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). Flaw Remediation SI-2 SI-2.3 Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. The organization: a. Identifies, reports, and corrects information system flaws; b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process.
CCI-001228 The organization tests software updates related to flaw remediation for effectiveness before installation. The organization conducting the inspection/assessment obtains and examines the documented process and test results to ensure the organization being inspected/assessed tests software updates related to flaw remediation for effectiveness before installation. The organization being inspected/assessed documents and implements a process to test software updates related to flaw remediation for effectiveness before installation. If the software update is being provided by a vendor who has documented the effectiveness of the update in fixing the affected IAVM/CVE, further testing by the organization may not be required. Flaw Remediation SI-2 SI-2.4 Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. The organization: a. Identifies, reports, and corrects information system flaws; b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process.
CCI-001229 The organization tests software updates related to flaw remediation for potential side effects before installation. The organization conducting the inspection/assessment obtains and examines the documented process and test results to ensure the organization being inspected/assessed tests software updates related to flaw remediation for potential side effects before installation. The organization being inspected/assessed documents and implements a process for regression testing in accordance with CM-4 to identify any potential side effects before installation of software updates. Flaw Remediation SI-2 SI-2.5 Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. The organization: a. Identifies, reports, and corrects information system flaws; b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process.
CCI-001230 The organization incorporates flaw remediation into the organizational configuration management process. The organization conducting the inspection/assessment obtains and examines the configuration management plan to ensure that it incorporates flaw remediation. The organization being inspected/assessed documents its flaw remediation processes within its configuration management plan. Flaw Remediation SI-2 SI-2.12 Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. The organization: a. Identifies, reports, and corrects information system flaws; b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process.
CCI-001231 The organization centrally manages the flaw remediation process. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed centrally manages the flaw remediation process. The organization being inspected/assessed documents and implements a process to centrally manage the flaw remediation process. Flaw Remediation | Central Management SI-2 (1) SI-2(1).1 Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls. The organization centrally manages the flaw remediation process.
CCI-001232 The organization installs software updates automatically.
CCI-001233 The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ automated mechanisms continuously with HBSS; every 30 days for any additional internal network scans not covered by HBSS; and annually for external scans by the Computer Network Defense Service Provider (CNDSP) to determine the state of information system components with regard to flaw remediation. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1233. DoD has defined the frequency as continuously with HBSS; every 30 days for any additional internal network scans not covered by HBSS; and annually for external scans by the Computer Network Defense Service Provider (CNDSP). The organization being inspected/assessed configures the information system to employ automated mechanisms continuously with HBSS; every 30 days for any additional internal network scans not covered by HBSS; and annually for external scans by the Computer Network Defense Service Provider (CNDSP) to determine the state of information system components with regard to flaw remediation. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1233. DoD has defined the frequency as continuously with HBSS; every 30 days for any additional internal network scans not covered by HBSS; and annually for external scans by the Computer Network Defense Service Provider (CNDSP). Flaw Remediation | Automated Flaw Remediation Status SI-2 (2) SI-2(2).1 Related controls: CM-6, SI-4. The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
CCI-001234 The organization defines a frequency for employing automated mechanisms to determine the state of information system components with regard to flaw remediation. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as continuously with HBSS; every 30 days for any additional internal network scans not covered by HBSS; and annually for external scans by the Computer Network Defense Service Provider (CNDSP). DoD has defined the frequency as continuously with HBSS; every 30 days for any additional internal network scans not covered by HBSS; and annually for external scans by the Computer Network Defense Service Provider (CNDSP). Flaw Remediation | Automated Flaw Remediation Status SI-2 (2) SI-2(2).2 Related controls: CM-6, SI-4. The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
CCI-001235 The organization measures the time between flaw identification and flaw remediation. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of flaw identification and flaw remediation to ensure the organization being inspected/assessed measures the time between flaw identification and flaw remediation. The organization being inspected/assessed documents and implements a process to measure the time between flaw identification and flaw remediation. The organization must maintain an audit trail of flaw identification and flaw remediation. Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions SI-2 (3) SI-2(3).1 This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited. The organization: (a) Measures the time between flaw identification and flaw remediation; and (b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.
CCI-001236 The organization defines benchmarks for the time taken to apply corrective actions after flaw identification. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the benchmarks as within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). DoD has defined the benchmarks as within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions SI-2 (3) SI-2(3).2 This control enhancement requires organizations to determine the current time it takes on average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited. The organization: (a) Measures the time between flaw identification and flaw remediation; and (b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.
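The measurement that SI-2(3) and CCI-001235/CCI-001236 call for, worked through as an added example (this is illustration code, not part of the CCI list, the STIGs, or any DoD tool): read an audit trail of flaw identification and remediation events, compute time-to-remediate per flaw and on average per severity, and flag every flaw that exceeds its benchmark. The pipe-delimited audit-trail format and the per-severity benchmark days are assumptions made for the example; the real benchmark for each flaw is whatever time period the authoritative source (IAVM, CTO, DTM, STIG) directs. Flaws that are still open are measured against the benchmark by their current age rather than skipped, so an aging unpatched flaw shows up in the report instead of being hidden until someone closes it.

```python
"""Time-to-remediate measurement against per-severity benchmarks (SI-2(3)).

Added example, not from the CCI list or any DoD tooling. The audit trail is
constructed sample data; BENCHMARK_DAYS values are assumptions for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Assumed benchmarks: maximum days from identification to remediation, by
# severity. Hypothetical values; the authoritative source sets the real ones.
BENCHMARK_DAYS = {"critical": 7, "high": 21, "medium": 30, "low": 90}

# Constructed audit trail. Columns: flaw_id | asset | severity | identified |
# remediated ('-' means the flaw is still open). Timestamps are ISO-8601.
SAMPLE_AUDIT_TRAIL = """
# flaw_id  | asset | severity | identified          | remediated
FLAW-0001  | web01 | critical | 2024-03-01T09:00:00 | 2024-03-05T17:30:00
FLAW-0002  | web01 | high     | 2024-03-01T09:00:00 | 2024-03-28T12:00:00
FLAW-0003  | db02  | critical | 2024-03-10T08:00:00 | -
FLAW-0004  | db02  | medium   | 2024-02-01T08:00:00 | 2024-02-20T08:00:00
FLAW-0005  | ws17  | low      | 2024-01-15T08:00:00 | 2024-02-15T08:00:00
"""
# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 4, 1, 0, 0, 0)


@dataclass(frozen=True)
class FlawRecord:
    flaw_id: str                      # tracking id, e.g. a CVE or IAVM number
    asset: str                        # component on which the flaw was found
    severity: str                     # key into BENCHMARK_DAYS
    identified: datetime              # when the component was known to be affected
    remediated: Optional[datetime]    # None while the flaw is still open


def parse_audit_trail(lines) -> List[FlawRecord]:
    """Parse the constructed pipe-delimited audit-trail format."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flaw_id, asset, severity, ident, rem = (f.strip() for f in line.split("|"))
        records.append(FlawRecord(
            flaw_id, asset, severity.lower(),
            datetime.fromisoformat(ident),
            None if rem == "-" else datetime.fromisoformat(rem),
        ))
    return records


def time_to_remediate(rec: FlawRecord, now: datetime) -> timedelta:
    """Identification-to-remediation interval; for an open flaw, its age so far."""
    end = rec.remediated if rec.remediated is not None else now
    return end - rec.identified


def assess(records: List[FlawRecord], now: datetime,
           benchmarks: Dict[str, int] = BENCHMARK_DAYS) -> Tuple[Dict[str, float], List[dict]]:
    """Return (mean time-to-remediate in days per severity, benchmark breaches).

    A breach is any flaw, closed or still open, whose interval exceeds the
    benchmark for its severity. Severities with no benchmark are measured but
    never flagged.
    """
    days_by_sev: Dict[str, List[float]] = {}
    breaches: List[dict] = []
    for rec in records:
        days = time_to_remediate(rec, now).total_seconds() / 86400
        days_by_sev.setdefault(rec.severity, []).append(days)
        limit = benchmarks.get(rec.severity)
        if limit is not None and days > limit:
            breaches.append({
                "flaw_id": rec.flaw_id, "asset": rec.asset, "severity": rec.severity,
                "days": round(days, 1), "benchmark_days": limit,
                "open": rec.remediated is None,
            })
    mean_days = {sev: round(mean(v), 1) for sev, v in days_by_sev.items()}
    return mean_days, breaches


def report(records: List[FlawRecord], now: datetime) -> str:
    """Human-readable summary suitable for the SI-2(3) evidence package."""
    mean_days, breaches = assess(records, now)
    out = ["Mean time-to-remediate (days) by severity:"]
    out += [f"  {sev:<9}{d:>6}" for sev, d in sorted(mean_days.items())]
    out.append(f"Benchmark breaches: {len(breaches)}")
    for b in breaches:
        state = "OPEN" if b["open"] else "closed"
        out.append(f"  {b['flaw_id']} on {b['asset']} ({b['severity']}, {state}): "
                   f"{b['days']}d vs {b['benchmark_days']}d benchmark")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_audit_trail(SAMPLE_AUDIT_TRAIL.splitlines()), NOW))
```

Two of the five constructed records breach their benchmark: FLAW-0002 was closed but took about 27 days against a 21-day high-severity benchmark, and FLAW-0003 is a critical flaw still open after roughly 22 days against a 7-day benchmark. Feeding the same records into the report each reporting period gives the auditor the audit trail and the measured intervals that CCI-001235 asks for in one artifact.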
CCI-001237 The organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components.
CCI-001238 The organization defines information system components for which automated patch management tools are to be employed to facilitate flaw remediation.
CCI-001668 The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.
CCI-001669 The organization defines the frequency of testing malicious code protection mechanisms. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as twice annually or when substantial changes are made to the malicious code protection mechanisms. DoD has defined the frequency as twice annually or when substantial changes are made to the malicious code protection mechanisms. Malicious Code Protection | Testing / Verification SI-3 (6) SI-3(6).2 Related controls: CA-2, CA-7, RA-5. The organization: (a) Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and (b) Verifies that both detection of the test case and associated incident reporting occur.
CCI-001239 The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.
CCI-001240 The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1240. The organization being inspected/assessed configures the information system to update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1240. Malicious Code Protection SI-3 SI-3.5 Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
CCI-001241 The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures malicious code protection mechanisms to perform periodic scans of the information system every 7 days. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1241. DoD has defined the frequency as every 7 days. The organization being inspected/assessed configures malicious code protection mechanisms to perform periodic scans of the information system every 7 days. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1241. DoD has defined the frequency as every 7 days. Malicious Code Protection SI-3 SI-3.8 Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
CCI-001242 The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1242. The organization being inspected/assessed configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1242. Malicious Code Protection SI-3 SI-3.9 Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
CCI-001243 The organization configures malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures malicious code protection mechanisms to block and quarantine malicious code and then send an alert to the administrator immediately in near real-time in response to malicious code detection. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1243. DoD has defined the actions as block and quarantine malicious code and then send an alert to the administrator immediately in near real-time. The organization being inspected/assessed configures malicious code protection mechanisms to block and quarantine malicious code and then send an alert to the administrator immediately in near real-time in response to malicious code detection. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1243. DoD has defined the actions as block and quarantine malicious code and then send an alert to the administrator immediately in near real-time. Malicious Code Protection SI-3 SI-3.10 Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
CCI-001244 The organization defines one or more actions to perform in response to malicious code detection, such as blocking malicious code, quarantining malicious code, or sending alerts to administrators. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the actions as block and quarantine malicious code and then send an alert to the administrator immediately in near real-time. DoD has defined the actions as block and quarantine malicious code and then send an alert to the administrator immediately in near real-time. Malicious Code Protection SI-3 SI-3.11 Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
CCI-001245 The organization addresses the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to address the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1245. The organization being inspected/assessed configures the information system to address the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1245. Malicious Code Protection SI-3 SI-3.12 Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
CCI-001246 The organization centrally manages malicious code protection mechanisms. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed centrally manages malicious code protection mechanisms. The organization being inspected/assessed documents and implements a process to centrally manage malicious code protection mechanisms. Malicious Code Protection | Central Management SI-3 (1) SI-3(1).1 Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed malicious code protection security controls. Related controls: AU-2, SI-8. The organization centrally manages malicious code protection mechanisms.
CCI-001247 The information system automatically updates malicious code protection mechanisms. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically update malicious code protection mechanisms. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1247. The organization being inspected/assessed configures the information system to automatically update malicious code protection mechanisms. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1247. Malicious Code Protection | Automatic Updates SI-3 (2) SI-3(2).1 Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8. The information system automatically updates malicious code protection mechanisms.
CCI-001248 The information system prevents non-privileged users from circumventing malicious code protection capabilities.
CCI-001249 The information system updates malicious code protection mechanisms only when directed by a privileged user. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to update malicious code protection mechanisms only when directed by a privileged user. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1249. The organization being inspected/assessed configures the information system to update malicious code protection mechanisms only when directed by a privileged user. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1249. This control enhancement may be appropriate for situations where for reasons of security or operational continuity, updates are only applied when selected/approved by designated organizational personnel. Malicious Code Protection | Updates Only By Privileged Users SI-3 (4) SI-3(4).1 This control enhancement may be appropriate for situations where for reasons of security or operational continuity, updates are only applied when selected/approved by designated organizational personnel. Related controls: AC-6, CM-5. The information system updates malicious code protection mechanisms only when directed by a privileged user.
CCI-001250 The organization does not allow users to introduce removable media into the information system.
CCI-001251 The organization tests malicious code protection mechanisms on an organization-defined frequency by introducing a known benign, non-spreading test case into the information system. The organization conducting the inspection/assessment obtains and examines the documented process and test results to ensure the organization being inspected/assessed tests malicious code protection mechanisms twice annually or when substantial changes are made to the malicious code protection mechanisms by introducing a known benign, non-spreading test case into the information system. DoD has defined the frequency as twice annually or when substantial changes are made to the malicious code protection mechanisms. The organization being inspected/assessed documents and implements a process to test malicious code protection mechanisms twice annually or when substantial changes are made to the malicious code protection mechanisms by introducing a known benign, non-spreading test case into the information system. DoD has defined the frequency as twice annually or when substantial changes are made to the malicious code protection mechanisms. Malicious Code Protection | Testing / Verification SI-3 (6) SI-3(6).1 Related controls: CA-2, CA-7, RA-5. The organization: (a) Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and (b) Verifies that both detection of the test case and associated incident reporting occur.
CCI-001670 The information system takes organization-defined least-disruptive actions to terminate suspicious events. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to take least-disruptive actions defined in SI-4 (7), CCI 1268 to terminate suspicious events. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1670. The organization being inspected/assessed configures the information system to take least-disruptive actions defined in SI-4 (7), CCI 1268 to terminate suspicious events. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1670. Information System Monitoring | Automated Response To Suspicious Events SI-4 (7) SI-4(7).4 Least-disruptive actions may include, for example, initiating requests for human responses. The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
CCI-001671 The organization analyzes outbound communications traffic at selected organization-defined interior points within the system (e.g., subnetworks, subsystems) to discover anomalies. The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of any discovered anomalies to ensure the organization being inspected/assessed analyzes outbound communications traffic at selected interior points defined in SI-4 (11), CCI 2668 within the system (e.g., subnetworks, subsystems) to discover anomalies. The organization being inspected/assessed documents and implements a process to analyze outbound communications traffic at selected interior points defined in SI-4 (11), CCI 2668 within the system (e.g., subnetworks, subsystems) to discover anomalies. The organization must maintain a record of any discovered anomalies. Information System Monitoring | Analyze Communications Traffic Anomalies SI-4 (11) SI-4(11).2 Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.
CCI-001672 The organization employs a wireless intrusion detection system to identify rogue wireless devices.
CCI-001673 The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified wireless intrusion detection system and the system hardware/software list to ensure the organization being inspected/assessed employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. The organization being inspected/assessed may be required to demonstrate use of the wireless intrusion detection system. The organization being inspected/assessed documents and implements a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. Information System Monitoring | Wireless Intrusion Detection SI-4 (14) SI-4(14).1 Wireless signals may radiate beyond the confines of organization-controlled facilities. Organizations proactively search for unauthorized wireless connections including the conduct of thorough scans for unauthorized wireless access points. Scans are not limited to those areas within facilities containing information systems, but also include areas outside of facilities as needed, to verify that unauthorized wireless access points are not connected to the systems. Related controls: AC-18, IA-3. The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
CCI-001252 The organization monitors events on the information system in accordance with organization-defined monitoring objectives and detects information system attacks.
CCI-001253 The organization defines the objectives of monitoring for attacks and indicators of potential attacks on the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the monitoring objectives as sensor placement and monitoring requirements within CJCSI 6510.01F. DoD has defined the monitoring objectives as sensor placement and monitoring requirements within CJCSI 6510.01F. Information System Monitoring SI-4 SI-4.1 Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
CCI-001254 The organization identifies unauthorized use of the information system.
CCI-001255 The organization deploys monitoring devices strategically within the information system to collect organization-determined essential information. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed deploys monitoring devices strategically within the information system to collect organization-determined essential information. The organization being inspected/assessed documents and implements a process to deploy monitoring devices strategically within the information system to collect organization-determined essential information. Information System Monitoring SI-4 SI-4.8 Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
CCI-001256 The organization deploys monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed deploys monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization. The organization being inspected/assessed documents and implements a process to deploy monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization. Information System Monitoring SI-4 SI-4.9 Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
CCI-001257 The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. The organization being inspected/assessed documents and implements a process to heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. Information System Monitoring SI-4 SI-4.13 Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
CCI-001258 The organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. The organization conducting the inspection/assessment obtains and examines the documented legal opinion to ensure the organization being inspected/assessed obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. The organization being inspected/assessed obtains and documents legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. Information System Monitoring SI-4 SI-4.14 Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
CCI-001259 The organization interconnects and configures individual intrusion detection tools into a systemwide intrusion detection system using common protocols.
CCI-001260 The organization employs automated tools to support near real-time analysis of events. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated tools to ensure the organization being inspected/assessed employs automated tools to support near real-time analysis of events. The organization being inspected/assessed may be required to demonstrate use of their automated tools. The organization being inspected/assessed documents and implements automated tools to support near real-time analysis of events. Information System Monitoring | Automated Tools For Real-Time Analysis SI-4 (2) SI-4(2).1 Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by organizational information systems. The organization employs automated tools to support near real-time analysis of events.
CCI-001261 The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
CCI-001262 The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
CCI-001263 The information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs.
CCI-001264 The organization defines indicators of compromise or potential compromise to the security of the information system which will result in information system alerts being provided to organization-defined personnel or roles. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the compromise indicators as real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B. DoD has defined the compromise indicators as real time intrusion detection and when there are threats identified by authoritative sources (e.g. CTOs) and IAW incident categories I, II, IV, & VII within CJCSM 6510.01B. Information System Monitoring | System-Generated Alerts SI-4 (5) SI-4(5).1 Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6. The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
CCI-001265 The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.
CCI-001266 The information system notifies an organization-defined list of incident response personnel (identified by name and/or by role) of detected suspicious events. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify incident response personnel defined in the incident response plan of detected suspicious events. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1266. DoD has defined the incident response personnel as incident response personnel defined in the incident response plan. The organization being inspected/assessed configures the information system to notify incident response personnel defined in the incident response plan of detected suspicious events. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1266. DoD has defined the incident response personnel as incident response personnel defined in the incident response plan. Information System Monitoring | Automated Response To Suspicious Events SI-4 (7) SI-4(7).1 Least-disruptive actions may include, for example, initiating requests for human responses. The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
CCI-001267 The organization defines a list of incident response personnel (identified by name and/or by role) to be notified of detected suspicious events. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the incident response personnel as incident response personnel defined in the incident response plan. DoD has defined the incident response personnel as incident response personnel defined in the incident response plan. Information System Monitoring | Automated Response To Suspicious Events SI-4 (7) SI-4(7).2 Least-disruptive actions may include, for example, initiating requests for human responses. The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
CCI-001268 The organization defines a list of least-disruptive actions to be taken by the information system to terminate suspicious events. The organization conducting the inspection/assessment obtains and examines the documented list of least-disruptive actions to ensure the organization being inspected/assessed defines a list of least-disruptive actions to be taken by the information system to terminate suspicious events. DoD has determined the least-disruptive actions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents a list of least-disruptive actions to be taken by the information system to terminate suspicious events. DoD has determined the least-disruptive actions are not appropriate to define at the Enterprise level. Information System Monitoring | Automated Response To Suspicious Events SI-4 (7) SI-4(7).3 Least-disruptive actions may include, for example, initiating requests for human responses. The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
CCI-001269 The organization protects information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.
CCI-001270 The organization tests intrusion monitoring tools at an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of test results to ensure the organization being inspected/assessed tests intrusion monitoring tools every 30 days. DoD has defined the frequency as every 30 days. The organization being inspected/assessed documents and implements a process to test intrusion monitoring tools every 30 days. The organization must maintain an audit trail of test results. DoD has defined the frequency as every 30 days. Information System Monitoring | Testing Of Monitoring Tools SI-4 (9) SI-4(9).1 Testing intrusion-monitoring tools is necessary to ensure that the tools are operating correctly and continue to meet the monitoring objectives of organizations. The frequency of testing depends on the types of tools used by organizations and methods of deployment. Related control: CP-9. The organization tests intrusion-monitoring tools [Assignment: organization-defined time-period].
CCI-001271 The organization defines the frequency for testing intrusion monitoring tools. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 30 days. DoD has defined the frequency as every 30 days. Information System Monitoring | Testing Of Monitoring Tools SI-4 (9) SI-4(9).2 Testing intrusion-monitoring tools is necessary to ensure that the tools are operating correctly and continue to meet the monitoring objectives of organizations. The frequency of testing depends on the types of tools used by organizations and methods of deployment. Related control: CP-9. The organization tests intrusion-monitoring tools [Assignment: organization-defined time-period].
CCI-001272 The organization makes provisions so encrypted traffic is visible to information system monitoring tools.
CCI-001273 The organization analyzes outbound communications traffic at the external boundary of the information system to discover anomalies. The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of any discovered anomalies to ensure the organization being inspected/assessed analyzes outbound communications traffic at the external boundary of the information system to discover anomalies. The organization being inspected/assessed documents and implements a process to analyze outbound communications traffic at the external boundary of the information system to discover anomalies. The organization must maintain a record of any discovered anomalies. Information System Monitoring | Analyze Communications Traffic Anomalies SI-4 (11) SI-4(11).1 Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.
CCI-001274 The organization employs automated mechanisms to alert security personnel of organization-defined inappropriate or unusual activities with security implications. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms used to alert security personnel when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B. For automated alert mechanisms that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1274. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. DoD has defined the activities that trigger alerts as when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B. The organization being inspected/assessed documents and implements automated mechanisms to alert security personnel when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B. For automated alert mechanisms that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1274. DoD has defined the activities that trigger alerts as when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B. Information System Monitoring | Automated Alerts SI-4 (12) SI-4(12).1 This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by information systems in SI-4 (5), which tend to focus on information sources internal to the systems (e.g., audit records), the sources of information for this enhancement can include other entities as well (e.g., suspicious activity reports, reports on potential insider threats). Related controls: AC-18, IA-3. The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].
CCI-001275 The organization defines the activities which will trigger alerts to security personnel of inappropriate or unusual activities. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the activities that trigger alerts as when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B. DoD has defined the activities that trigger alerts as when there are threats identified by authoritative sources (e.g. CTOs) and IAW with CJCSM 6510.01B. Information System Monitoring | Automated Alerts SI-4 (12) SI-4(12).2 This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by information systems in SI-4 (5), which tend to focus on information sources internal to the systems (e.g., audit records), the sources of information for this enhancement can include other entities as well (e.g., suspicious activity reports, reports on potential insider threats). Related controls: AC-18, IA-3. The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].
CCI-001276 The organization analyzes communications traffic/event patterns for the information system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of analysis to ensure the organization being inspected/assessed analyzes communications traffic/event patterns for the information system. The organization being inspected/assessed documents and implements a process to analyze communications traffic/event patterns for the information system. The organization must maintain a record of the analysis. Information System Monitoring | Analyze Traffic / Event Patterns SI-4 (13) SI-4(13).1 The organization: (a) Analyzes communications traffic/event patterns for the information system; (b) Develops profiles representing common traffic patterns and/or events; and (c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
CCI-001277 The organization develops profiles representing common traffic patterns and/or events. The organization conducting the inspection/assessment obtains and examines the documented profiles to ensure the organization being inspected/assessed develops profiles representing common traffic patterns and/or events. The organization being inspected/assessed develops and documents profiles representing common traffic patterns and/or events. Information System Monitoring | Analyze Traffic / Event Patterns SI-4 (13) SI-4(13).2 The organization: (a) Analyzes communications traffic/event patterns for the information system; (b) Develops profiles representing common traffic patterns and/or events; and (c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
CCI-001278 The organization uses the traffic/event profiles in tuning system monitoring devices to reduce the number of false positives to an organization-defined measure of false positives and the number of false negatives to an organization-defined measure of false negatives.
CCI-001279 The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false positives.
CCI-001280 The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false negatives.
CCI-001281 The organization employs a wireless intrusion detection system.
CCI-001282 The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified intrusion detection system to ensure the organization being inspected/assessed employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. The organization being inspected/assessed may be required to demonstrate use of the intrusion detection system. The organization being inspected/assessed documents and implements an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. Information System Monitoring | Wireless To Wireline Communications SI-4 (15) SI-4(15).1 Related control: AC-18. The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
CCI-001283 The organization correlates information from monitoring tools employed throughout the information system. The organization conducting the inspection/assessment obtains and examines the documented process and the correlated results to ensure the organization being inspected/assessed correlates information from monitoring tools employed throughout the information system. The organization being inspected/assessed documents and implements a process to correlate information from monitoring tools employed throughout the information system. Information System Monitoring | Correlate Monitoring Information SI-4 (16) SI-4(16).1 Correlating information from different monitoring tools can provide a more comprehensive view of information system activity. The correlation of monitoring tools that usually work in isolation (e.g., host monitoring, network monitoring, anti-virus software) can provide an organization-wide view and in so doing, may reveal otherwise unseen attack patterns. Understanding the capabilities/limitations of diverse monitoring tools and how to maximize the utility of information generated by those tools can help organizations to build, operate, and maintain effective monitoring programs. Related control: AU-6. The organization correlates information from monitoring tools employed throughout the information system.
CCI-001284 The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. The organization conducting the inspection/assessment obtains and examines the documented process and the correlated results to ensure the organization being inspected/assessed correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. The organization being inspected/assessed documents and implements a process to correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. Information System Monitoring | Integrated Situational Awareness SI-4 (17) SI-4(17).1 This control enhancement correlates monitoring information from a more diverse set of information sources to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated cyber attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to SI-4 (16) which correlates the various cyber monitoring information, this control enhancement correlates monitoring beyond just the cyber domain. Such monitoring may help reveal attacks on organizations that are operating across multiple attack vectors. Related control: SA-12. The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
CCI-001674 The information system responds to security function anomalies in accordance with organization-defined responses and alternative action(s).
CCI-001675 The organization defines the personnel or roles that are to receive reports on the results of security function verification. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. Security Function Verification | Report Verification Results SI-6 (3) SI-6(3).2 Organizational personnel with potential interest in security function verification results include, for example, senior information security officers, information system security managers, and information systems security officers. Related controls: SA-12, SI-4, SI-5. The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles].
CCI-001676 The organization defines, for periodic security function verification, the frequency of the verifications.
CCI-001291 The information system verifies the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
CCI-001292 The organization defines the appropriate conditions, including the system transitional states if applicable, for verifying the correct operation of security functions.
CCI-001293 The organization defines the information system responses and alternative action(s) to anomalies discovered during security function verification.
CCI-001294 The information system notifies organization-defined personnel or roles of failed security verification tests. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the ISSO and ISSM of failed security verification tests. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1294. DoD has defined the personnel or roles as the ISSO and ISSM. The organization being inspected/assessed configures the information system to notify the ISSO and ISSM of failed security verification tests. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1294. DoD has defined the personnel or roles as the ISSO and ISSM. Security Function Verification SI-6 SI-6.6 Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Related controls: CA-7, CM-6. The information system: a. Verifies the correct operation of [Assignment: organization-defined security functions]; b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
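The SI-6 pattern above (verify security functions at a transitional state or on a schedule, notify the defined roles on failure, then apply one of the selectable responses) is shown below as an added example; it is not part of the CCI list or of any STIG. The "security functions" verified here are two cryptographic primitives checked against published known-answer vectors (FIPS 180-2 SHA-256 of "abc" and RFC 4231 HMAC-SHA256 test case 1); the role names reuse the DoD value from the text (ISSO and ISSM), while the trigger names, the `on_anomaly` response string and the notification format are assumptions for the demonstration.

```python
"""Security function verification (SI-6 pattern): known-answer self-tests.

Added example, not part of the CCI list. Each registered 'security function'
is verified against a fixed test vector; on any failure the organization-
defined roles are notified and one of the control's selectable responses
(shutdown / restart / organization-defined alternative) is chosen.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Published test vectors: FIPS 180-2 (SHA-256 of "abc") and RFC 4231 test case 1.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
HMAC_KEY = bytes([0x0B] * 20)
HMAC_MSG = b"Hi There"
HMAC_EXPECTED = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"

# DoD-defined personnel/roles for SI-6 c. (from the CCI text above).
NOTIFY_ROLES = ("ISSO", "ISSM")


def verify_sha256() -> bool:
    """Known-answer test for the hash primitive."""
    return hashlib.sha256(b"abc").hexdigest() == SHA256_ABC


def verify_hmac_sha256() -> bool:
    """Known-answer test for the MAC primitive (constant-time comparison)."""
    mac = hmac.new(HMAC_KEY, HMAC_MSG, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, HMAC_EXPECTED)


# Assumed registry of organization-defined security functions to verify.
SECURITY_FUNCTIONS: Dict[str, Callable[[], bool]] = {
    "sha256-kat": verify_sha256,
    "hmac-sha256-kat": verify_hmac_sha256,
}


@dataclass
class VerificationResult:
    state: str                                   # trigger, e.g. "startup", "restart", "periodic"
    failed: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)
    action: str = "none"                         # "none", "shutdown", "restart" or an alternative


def run_verification(state: str,
                     functions: Dict[str, Callable[[], bool]] = SECURITY_FUNCTIONS,
                     on_anomaly: str = "restart") -> VerificationResult:
    """Run every security-function check; notify roles and select a response on failure."""
    result = VerificationResult(state=state)
    for name, check in functions.items():
        try:
            ok = check()
        except Exception:            # a crashing self-test is a failed test, never a pass
            ok = False
        if not ok:
            result.failed.append(name)
    if result.failed:
        summary = ", ".join(result.failed)
        for role in NOTIFY_ROLES:    # SI-6 c.: notify the defined roles
            result.notifications.append(
                f"{role}: security function verification failed at {state}: {summary}")
        result.action = on_anomaly   # SI-6 d.: selected response to the anomaly
    return result


if __name__ == "__main__":
    outcome = run_verification("startup")
    print(outcome)
```

In a real deployment the notification list would be delivered through the organization's alerting path (console message, e-mail, SIEM event) and the selected action carried out, for example by refusing to bring the service up; the example keeps both as returned data so the decision logic can be tested in isolation.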
CCI-001295 The information system implements automated mechanisms to support the management of distributed security testing. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement automated mechanisms to support the management of distributed security testing. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1295. The organization being inspected/assessed configures the information system to implement automated mechanisms to support the management of distributed security testing. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1295. Security Function Verification | Automation Support For Distributed Testing SI-6 (2) SI-6(2).1 Related control: SI-2. The information system implements automated mechanisms to support the management of distributed security testing.
CCI-001296 The organization reports the results of security function verification to organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reporting to ensure the organization being inspected/assessed reports the results of security function verification to, at a minimum, the ISSO and ISSM. DoD has defined the personnel or roles as, at a minimum, the ISSO and ISSM. The organization being inspected/assessed documents and implements a process to report the results of security function verification to, at a minimum, the ISSO and ISSM. The organization must maintain an audit trail of reporting. DoD has defined the personnel or roles as, at a minimum, the ISSO and ISSM. Security Function Verification | Report Verification Results SI-6 (3) SI-6(3).1 Organizational personnel with potential interest in security function verification results include, for example, senior information security officers, information system security managers, and information systems security officers. Related controls: SA-12, SI-4, SI-5. The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles].
CCI-001677 The organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
CCI-001305 The organization employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.
CCI-001306 The organization updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. The organization conducting the inspection/assessment obtains and examines the documented process and examines the spam protection mechanisms to ensure the organization being inspected/assessed updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. The organization being inspected/assessed documents and implements a process to update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. Spam Protection SI-8 SI-8.3 Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions. Related controls: AT-2, AT-3, SC-5, SC-7, SI-3. The organization: a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
CCI-001307 The organization centrally manages spam protection mechanisms. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed centrally manages spam protection mechanisms. The organization being inspected/assessed documents and implements a process to centrally manage spam protection mechanisms. Spam Protection | Central Management SI-8 (1) SI-8(1).1 Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls. Related controls: AU-3, SI-2, SI-7. The organization centrally manages spam protection mechanisms.
CCI-001308 The information system automatically updates spam protection mechanisms. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically update spam protection mechanisms. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1308. The organization being inspected/assessed configures the information system to automatically update spam protection mechanisms. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1308. Spam Protection | Automatic Updates SI-8 (2) SI-8(2).1 The information system automatically updates spam protection mechanisms.
CCI-001678 The organization retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. The organization conducting the inspection/assessment obtains and examines the documented list of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements which apply to the information within the information system, as well as the documented process for information retention to ensure the organization being inspected/assessed retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. The organization being inspected/assessed identifies and documents federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements which apply to the information within the information system. The organization documents and implements a process to retain information IAW those documented federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. Information Handling And Retention SI-12 SI-12.2 Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4. The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
CCI-001315 The organization handles information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. The organization conducting the inspection/assessment obtains and examines the documented list of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements which apply to the information within the information system, as well as the documented process for information handling to ensure the organization being inspected/assessed handles information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. The organization being inspected/assessed identifies and documents federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements which apply to the information within the information system. The organization documents and implements a process to handle information IAW those documented federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. Information Handling And Retention SI-12 SI-12.1 Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4. The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
CCI-001679 The organization provides a mechanism to exchange active and standby roles of the components.
CCI-001316 The organization protects the information system from harm by considering mean time to failure rates for an organization-defined list of information system components in specific environments of operation.
CCI-001317 The organization defines a list of information system components for which mean time to failure rates should be considered to protect the information system from harm.
CCI-001318 The organization provides substitute information system components. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides substitute information system components. The organization being inspected/assessed documents and implements a process to provide substitute information system components. Predictable Failure Prevention SI-13 SI-13.3 While MTTF is primarily a reliability issue, this control addresses potential failures of specific information system components that provide security capability. Failure rates reflect installation-specific consideration, not industry-average. Organizations define criteria for substitution of information system components based on MTTF value with consideration for resulting potential harm from component failures. Transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capability (e.g., preservation of state variables). Standby components remain available at all times except for maintenance issues or recovery failures in progress. Related controls: CP-2, CP-10, MA-6. The organization: a. Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and b. Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria].
CCI-001319 The organization takes information system components out of service by transferring component responsibilities to a substitute component no later than an organization-defined fraction or percentage of mean time to failure (MTTF). The organization conducting the inspection/assessment obtains and examines the documented process as well as the log of component substitution to ensure the organization being inspected/assessed takes the information system components out of service by transferring component responsibilities to a substitute component no later than a fraction or percentage of mean time to failure defined in SI-13 (1), CCI 1320. The organization being inspected/assessed documents and implements a process to take the information system components out of service by transferring component responsibilities to a substitute component no later than a fraction or percentage of mean time to failure defined in SI-13 (1), CCI 1320. The organization must maintain a log of component substitution. Predictable Failure Prevention | Transferring Component Responsibilities SI-13 (1) SI-13(1).1 The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.
CCI-001320 The organization defines the maximum fraction or percentage of mean time to failure (MTTF) used to determine when information system components are taken out of service by transferring component responsibilities to substitute components. The organization conducting the inspection/assessment obtains and examines the documented fraction or percentage to ensure the organization being inspected/assessed defines the maximum fraction or percentage of mean time to failure used to determine when information system components are taken out of service by transferring component responsibilities to substitute components. DoD has determined the fraction or percentage is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the maximum fraction or percentage of mean time to failure used to determine when information system components are taken out of service by transferring component responsibilities to substitute components. DoD has determined the fraction or percentage is not appropriate to define at the Enterprise level. Predictable Failure Prevention | Transferring Component Responsibilities SI-13 (1) SI-13(1).2 The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.
CCI-001321 The organization does not allow a process to execute without supervision for more than an organization-defined time period. The organization conducting the inspection/assessment obtains and examines any applicable evidence of process supervision to ensure the organization being inspected/assessed does not allow a process to execute without supervision for more than the time period defined in SI-7 (16), CCI 1322. The organization being inspected/assessed does not allow a process to execute without supervision for more than the time period defined in SI-7 (16), CCI 1322. Software, Firmware, And Information Integrity | Time Limit On Process Execution W/O Supervision SI-7 (16) SI-7(16).1 This control enhancement addresses processes for which normal execution periods can be determined and situations in which organizations exceed such periods. Supervision includes, for example, operating system timers, automated responses, or manual oversight and response when information system process anomalies occur. The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period].
CCI-001322 The organization defines a time period that is the longest a process is allowed to execute without supervision. The organization conducting the inspection/assessment obtains and examines the documented time period to ensure the organization being inspected/assessed defines a time period that is the longest a process is allowed to execute without supervision. DoD has determined the time period is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents a time period that is the longest a process is allowed to execute without supervision. DoD has determined the time period is not appropriate to define at the Enterprise level. Software, Firmware, And Information Integrity | Time Limit On Process Execution W/O Supervision SI-7 (16) SI-7(16).2 This control enhancement addresses processes for which normal execution periods can be determined and situations in which organizations exceed such periods. Supervision includes, for example, operating system timers, automated responses, or manual oversight and response when information system process anomalies occur. The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period].
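One automated form of the "supervision" SI-7 (16) describes is a periodic check that surfaces every process whose elapsed run time exceeds the organization-defined limit. The following is an added example, not part of the CCI list or of any STIG: it parses the output of `ps -eo pid,etimes,comm` (Linux procps; `etimes` is elapsed seconds since the process started). The sample `ps` output, the 3600-second limit and the allow-list of daemons expected to run indefinitely are constructed assumptions for the demonstration.

```python
"""SI-7 (16) pattern: flag processes running longer than the organization-defined limit.

Added example, not from the CCI list. Parses `ps -eo pid,etimes,comm` output
and returns the processes whose elapsed time exceeds the limit, excluding an
allow-list of long-lived services. All sample data below is constructed.
"""
import subprocess
from typing import Dict, Iterable, List

# Constructed sample of `ps -eo pid,etimes,comm` output (not a real capture).
SAMPLE_PS = """\
  PID ELAPSED COMMAND
    1  864000 systemd
  842  863990 sshd
 4711    7200 backup.sh
 5120      45 bash
 6003   99999 python3
"""

# Assumed: services the organization expects to run indefinitely.
DEFAULT_ALLOWLIST = {"systemd", "sshd"}


def parse_ps(output: str) -> List[Dict[str, object]]:
    """Turn `ps -eo pid,etimes,comm` text into records; the first line is the header."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split(None, 2)      # COMMAND may itself contain spaces
        if len(parts) < 3:
            continue                     # skip blank or truncated lines
        pid, etimes, comm = parts
        rows.append({"pid": int(pid), "etimes": int(etimes), "comm": comm.strip()})
    return rows


def find_unsupervised(output: str, limit_seconds: int,
                      allowlist: Iterable[str] = DEFAULT_ALLOWLIST) -> List[Dict[str, object]]:
    """Return processes whose elapsed time exceeds the organization-defined limit."""
    allowed = set(allowlist)
    return [p for p in parse_ps(output)
            if p["comm"] not in allowed and p["etimes"] > limit_seconds]


def live_ps_output() -> str:
    """Read the real process table; fall back to the constructed sample if `ps` is unavailable."""
    try:
        return subprocess.run(["ps", "-eo", "pid,etimes,comm"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_PS


if __name__ == "__main__":
    LIMIT_SECONDS = 3600                 # assumed organization-defined time period
    for proc in find_unsupervised(live_ps_output(), LIMIT_SECONDS):
        print(f"PID {proc['pid']} ({proc['comm']}) has run {proc['etimes']}s; review or terminate")
```

Run from cron or a systemd timer at the review interval, and feed the result into the response the organization has defined (ticket, alert, or automatic termination); the allow-list is what keeps the check meaningful, since without it every daemon trips the limit.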
CCI-001323 The organization manually initiates a transfer between active and standby information system components in accordance with organization-defined frequency if the mean time to failure (MTTF) exceeds an organization-defined time period.
CCI-001324 The organization defines the minimum frequency at which the organization manually initiates a transfer between active and standby information system components if the mean time to failure (MTTF) exceeds the organization-defined time period. The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the minimum frequency at which the organization manually initiates a transfer between active and standby information system components if the mean time to failure exceeds the organization-defined time period. DoD has determined the frequency is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the minimum frequency at which the organization manually initiates a transfer between active and standby information system components if the mean time to failure exceeds the organization-defined time period. DoD has determined the frequency is not appropriate to define at the Enterprise level. Predictable Failure Prevention | Manual Transfer Between Components SI-13 (3) SI-13(3).2 The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].
CCI-001325 The organization defines a time period that the mean time to failure (MTTF) must exceed before the organization manually initiates a transfer between active and standby information system components. The organization conducting the inspection/assessment obtains and examines the documented time period to ensure the organization being inspected/assessed defines a time period that the mean time to failure must exceed before the organization manually initiates a transfer between active and standby information system components. DoD has determined the time period is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents a time period that the mean time to failure must exceed before the organization manually initiates a transfer between active and standby information system components. The time period should be based on organizational need to maintain readiness of standby components. DoD has determined the time period is not appropriate to define at the Enterprise level. Predictable Failure Prevention | Manual Transfer Between Components SI-13 (3) SI-13(3).3 The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].
CCI-001326 The organization, if information system component failures are detected, ensures standby components are successfully and transparently installed within an organization-defined time period. The organization conducting the inspection/assessment obtains and examines the documented process as well as the log of standby component installation to ensure the organization being inspected/assessed transparently installs standby components within a time period defined in SI-13 (4), CCI 1327 if information system component failures are detected. The organization being inspected/assessed documents and implements a process to transparently install standby components within a time period defined in SI-13 (4), CCI 1327 if information system component failures are detected. The organization must maintain a log of standby component installation to include time periods. Predictable Failure Prevention | Standby Component Installation / Notification SI-13 (4) SI-13(4).1 Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. The organization, if information system component failures are detected: (a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and (b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
CCI-001327 The organization defines a time period for a standby information system component to be successfully and transparently installed for the information system component that has failed. The organization conducting the inspection/assessment obtains and examines the documented time period to ensure the organization being inspected/assessed defines a time period for a standby information system component to be successfully and transparently installed for the information system component that has failed. DoD has determined the time period is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents a time period for a standby information system component to be successfully and transparently installed for the information system component that has failed. DoD has determined the time period is not appropriate to define at the Enterprise level. Predictable Failure Prevention | Standby Component Installation / Notification SI-13 (4) SI-13(4).2 Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. The organization, if information system component failures are detected: (a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and (b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
CCI-001328 The organization, if an information system component failure is detected, activates an organization-defined alarm and/or automatically shuts down the information system. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to activate an alarm defined in SI-13 (4), CCI 1329 and/or automatically shuts down the information system if an information system component failure is detected. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1328. The organization being inspected/assessed configures the information system to activate an alarm defined in SI-13 (4), CCI 1329 and/or automatically shuts down the information system if an information system component failure is detected. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1328. Predictable Failure Prevention | Standby Component Installation / Notification SI-13 (4) SI-13(4).3 Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. The organization, if information system component failures are detected: (a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and (b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
CCI-001329 The organization defines the alarm to be activated when an information system component failure is detected. The organization conducting the inspection/assessment obtains and examines the documented alarm to ensure the organization being inspected/assessed defines the alarm to be activated when an information system component failure is detected. DoD has determined the alarm is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the alarm to be activated when an information system component failure is detected. DoD has determined the alarm is not appropriate to define at the Enterprise level. Predictable Failure Prevention | Standby Component Installation / Notification SI-13 (4) SI-13(4).4 Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. The organization, if information system component failures are detected: (a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and (b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
CCI-001689 The organization, if an information system component failure is detected, automatically shuts down the information system.
CCI-001680 The organization develops an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls, they must be documented in their Security Plan. DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. Information Security Program Plan PM-1 PM-1.4 Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls. Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. The organization: a. Develops and disseminates an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and d. Protects the information security program plan from unauthorized disclosure and modification.
CCI-000023 The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended.
CCI-000073 The organization develops an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements. DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. Information Security Program Plan PM-1 PM-1.1 Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls. Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. The organization: a. Develops and disseminates an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and d. Protects the information security program plan from unauthorized disclosure and modification.
CCI-000074 The organization develops an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation. DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. Information Security Program Plan PM-1 PM-1.8 Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls. Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. The organization: a. Develops and disseminates an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and d. Protects the information security program plan from unauthorized disclosure and modification.
CCI-000075 The organization reviews the organization-wide information security program plan on an organization-defined frequency. DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. Information Security Program Plan PM-1 PM-1.9 Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls. Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. The organization: a. Develops and disseminates an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and d. Protects the information security program plan from unauthorized disclosure and modification.
CCI-000076 The organization defines the frequency with which to review the organization-wide information security program plan. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate. DoD has defined the frequency as reviewed annually - updated as appropriate. Information Security Program Plan PM-1 PM-1.10 Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls. Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. The organization: a. Develops and disseminates an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and d. Protects the information security program plan from unauthorized disclosure and modification.
CCI-000077 The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments. DoD components are automatically compliant with this CCI as they are covered at the DoD level by DoDI 8500.01 and the Knowledge Service. If the organization or system owner is utilizing common controls they must be documented in their Security Plan. DoDI 8500.01 and the Knowledge Service meet the requirement for this CCI; individual organizations and system owners must provide documentation of common control implementation in their Security Plan. Information Security Program Plan PM-1 PM-1.11 Information security program plans can be represented in single documents or compilations of documents at the discretion of organizations. The plans document the program management controls and organization-defined common controls. Information security program plans provide sufficient information about the program management controls/common controls (including specification of parameters for any assignment and selection statements either explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plans and a determination of the risk to be incurred if the plans are implemented as intended. The security plans for individual information systems and the organization-wide information security program plan together, provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls. Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead, support multiple information systems. Related control: PM-8. The organization: a. Develops and disseminates an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and d. Protects the information security program plan from unauthorized disclosure and modification.
CCI-001543 The organization disseminates the most recent information security program plan to appropriate entities in the organization that includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000021 The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce dual authorization for privileged commands defined in AC-3 (2), CCI 1408 and/or other actions defined in AC-3 (2), CCI 2152. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 21. The organization being inspected/assessed configures the information system to enforce dual authorization for privileged commands defined in AC-3 (2), CCI 1408 and/or other actions defined in AC-3 (2), CCI 2152. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 21. Access Enforcement | Dual Authorization AC-3 (2) AC-3(2).1 Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety. Dual authorization may also be known as two-person control. Related controls: CP-9, MP-6. The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
CCI-000022 The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.
CCI-000024 The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent access to security-relevant information defined in AC-3 (5), CCI 1411 except during secure, non-operable system states. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 24. The organization being inspected/assessed configures the information system to prevent access to security-relevant information defined in AC-3 (5), CCI 1411 except during secure, non-operable system states. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 24. Access Enforcement | Security-Relevant Information AC-3 (5) AC-3(5).1 Security-relevant information is any information within information systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security policies or maintain the isolation of code and data. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Secure, non-operable system states include the times in which information systems are not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shut down). Related control: CM-3. The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
CCI-000213 The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 213. The organization being inspected/assessed configures the information system to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 213. Access Enforcement AC-3 AC-3.1 Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3. The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-000214 The organization establishes a Discretionary Access Control (DAC) policy that limits propagation of access rights.
CCI-000215 The organization establishes a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
CCI-001408 The organization defines privileged commands for which dual authorization is to be enforced. The organization conducting the inspection/assessment obtains and examines the documented privileged commands to ensure they have been defined. DoD has determined the other actions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents privileged commands for which dual authorization is to be enforced. DoD has determined the other actions are not appropriate to define at the Enterprise level. Access Enforcement | Dual Authorization AC-3 (2) AC-3(2).2 Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety. Dual authorization may also be known as two-person control. Related controls: CP-9, MP-6. The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
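The two-person control that AC-3 (2) and CCI-000021/CCI-001408 describe, as an added example that is not part of the CCI list or of any DoD or NIST artifact. The command set, the approver set, the user names and the emergency reason are constructed for the illustration; the rule that the requester's own approval does not count is this example's stricter reading of "two authorized individuals", and the emergency path records the public-safety exception the guidance allows rather than silently skipping the control.

```python
from dataclasses import dataclass, field

# Constructed policy for the example. The command set stands in for the
# organization-defined privileged commands of CCI-001408; the approver set
# for the individuals authorized to give one of the two approvals.
DUAL_AUTH_COMMANDS = {"rotate-root-ca-key", "purge-audit-logs", "emergency-shutdown"}
APPROVERS = {"alice", "bob", "carol"}


@dataclass
class Request:
    command: str
    requester: str
    approvals: set = field(default_factory=set)
    executed: bool = False


class DualAuthGate:
    """Runs a privileged command only after two distinct authorized individuals
    have approved it. This example takes the stricter reading in which the
    requester's own approval does not count, so one person can never satisfy
    the control alone."""

    def __init__(self, commands, approvers, executor):
        self.commands = commands
        self.approvers = approvers
        self.executor = executor      # callable that actually runs the command
        self.audit = []               # every decision, for AU-family review

    def submit(self, command, requester, emergency_reason=None):
        req = Request(command, requester)
        if command not in self.commands:
            # Not in the organization-defined set: ordinary single-person path.
            self._run(req, authorized_by=[requester])
        elif emergency_reason:
            # The control is not required when an immediate response is needed
            # for public or environmental safety; the bypass is still recorded
            # with its justification so it can be reviewed afterwards.
            self.audit.append(("emergency-bypass", command, requester, emergency_reason))
            self._run(req, authorized_by=[requester])
        return req

    def approve(self, req, approver):
        if req.executed:
            return False
        if approver not in self.approvers:
            self.audit.append(("rejected", req.command, approver, "not an authorized approver"))
            return False
        if approver == req.requester:
            self.audit.append(("rejected", req.command, approver, "self-approval"))
            return False
        req.approvals.add(approver)   # a repeat approval by the same person adds nothing
        if len(req.approvals) >= 2:
            self._run(req, authorized_by=sorted(req.approvals))
        return True

    def _run(self, req, authorized_by):
        req.executed = True
        self.audit.append(("executed", req.command, req.requester, authorized_by))
        self.executor(req.command)


def demo():
    """Constructed walk-through; returns the observable outcomes."""
    ran = []
    gate = DualAuthGate(DUAL_AUTH_COMMANDS, APPROVERS, ran.append)

    req = gate.submit("purge-audit-logs", requester="alice")
    steps = {"after_submit": req.executed}           # False: waits for approvals
    gate.approve(req, "alice")                       # rejected: requester
    gate.approve(req, "bob")                         # 1 of 2
    steps["after_one_approval"] = req.executed       # False
    gate.approve(req, "bob")                         # still 1 of 2
    steps["after_repeat_approval"] = req.executed    # False
    gate.approve(req, "mallory")                     # rejected: not an approver
    gate.approve(req, "carol")                       # 2 of 2: command runs
    steps["after_second_approver"] = req.executed    # True

    gate.submit("list-users", requester="alice")     # unprivileged, runs at once
    gate.submit("emergency-shutdown", "alice", emergency_reason="gas leak in server hall")
    steps["ran"] = ran
    steps["rejections"] = [a for a in gate.audit if a[0] == "rejected"]
    steps["bypasses"] = [a for a in gate.audit if a[0] == "emergency-bypass"]
    return steps
```

The point an assessor checks against CCI 21 is the gate itself: the command set in the configuration matches the documented CCI-001408 list, a single account cannot drive a request to execution, and every rejection and bypass leaves an audit record.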
CCI-001409 The organization defines nondiscretionary access control policies to be enforced over the organization-defined set of users and resources, where the rule set for each policy specifies access control information employed by the policy rule set (e.g., position, nationality, age, project, time of day) and required relationships among the access control information to permit access.
CCI-001410 The organization defines the set of users and resources over which the information system is to enforce nondiscretionary access control policies.
CCI-001411 The organization defines security-relevant information to which the information system prevents access except during secure, non-operable system states. The organization conducting the inspection/assessment obtains and examines the documented security-relevant information to ensure it has been defined and at a minimum, includes installing and updating crypto keys. DoD has determined the security-relevant information is not appropriate to define at the Enterprise level, but at a minimum, installing and updating crypto keys. The organization being inspected/assessed defines and documents security-relevant information to which the information system prevents access except during secure, non-operable system states. At a minimum, the security-relevant information shall include installing and updating crypto keys. DoD has determined the security-relevant information is not appropriate to define at the Enterprise level, but at a minimum, installing and updating crypto keys. Access Enforcement | Security-Relevant Information AC-3 (5) AC-3(5).2 Security-relevant information is any information within information systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security policies or maintain the isolation of code and data. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Secure, non-operable system states include the times in which information systems are not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shut down). Related control: CM-3. The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
CCI-001412 The organization encrypts or stores off-line, in a secure location, organization-defined user information.
CCI-001413 The organization encrypts or stores off-line, in a secure location, organization-defined system information.
CCI-001362 The information system enforces a Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals or groups of individuals, or by both.
CCI-001363 The organization establishes a Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals or groups of individuals, or by both.
CCI-001366 The organization defines user information to be encrypted or stored off-line in a secure location.
CCI-001367 The organization defines system information to be encrypted or stored off-line in a secure location.
CCI-001693 The information system enforces a Discretionary Access Control (DAC) policy that limits propagation of access rights.
CCI-001694 The information system enforces a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
CCI-000036 The organization separates organization-defined duties of individuals. The organization conducting the inspection/assessment obtains and examines the documented processes to ensure the organization being inspected/assessed maintains separation of the duties defined in AC-5, CCI 2219 across different individuals within the organization. The organization being inspected/assessed documents and implements processes to maintain separation of the duties defined in AC-5, CCI 2219 across different individuals within the organization. Separation Of Duties AC-5 AC-5.1 Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties.
CCI-000037 The organization implements separation of duties through assigned information system access authorizations.
CCI-001380 The organization documents separation of duties of individuals. The organization conducting the inspection/assessment obtains and examines the documented separation of duties to ensure the organization being inspected/assessed documents separation of duties of individuals. The organization being inspected/assessed documents separation of duties of individuals. Separation Of Duties AC-5 AC-5.3 Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties.
CCI-000043 The organization defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the maximum number as three. DoD has defined the maximum number as three. Unsuccessful Login Attempts AC-7 AC-7.1 This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. The information system: a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
CCI-000044 The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to limit invalid logon attempts by a user to three attempts during a 15-minute time period. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 44. DoD has defined the maximum number as three. DoD has defined the time period as 15 minutes. The organization being inspected/assessed configures the information system to limit invalid logon attempts by a user to three attempts during a 15-minute time period. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 44. DoD has defined the maximum number as three. DoD has defined the time period as 15 minutes. Unsuccessful Login Attempts AC-7 AC-7.2 This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. The information system: a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
CCI-000045 The organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period.
CCI-000046 The organization selects either a lock out mode for the organization-defined time period or delays the next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts.
CCI-000047 The information system, when the maximum number of unsuccessful attempts is exceeded, delays the next login prompt according to the organization-defined delay algorithm, automatically locks the account/node for an organization-defined time period, or locks the account/node until released by an Administrator IAW organizational policy.
CCI-001423 The organization defines the time period in which the organization-defined maximum number of consecutive invalid logon attempts occur. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 15 minutes. DoD has defined the time period as 15 minutes. Unsuccessful Login Attempts AC-7 AC-7.3 This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. The information system: a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
CCI-001452 The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
CCI-001382 The organization defines the number of consecutive, unsuccessful login attempts to the mobile device.
CCI-001383 The information system provides additional protection for mobile devices accessed via login by purging information from the device after an organization-defined number of consecutive, unsuccessful login attempts to the mobile device.
CCI-000048 The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display the DoD Information Systems – Standard Consent Banner and User Agreement before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 48. DoD has defined the use notification message or banner as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. The organization being inspected/assessed configures the information system to display the DoD Information Systems – Standard Consent Banner and User Agreement before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 48. DoD has defined the use notification message or banner as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. System Use Notification AC-8 AC-8.1 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-000049 The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording.
CCI-000050 The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 50. The organization being inspected/assessed configures the information system to retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 50. System Use Notification AC-8 AC-8.7 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-000051 The organization approves the information system use notification message before its use.
CCI-001384 The information system, for publicly accessible systems, displays system use information under organization-defined conditions before granting further access. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems - Standard Consent Banner and User Agreement," March 2013 before granting further access for publicly accessible systems. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1384. DoD has defined the conditions as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems - Standard Consent Banner and User Agreement," March 2013. The organization being inspected/assessed configures the information system to display the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems - Standard Consent Banner and User Agreement," March 2013 before granting further access for publicly accessible systems. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1384. DoD has defined the conditions as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems - Standard Consent Banner and User Agreement," March 2013. System Use Notification AC-8 AC-8.8 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-001385 The information system, for publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1385. The organization being inspected/assessed configures the information system to display references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1385. System Use Notification AC-8 AC-8.10 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-001386 The information system, for publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1386. The organization being inspected/assessed configures the information system to display references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1386. System Use Notification AC-8 AC-8.11 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-001387 The information system, for publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to display references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1387. The organization being inspected/assessed configures the information system to display references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities for publicly accessible systems. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1387. System Use Notification AC-8 AC-8.12 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-001388 The information system, for publicly accessible systems, includes a description of the authorized uses of the system. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to include a description of the authorized uses of the system for publicly accessible systems. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1388. The organization being inspected/assessed configures the information system to include a description of the authorized uses of the system for publicly accessible systems. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1388. System Use Notification AC-8 AC-8.13 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-000052 The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access). The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the user, upon successful logon (access) to the system, of the date and time of the last logon (access). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 52. The organization being inspected/assessed configures the information system to notify the user, upon successful logon (access) to the system, of the date and time of the last logon (access). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 52. Previous Logon (Access) Notification AC-9 AC-9.1 This control is applicable to logons to information systems via human user interfaces and logons to systems that occur in other types of architectures (e.g., service-oriented architectures). Related controls: AC-7, PL-4. The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
CCI-000053 The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 53. The organization being inspected/assessed configures the information system to notify the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 53. Previous Logon Notification | Unsuccessful Logons AC-9 (1) AC-9(1).1 The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
CCI-001389 The organization defines the time period that the information system notifies the user of the number of successful logon/access attempts. DoD has determined this CCI is not applicable because this option is not selected. DoD has determined this CCI is not applicable because this option is not selected. Previous Logon (Access) Notification | Successful/ Unsuccessful Logons AC-9 (2) AC-9(2).1 The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period].
CCI-001390 The organization defines the time period that the information system notifies the user of the number of unsuccessful logon/access attempts. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as the time since the last successful login (for unsuccessful logon/access attempts). DoD has defined the time period as the time since the last successful login (for unsuccessful logon/access attempts). Previous Logon (Access) Notification | Successful/ Unsuccessful Logons AC-9 (2) AC-9(2).2 The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period].
CCI-001391 The information system notifies the user of the number of successful logins/accesses that occur during the organization-defined time period. DoD has determined this CCI is not applicable because this option is not selected. DoD has determined this CCI is not applicable because this option is not selected. Previous Logon (Access) Notification | Successful/ Unsuccessful Logons AC-9 (2) AC-9(2).3 The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period].
CCI-001392 The information system notifies the user of the number of unsuccessful login/access attempts that occur during organization-defined time period. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the user of the number of unsuccessful login/access attempts that occur during the time period defined in AC-9 (2), CCI 1389. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1392. The organization being inspected/assessed configures the information system to notify the user of the number of unsuccessful login/access attempts that occur during the time period defined in AC-9 (2), CCI 1389. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1392. Previous Logon (Access) Notification | Successful/ Unsuccessful Logons AC-9 (2) AC-9(2).4 The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period].
CCI-001393 The organization defines the security-related characteristics/parameters of the user's account which, when changed, will result in a notification being provided to the user during the organization-defined time period. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security-related characteristics/parameters as access and/or privilege parameters. DoD has defined the security-related characteristics/parameters as access and/or privilege parameters. Previous Logon (Access) Notification | Notification Of Account Changes AC-9 (3) AC-9(3).1 The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period].
CCI-001394 The organization defines the time period during which organization-defined security-related changes to the user's account are to be tracked. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as since last successful login. DoD has defined the time period as since last successful login. Previous Logon (Access) Notification | Notification Of Account Changes AC-9 (3) AC-9(3).2 The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period].
CCI-001395 The information system notifies the user of changes to organization-defined security-related characteristics/parameters of the user's account that occur during the organization-defined time period. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the user of changes to access and/or privilege parameters that occur since last successful login. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1395. DoD has defined the time period as since last successful login. DoD has defined the security-related characteristics/parameters as access and/or privilege parameters. The organization being inspected/assessed configures the information system to notify the user of changes to access and/or privilege parameters that occur since last successful login. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1395. DoD has defined the time period as since last successful login. DoD has defined the security-related characteristics/parameters as access and/or privilege parameters. Previous Logon (Access) Notification | Notification Of Account Changes AC-9 (3) AC-9(3).3 The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period].
CCI-000054 The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to limit the number of concurrent sessions for all accounts and/or account types to a number of sessions defined in AC-10, CCI 55. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 54. DoD has defined the account types and/or accounts as all account types and/or accounts. The organization being inspected/assessed configures the information system to limit the number of concurrent sessions for all accounts and/or account types to a number of sessions defined in AC-10, CCI 55. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 54. DoD has defined the account types and/or accounts as all account types and/or accounts. Concurrent Session Control AC-10 AC-10.1 Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
CCI-000055 The organization defines the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type. The organization conducting the inspection/assessment obtains and examines the documented maximum number to ensure the organization being inspected/assessed defines the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type. DoD has determined the maximum number is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type. The maximum number of concurrent sessions should be defined based upon the systems operational environment and mission needs. DoD has determined the maximum number is not appropriate to define at the Enterprise level. Concurrent Session Control AC-10 AC-10.2 Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
CCI-000056 The information system retains the session lock until the user reestablishes access using established identification and authentication procedures. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to retain the session lock until the user reestablishes access using established identification and authentication procedures. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 56. The organization being inspected/assessed configures the information system to retain the session lock until the user reestablishes access using established identification and authentication procedures. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 56. Session Lock AC-11 AC-11.4 Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7. The information system: a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
CCI-000057 The information system initiates a session lock after the organization-defined time period of inactivity.
CCI-000058 The information system provides the capability for users to directly initiate session lock mechanisms. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for users to directly initiate session lock mechanisms. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 58. The organization being inspected/assessed configures the information system to provide the capability for users to directly initiate session lock mechanisms. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 58. Session Lock AC-11 AC-11.2 Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7. The information system: a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
CCI-000059 The organization defines the time period of inactivity after which the information system initiates a session lock. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 15 minutes. DoD has defined the time period as 15 minutes. Session Lock AC-11 AC-11.3 Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7. The information system: a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
CCI-000060 The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to conceal, via the session lock, information previously visible on the display with a publicly viewable image. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 60. The organization being inspected/assessed configures the information system to conceal, via the session lock, information previously visible on the display with a publicly viewable image. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 60. Session Lock | Pattern-Hiding Displays AC-11 (1) AC-11(1).1 Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
CCI-000061 The organization identifies and defines organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions. The organization conducting the inspection/assessment obtains and examines the documented user actions to ensure the organization being inspected/assessed identifies and defines the user actions that can be performed on the information system without identification and authentication. DoD has determined the user actions are not appropriate to define at the Enterprise level. The organization being inspected/assessed identifies, defines, and documents user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions. DoD has determined the user actions are not appropriate to define at the Enterprise level. Permitted Actions Without Identification Or Authentication AC-14 AC-14.1 This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none. Related controls: CP-2, IA-2. The organization: a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
CCI-000062 The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.
CCI-000232 The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication. The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed documents the supporting rationale for the actions defined in AC-14, CCI 61 to not require identification and authentication. The organization being inspected/assessed documents supporting rationale in the security plan for the actions defined in AC-14, CCI 61 to not require identification and authentication. Permitted Actions Without Identification Or Authentication AC-14 AC-14.2 This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none. Related controls: CP-2, IA-2. The organization: a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
CCI-000264 The organization develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system. The organization conducting the inspection/assessment obtains and examines the security POA&M for compliance with DoDI 8510.01. The organization being inspected/assessed will develop a security POA&M in accordance with DoDI 8510.01 Enclosure 6. POA&M templates are available on the Knowledge Service. Plan Of Action And Milestones CA-5 CA-5.1 Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. The organization: a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CCI-000265 The organization defines the frequency with which to update the existing plan of action and milestones for the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least every 90 days. DoD has defined the frequency as at least every 90 days. Plan Of Action And Milestones CA-5 CA-5.2 Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. The organization: a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CCI-000266 The organization updates, on an organization-defined frequency, the existing plan of action and milestones for the information system based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. The organization conducting the inspection/assessment obtains and examines current POA&M. The objective is to validate the organization is providing updates to the POA&M at least every 90 days. Review of POA&M without change must be documented (i.e., adding review date to the POA&M header information). DoD has defined the frequency as at least every 90 days. The organization being inspected/assessed will update the POA&M at least every 90 days. The updates are to be based upon the assessment of the identified vulnerabilities and weaknesses, prioritization of the vulnerabilities and weaknesses, progress being made in addressing and resolving the security weaknesses and vulnerabilities found in programs and systems, and continuous monitoring activities. DoD has defined the frequency as at least every 90 days. Plan Of Action And Milestones CA-5 CA-5.3 Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. The organization: a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CCI-000267 The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is accurate. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed will identify and document the automated mechanisms in use to ensure the security POA&M is accurate. Plan Of Action And Milestones | Automation Support For Accuracy / Currency CA-5 (1) CA-5(1).1 The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.
CCI-000268 The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is up to date. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed will identify and document the automated mechanisms in use to ensure the POA&M is up to date. Plan Of Action And Milestones | Automation Support For Accuracy / Currency CA-5 (1) CA-5(1).2 The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.
CCI-000269 The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is readily available. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed will identify and document the automated mechanisms in use to ensure the POA&M is readily available. Plan Of Action And Milestones | Automation Support For Accuracy / Currency CA-5 (1) CA-5(1).3 The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.
CCI-000270 The organization assigns a senior-level executive or manager as the authorizing official for the information system. The organization conducting the inspection/assessment obtains and examines the written appointment memorandum. The organization being inspected/assessed will assign a senior-level executive or manager as the official role, and the responsibility, for authorizing the information system(s). Assignment must be in writing and IAW DoDI 8510.01 (i.e., appointment memorandum). Security Authorization CA-6 CA-6.1 Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. Related controls: CA-2, CA-7, PM-9, PM-10. The organization: a. Assigns a senior-level executive or manager as the authorizing official for the information system; b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c. Updates the security authorization [Assignment: organization-defined frequency].
CCI-000271 The organization ensures the authorizing official authorizes the information system for processing before commencing operations. The organization conducting the inspection/assessment obtains and examines the authorization document to ensure the information system is authorized prior to being placed into operational status. The organization being inspected/assessed will ensure that an authorization document (e.g., authorization to operate (ATO), interim authorization to operate (IATO)) has been issued by the authorizing official (AO) prior to placing the information system into an operational status. Security Authorization CA-6 CA-6.2 Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. Related controls: CA-2, CA-7, PM-9, PM-10. The organization: a. Assigns a senior-level executive or manager as the authorizing official for the information system; b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c. Updates the security authorization [Assignment: organization-defined frequency].
CCI-000272 The organization updates the security authorization on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the security authorization documentation to confirm the security authorization has been updated within the last three years, when there was a significant change to the system, or if there was a change to the environment in which the system operates. DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates. The organization being inspected/assessed updates the security authorization at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates. DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates. Security Authorization CA-6 CA-6.3 Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. Related controls: CA-2, CA-7, PM-9, PM-10. The organization: a. Assigns a senior-level executive or manager as the authorizing official for the information system; b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c. Updates the security authorization [Assignment: organization-defined frequency].
CCI-000273 The organization defines the frequency with which to update the security authorization. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates. DoD has defined the frequency as at least every three years, whenever there is a significant change to the system, or if there is a change to the environment in which the system operates. Security Authorization CA-6 CA-6.4 Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. Related controls: CA-2, CA-7, PM-9, PM-10. The organization: a. Assigns a senior-level executive or manager as the authorizing official for the information system; b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c. Updates the security authorization [Assignment: organization-defined frequency].
CCI-000082 The organization establishes usage restrictions for organization-controlled mobile devices. The organization conducting the inspection/assessment obtains and examines the documented usage restrictions to ensure the organization being inspected/assessed establishes usage restrictions for organization-controlled mobile devices. The organization being inspected/assessed establishes and documents usage restrictions for organization-controlled mobile devices. Access Control For Mobile Devices AC-19 AC-19.1 A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. The organization: a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and b. Authorizes the connection of mobile devices to organizational information systems.
CCI-000083 The organization establishes implementation guidance for organization-controlled mobile devices. The organization conducting the inspection/assessment obtains and examines the documented implementation guidance to ensure the organization being inspected/assessed establishes implementation guidance for organization-controlled mobile devices. The organization being inspected/assessed establishes and documents implementation guidance for organization-controlled mobile devices. Access Control For Mobile Devices AC-19 AC-19.2 A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. The organization: a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and b. Authorizes the connection of mobile devices to organizational information systems.
CCI-000084 The organization authorizes connection of mobile devices to organizational information systems. The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes connection of mobile devices to organizational information systems. The organization being inspected/assessed authorizes connection of mobile devices to organizational information systems. The organization must maintain an audit trail of authorizations. Access Control For Mobile Devices AC-19 AC-19.5 A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. The organization: a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and b. Authorizes the connection of mobile devices to organizational information systems.
CCI-000085 The organization monitors for unauthorized connections of mobile devices to organizational information systems.
CCI-000086 The organization enforces requirements for the connection of mobile devices to organizational information systems.
CCI-000087 The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
CCI-000088 The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
CCI-000089 The organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
CCI-000090 The organization restricts the use of writable, removable media in organizational information systems.
CCI-000091 The organization prohibits the use of personally-owned, removable media in organizational information systems.
CCI-000092 The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.
CCI-001456 The organization defines locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
CCI-001457 The organization defines inspection and preventative measures to be applied on mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
CCI-001458 The organization requires that if classified information is found on mobile devices, the incident handling policy be followed. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires that if classified information is found on mobile devices, the incident handling policy is followed. The organization being inspected/assessed documents and implements a process to require that if classified information is found on mobile devices, the incident handling policy is followed. Access Control For Mobile Devices | Restrictions For Classified Information AC-19 (4) AC-19(4).7 Related controls: CA-6, IR-4. The organization: (a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified information systems is prohibited; (2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
CCI-001330 The organization prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official. The organization being inspected/assessed documents and implements a process to prohibit the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official. Access Control For Mobile Devices | Restrictions For Classified Information AC-19 (4) AC-19(4).1 Related controls: CA-6, IR-4. The organization: (a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified information systems is prohibited; (2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
CCI-001331 The organization prohibits connection of unclassified mobile devices to classified information systems. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits connection of unclassified mobile devices to classified information systems. The organization being inspected/assessed documents and implements a process to prohibit connection of unclassified mobile devices to classified information systems. Access Control For Mobile Devices | Restrictions For Classified Information AC-19 (4) AC-19(4).2 Related controls: CA-6, IR-4. The organization: (a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified information systems is prohibited; (2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
CCI-001332 The organization requires approval from the authorizing official for the connection of unclassified mobile devices to unclassified information systems. The organization conducting the inspection/assessment obtains and examines the documented process and the audit trail of approvals to ensure the organization being inspected/assessed requires approval from the authorizing official for the connection of unclassified mobile devices to unclassified information systems. The organization being inspected/assessed documents and implements a process to require approval from the authorizing official for the connection of unclassified mobile devices to unclassified information systems. The organization must maintain an audit trail of approvals. Access Control For Mobile Devices | Restrictions For Classified Information AC-19 (4) AC-19(4).3 Related controls: CA-6, IR-4. The organization: (a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified information systems is prohibited; (2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
CCI-001333 The organization prohibits use of internal or external modems or wireless interfaces within unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits use of internal or external modems or wireless interfaces within unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information. The organization being inspected/assessed documents and implements a process to prohibit use of internal or external modems or wireless interfaces within unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information. Access Control For Mobile Devices | Restrictions For Classified Information AC-19 (4) AC-19(4).4 Related controls: CA-6, IR-4. The organization: (a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified information systems is prohibited; (2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
CCI-001334 The organization requires that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices be subject to random reviews and inspections by organization-defined security officials. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices are subject to random reviews and inspections by the ISSM/ISSO. DoD has defined the security officials as the ISSM/ISSO. The organization being inspected/assessed documents and implements a process to require that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices are subject to random reviews and inspections by the ISSM/ISSO. DoD has defined the security officials as the ISSM/ISSO. Access Control For Mobile Devices | Restrictions For Classified Information AC-19 (4) AC-19(4).5 Related controls: CA-6, IR-4. The organization: (a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified information systems is prohibited; (2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
CCI-001335 The organization defines security officials to perform reviews and inspections of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security officials as the ISSM/ISSO. DoD has defined the security officials as the ISSM/ISSO. Access Control For Mobile Devices | Restrictions For Classified Information AC-19 (4) AC-19(4).6 Related controls: CA-6, IR-4. The organization: (a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified information systems is prohibited; (2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
CCI-000093 The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems. The organization conducting the inspection/assessment obtains and examines the documented terms and conditions to ensure the organization being inspected/assessed establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems. The organization being inspected/assessed establishes and documents terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems. Use Of External Information Systems AC-20 AC-20.1 External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. Related controls: AC-3, AC-17, AC-19, CA-3, PL-4, SA-9. The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: a. Access the information system from external information systems; and b. Process, store, or transmit organization-controlled information using external information systems.
CCI-000094 The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process organization-controlled information using the external information systems.
CCI-000095 The organization prohibits authorized individuals from using an external information system to access the information system except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
CCI-000096 The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization has approved information system connection or processing agreements with the organizational entity hosting the external information system.
CCI-000097 The organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems. The organization conducting the inspection/assessment obtains and examines The organization being inspected/assessed Use Of External Information Systems | Portable Storage Devices AC-20 (2) AC-20(2).1 Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
CCI-001465 The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to store organization-controlled information using the external information systems.
CCI-001466 The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to transmit organization-controlled information using the external information systems.
CCI-001467 The organization prohibits authorized individuals from using an external information system to process organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
CCI-001468 The organization prohibits authorized individuals from using an external information system to store organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
CCI-001469 The organization prohibits authorized individuals from using an external information system to transmit organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
CCI-000098 The organization facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information circumstances where user discretion is required. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed determines whether access authorizations assigned to the sharing partner match the access restrictions on the information for information circumstances defined in AC-21, CCI 1470 where user discretion is required. The organization being inspected/assessed documents and implements a process to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for information circumstances defined in AC-21, CCI 1470 where user discretion is required. Information Sharing AC-21 AC-21.1 This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. The organization: a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
CCI-000099 The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 99. The organization being inspected/assessed configures the information system to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 99. Information Sharing | Automated Decision Support AC-21 (1) AC-21(1).1 The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
CCI-001470 The organization defines information sharing circumstances where user discretion is required. The organization conducting the inspection/assessment obtains and examines the documented information sharing circumstances to ensure the organization being inspected/assessed defines information sharing circumstances where user discretion is required. DoD has determined the information sharing circumstances are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents information sharing circumstances where user discretion is required. DoD has determined the information sharing circumstances are not appropriate to define at the Enterprise level. Information Sharing AC-21 AC-21.2 This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. The organization: a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
CCI-001471 The organization employs organization-defined automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions. The organization conducting the inspection/assessment obtains and examines the documented process defined per AC-21, CCI 1472 to ensure the organization being inspected/assessed assists users in making information sharing/collaboration decisions. The organization being inspected/assessed implements the process defined in AC-21, CCI 1472 to assist users in making information sharing/collaboration decisions. Information Sharing AC-21 AC-21.3 This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. The organization: a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
CCI-001472 The organization defines the automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions. The organization conducting the inspection/assessment obtains and examines the documented automated mechanisms to ensure the organization being inspected/assessed defines the automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions. DoD has determined the automated mechanisms or manual processes are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions. DoD has determined the automated mechanisms or manual processes are not appropriate to define at the Enterprise level. Information Sharing AC-21 AC-21.4 This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. The organization: a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
CCI-000106 The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Security Awareness Training AT-2 AT-2.2 Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000107 The organization includes practical exercises in security awareness training that simulate actual cyber attacks. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Security Awareness | Practical Exercises AT-2 (1) AT-2(1).1 Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Related controls: CA-2, CA-7, CP-4, IR-3. The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
CCI-000112 The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Security Awareness Training AT-2 AT-2.3 Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-001479 The organization provides refresher security awareness training to all information system users (including managers, senior executives, and contractors) in accordance with the organization-defined frequency. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA's DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Security Awareness Training AT-2 AT-2.4 Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-001480 The organization defines the frequency for providing refresher security awareness training to all information system users (including managers, senior executives, and contractors). The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level (DoDD 8570.01). DoD has defined the frequency as annually. DoD has defined the frequency as annually. Security Awareness Training AT-2 AT-2.1 Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000113 The organization documents individual information system security training activities, including basic security awareness training and specific information system security training. The organization conducting the inspection/assessment obtains and examines the security awareness training activities to ensure the organization being inspected/assessed documents training activities to include basic security awareness training (per AT-2) and role-based security-related training (per AT-3) IAW DoD 8570.01M. The organization being inspected/assessed identifies and documents training activities to include basic security awareness training (per AT-2) and role-based security-related training (per AT-3) IAW DoD 8570.01M. Security Training Records AT-4 AT-4.1 Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for [Assignment: organization-defined time period].
CCI-000114 The organization monitors individual information system security training activities, including basic security awareness training and specific information system security training. The organization conducting the inspection/assessment obtains and examines records identifying personnel who have received training and the date the training was received. The organization being inspected/assessed maintains and monitors records identifying personnel who have received training and the date the training was received. Security Training Records AT-4 AT-4.2 Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for [Assignment: organization-defined time period].
CCI-001336 The organization retains individual training records for an organization-defined time period. The organization conducting the inspection/assessment obtains and examines training records to ensure records have been maintained for at least 5 years or 5 years after completion of a specific training program. DoD has defined the frequency as at least 5 years or 5 years after completion of a specific training program. The organization being inspected/assessed will maintain training records for at least 5 years or 5 years after completion of a specific training program. DoD has defined the frequency as at least 5 years or 5 years after completion of a specific training program. Security Training Records AT-4 AT-4.3 Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for [Assignment: organization-defined time period].
CCI-001337 The organization defines a time period for retaining individual training records. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least 5 years or 5 years after completion of a specific training program. DoD has defined the frequency as at least 5 years or 5 years after completion of a specific training program. Security Training Records AT-4 AT-4.4 Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for [Assignment: organization-defined time period].
CCI-000115 The organization establishes contact with selected groups and associations within the security community to facilitate ongoing security education and training; to stay up to date with the latest recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents.
CCI-000116 The organization institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training; to stay up to date with the latest recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents.
CCI-000130 The information system generates audit records containing information that establishes what type of event occurred. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes what type of event occurred. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes what type of event occurred. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 130. The organization being inspected/assessed configures the information system to generate audit records containing information that establishes what type of event occurred. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 130. Content Of Audit Records AU-3 AU-3.1 Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
CCI-000131 The information system generates audit records containing information that establishes when an event occurred. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes when an event occurred. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes when an event occurred. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 131. The organization being inspected/assessed configures the information system to generate audit records containing information that establishes when an event occurred. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 131. Content Of Audit Records AU-3 AU-3.2 Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
CCI-000132 The information system generates audit records containing information that establishes where the event occurred. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes where the event occurred. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes where the event occurred. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 132. The organization being inspected/assessed configures the information system to generate audit records containing information that establishes where the event occurred. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 132. Content Of Audit Records AU-3 AU-3.3 Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
CCI-000133 The information system generates audit records containing information that establishes the source of the event. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes the source of the event. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes the source of the event. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 133. The organization being inspected/assessed configures the information system to generate audit records containing information that establishes the source of the event. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 133. Content Of Audit Records AU-3 AU-3.4 Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
CCI-000134 The information system generates audit records containing information that establishes the outcome of the event. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes the outcome of the event. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes the outcome of the event. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 134. The organization being inspected/assessed configures the information system to generate audit records containing information that establishes the outcome of the event. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 134. Content Of Audit Records AU-3 AU-3.5 Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
CCI-000135 The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing the organization-defined additional, more detailed information as defined in AU-3 (1), CCI 1488 that is to be included in the audit records. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain organization-defined additional, more detailed information that is to be included in the audit records. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 135. The organization being inspected/assessed configures the information system to generate audit records containing the organization-defined additional, more detailed information as defined in AU-3 (1), CCI 1488 that is to be included in the audit records. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 135. Content Of Audit Records | Additional Audit Information AU-3 (1) AU-3(1).1 Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].
CCI-000136 The organization centrally manages the content of audit records generated by organization-defined information system components.
CCI-001487 The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate audit records containing information that establishes the identity of any individuals or subjects associated with the event. The organization conducting the inspection/assessment reviews the audit records generated to ensure that the records contain information that establishes the identity of any individuals or subjects associated with the event. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1487. The organization being inspected/assessed configures the information system to generate audit records containing information that establishes the identity of any individuals or subjects associated with the event. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1487. Content Of Audit Records AU-3 AU-3.6 Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
CCI-001488 The organization defines additional, more detailed information to be included in the audit records. The organization conducting the inspection/assessment obtains and examines the documented list of additional, more detailed information to be included in the audit records to ensure that: 1. The list is defined; and 2. The list includes full-text recording of privileged commands or the individual identities of group account users. DoD has determined that additional, more detailed information must include, at a minimum, full-text recording of privileged commands or the individual identities of group account users. DoD has determined that it is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents additional, more detailed information to be included in the audit records. The additional information must include, at a minimum, full-text recording of privileged commands or the individual identities of group account users. The additional information must provide sufficient detail to reconstruct events to determine cause of compromise and magnitude of damage, malfunction, or security violation. DoD has determined that additional, more detailed information must include, at a minimum, full-text recording of privileged commands or the individual identities of group account users. DoD has determined that all additional, more detailed information is not appropriate to define at the Enterprise level. Content Of Audit Records | Additional Audit Information AU-3 (1) AU-3(1).2 Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].
CCI-001489 The organization defines information system components for which generated audit records are centrally managed by the organization.
CCI-000137 The organization allocates audit record storage capacity.
CCI-000138 The organization configures auditing to reduce the likelihood of storage capacity being exceeded.
CCI-000148 The organization reviews and analyzes information system audit records on an organization-defined frequency for indications of organization-defined inappropriate or unusual activity. The organization conducting the inspection/assessment obtains and examines the documented process for audit trail reviews as well as the audit trail showing the reviews to ensure the organization being inspected/assessed reviews and analyzes information system audit records every seven days or more frequently if required by an alarm event or anomaly for indications of activity defined in AU-6, CCI 1862. DoD has defined the frequency as every seven days or more frequently if required by an alarm event or anomaly. The organization being inspected/assessed documents and implements a process to review and analyze information system audit records every seven days or more frequently if required by an alarm event or anomaly for indications of activity defined in AU-6, CCI 1862. The organization must maintain an audit trail of the reviews. DoD has defined the frequency as every seven days or more frequently if required by an alarm event or anomaly. Audit Review, Analysis, And Reporting AU-6 AU-6.1 Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles].
CCI-000149 The organization reports any findings to organization-defined personnel or roles for indications of organization-defined inappropriate or unusual activity. The organization conducting the inspection/assessment obtains and examines the documented process for reporting findings as well as a sampling of historical reports to ensure the organization being inspected/assessed reports any findings of inappropriate or unusual activity as defined in AU-6, CCI 1862 to, at a minimum, the ISSO and ISSM. DoD has defined the personnel or roles as, at a minimum, the ISSO and ISSM. The organization being inspected/assessed documents and implements a process for reporting any findings of inappropriate or unusual activity as defined in AU-6, CCI 1862 to, at a minimum, the ISSO and ISSM. DoD has defined the personnel or roles as, at a minimum, the ISSO and ISSM. Audit Review, Analysis, And Reporting AU-6 AU-6.4 Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles].
CCI-000150 The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
CCI-000151 The organization defines the frequency for the review and analysis of information system audit records for organization-defined inappropriate or unusual activity. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every seven days or more frequently if required by an alarm event or anomaly. DoD has defined the frequency as every seven days or more frequently if required by an alarm event or anomaly. Audit Review, Analysis, And Reporting AU-6 AU-6.2 Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles].
CCI-000152 The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
CCI-000153 The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of analysis to ensure the organization being inspected/assessed analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. The organization being inspected/assessed documents and implements a process to analyze and correlate audit records across different repositories to gain organization-wide situational awareness. The organization must maintain a record of the analysis. Audit Review, Analysis, And Reporting | Correlate Audit Repositories AU-6 (3) AU-6(3).1 Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness. Related controls: AU-12, IR-4. The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
CCI-000154 The information system provides the capability to centrally review and analyze audit records from multiple components within the system. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to provide a capability to centrally review and analyze audit records from multiple components within the system. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 154. The organization being inspected/assessed configures the information system to provide a capability to centrally review and analyze audit records from multiple components within the system. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 154. Audit Review, Analysis, And Reporting | Central Review And Analysis AU-6 (4) AU-6(4).1 Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Related controls: AU-2, AU-12. The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
CCI-000155 The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and network monitoring information to further enhance the ability to identify inappropriate or unusual activity.
CCI-001344 The organization specifies the permitted actions for each authorized information system process, role, and/or user in the audit and accountability policy.
CCI-001345 The organization employs automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
CCI-001346 The organization defines a list of inappropriate or unusual activities with security implications that are to result in alerts to security personnel.
CCI-001347 The organization performs, in a physically dedicated information system, full-text analysis of privileged functions executed.
CCI-001491 The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. The organization conducting the inspection/assessment obtains and examines the documented process and correlated results to ensure the organization being inspected/assessed correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. The organization being inspected/assessed will document and implement a process to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring AU-6 (6) AU-6(6).1 The correlation of physical audit information and audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual's identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred, may prove to be useful in investigations. The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
CCI-000156 The information system provides an audit reduction capability.
CCI-000157 The information system provides a report generation capability.
CCI-000158 The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide the capability to process audit records for events of interest based on audit fields within audit records as defined in AU-7 (1), CCI 1883. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 158. The organization being inspected/assessed must employ information systems that provide the capability to process audit records for events of interest based on audit fields within audit records defined in AU-7 (1), CCI 1883. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 158. Audit Reduction And Report Generation | Automatic Processing AU-7 (1) AU-7(1).1 Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
CCI-000159 The information system uses internal system clocks to generate time stamps for audit records. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to use internal system clocks to generate time stamps for audit records. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 159. The organization being inspected/assessed configures the information system to use internal system clocks to generate time stamps for audit records. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 159. Time Stamps AU-8 AU-8.1 Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12. The information system: a. Uses internal system clocks to generate time stamps for audit records; and b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
CCI-000160 The information system synchronizes internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.
CCI-000161 The organization defines the frequency for the synchronization of internal information system clocks. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 24 hours for networked systems. DoD has defined the frequency as every 24 hours for networked systems. Time Stamps | Synchronization With Authoritative Time Source AU-8 (1) AU-8(1).1 This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. The information system: (a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and (b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
CCI-001492 The organization defines an authoritative time source for the synchronization of internal information system clocks. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the authoritative time source as an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS). DoD has defined the authoritative time source as an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS). Time Stamps | Synchronization With Authoritative Time Source AU-8 (1) AU-8(1).2 This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. The information system: (a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and (b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
CCI-000166 The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed protects against an individual falsely denying having performed actions to be covered by non-repudiation defined in DoDI 8520.02 and DoDI 8520.03. DoDI 8520.02 and DoDI 8520.03 meet the DoD requirement to define the actions to be covered by non-repudiation. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 166. The organization being inspected/assessed configures the information system to protect against an individual falsely denying having performed actions to be covered by non-repudiation defined in DoDI 8520.02 and DoDI 8520.03. DoDI 8520.02 and DoDI 8520.03 meet the DoD requirement to define the actions to be covered by non-repudiation. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 166. Non-Repudiation AU-10 AU-10.1 Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts). Related controls: SC-12, SC-8, SC-13, SC-16, SC-17, SC-23. The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].
CCI-001338 The information system associates the identity of the information producer with the information.
CCI-001339 The information system validates the binding of the information producer's identity to the information.
CCI-001340 The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1340. The organization being inspected/assessed configures the information system to maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1340. Non-Repudiation | Chain Of Custody AU-10 (3) AU-10(3).1 Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, the date and time it was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release/transfer function, the information system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, this control enhancement provides organizational officials the means to identify who reviewed and released the information. In the case of automated reviews, this control enhancement ensures that only approved review functions are employed. Related controls: AC-4, AC-16. The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
CCI-001341 The information system validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between organization-defined security domains. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to validate the binding of the information reviewer's identity at the transfer or release points between security domains defined in AU-10 (4), CCI 1907. The organization being inspected/assessed configures the information system to validate the binding of the information reviewer's identity at the transfer or release points between security domains defined in AU-10 (4), CCI 1907. Non-Repudiation | Validate Binding Of Information Reviewer Identity AU-10 (4) AU-10(4).1 This control enhancement prevents the modification of information between review and transfer/release. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine whether validations are performed in response to user requests or generated automatically. Related controls: AC-4, AC-16. The information system: (a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and (b) Performs [Assignment: organization-defined actions] in the event of a validation error.
CCI-001342 The organization employs either FIPS-validated or NSA-approved cryptography to implement digital signatures.
CCI-001148 The organization employs FIPS-validated or NSA-approved cryptography to implement digital signatures.
CCI-000167 The organization retains audit records for an organization-defined time period to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. The organization conducting the inspection/assessment reviews the information system audit records and any other relevant documents or records to ensure the organization being inspected/assessed retains its audit records for 5 years for SAMI; otherwise for at least 1 year. DoD has defined the time period as 5 years for SAMI; otherwise for at least 1 year. The organization being inspected/assessed will take action to ensure it retains audit records for 5 years for SAMI; otherwise for at least 1 year to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. DoD has defined the time period as 5 years for SAMI; otherwise for at least 1 year. Audit Record Retention AU-11 AU-11.1 Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6. The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
CCI-000168 The organization defines the time period for retention of audit records, which is consistent with its records retention policy, to provide support for after-the-fact investigations of security incidents and meet regulatory and organizational information retention requirements. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 5 years for SAMI; otherwise for at least 1 year. DoD has defined the time period as 5 years for SAMI; otherwise for at least 1 year. Audit Record Retention AU-11 AU-11.2 Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6. The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
CCI-000206 The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 206. The organization being inspected/assessed configures the information system to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 206. Authenticator Feedback IA-6 IA-6.1 The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it. Related control: PE-18. The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
CCI-000209 The organization develops the results of information security measures of performance. The Federal Information Systems Management Act (FISMA) meets the DoD requirements for information security measures of performance. DoD organizations are automatically compliant with this CCI as they are covered at the DoD level by FISMA. The Federal Information Systems Management Act (FISMA) meets the DoD requirements for information security measures of performance. Information Security Measures Of Performance PM-6 PM-6.1 Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program. The organization develops, monitors, and reports on the results of information security measures of performance.
CCI-000210 The organization monitors the results of information security measures of performance. The Federal Information Systems Management Act (FISMA) meets the DoD requirements for information security measures of performance. DoD organizations are automatically compliant with this CCI as they are covered at the DoD level by FISMA. The Federal Information Systems Management Act (FISMA) meets the DoD requirements for information security measures of performance. Information Security Measures Of Performance PM-6 PM-6.2 Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program. The organization develops, monitors, and reports on the results of information security measures of performance.
CCI-000211 The organization reports on the results of information security measures of performance. The organization conducting the inspection/assessment obtains and examines FISMA reporting documentation. The organization being inspected/assessed reports the results of information security measures of performance IAW FISMA reporting guidance. Information Security Measures Of Performance PM-6 PM-6.3 Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program. The organization develops, monitors, and reports on the results of information security measures of performance.
CCI-000212 The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. The GIG IA Architecture meets the DoD requirements for enterprise architecture. DoD components are automatically compliant with this CCI as they are covered at the DoD level. The GIG IA Architecture meets the DoD requirements for enterprise architecture. DoD components are automatically compliant with this CCI as they are covered at the DoD level. Enterprise Architecture PM-7 PM-7.1 The enterprise architecture developed by the organization is aligned with the Federal Enterprise Architecture. The integration of information security requirements and associated security controls into the organization's enterprise architecture helps to ensure that security considerations are addressed by organizations early in the system development life cycle and are directly and explicitly related to the organization's mission/business processes. This process of security requirements integration also embeds into the enterprise architecture an integral information security architecture consistent with organizational risk management and information security strategies. For PM-7, the information security architecture is developed at a system-of-systems level (organization-wide), representing all of the organizational information systems. For PL-8, the information security architecture is developed at a level representing an individual information system but at the same time is consistent with the information security architecture defined for the organization. Security requirements and security control integration are most effectively accomplished through the application of the Risk Management Framework and supporting security standards and guidelines. The Federal Segment Architecture Methodology provides guidance on integrating information security requirements and security controls into enterprise architectures. Related controls: PL-2, PL-8, PM-11, RA-2, SA-3. The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
CCI-000078 The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. DoD organizations are automatically compliant with this CCI as they are covered by the appointment of the DoD SISO. The Deputy DoD CIO for Cyber Security is the DoD Senior Information Security Officer (SISO), appointed in writing with the mission and resources to coordinate, develop, implement and maintain a DoD-wide information security program. Senior Information Security Officer PM-2 PM-2.1 The security officer described in this control is an organizational official. For a federal agency (as defined in applicable federal laws, Executive Orders, directives, policies, or regulations) this official is the Senior Agency Information Security Officer. Organizations may also refer to this official as the Senior Information Security Officer or Chief Information Security Officer. The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
CCI-000080 The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement. The organization being inspected/assessed documents and implements a process to ensure that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement. Information Security Resources PM-3 PM-3.1 Organizations consider establishing champions for information security efforts and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process. Related controls: PM-4, SA-2. The organization: a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and c. Ensures that information security resources are available for expenditure as planned.
CCI-000081 The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs a business case/Exhibit 300/Exhibit 53 to record the resources required. The organization being inspected/assessed documents and implements a process to employ a business case/Exhibit 300/Exhibit 53 to record the resources required. Information Security Resources PM-3 PM-3.2 Organizations consider establishing champions for information security efforts and as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process. Related controls: PM-4, SA-2. The organization: a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and c. Ensures that information security resources are available for expenditure as planned.
CCI-000141 The organization ensures that information security resources are available for expenditure as planned. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that information security resources are available for expenditure as planned. The organization being inspected/assessed documents and implements a process to ensure that information security resources are available for expenditure as planned. Information Security Resources PM-3 PM-3.3 Organizations consider establishing champions for information security efforts and, as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process. Related controls: PM-4, SA-2. The organization: a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and c. Ensures that information security resources are available for expenditure as planned.
CCI-000142 The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained. DoDI 8510.01 and the Knowledge Service meet the DoD requirements to maintain a process for plans of action and milestones for the security program. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. DoDI 8510.01 and the Knowledge Service meet the DoD requirements to maintain a process for plans of action and milestones for the security program. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. Plan Of Action And Milestones Process PM-4 PM-4.1 The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB. With the increasing emphasis on organization-wide risk management across all three tiers in the risk management hierarchy (i.e., organization, mission/business process, and information system), organizations view plans of action and milestones from an organizational perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from security control assessments and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. Related control: CA-5. The organization: a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: 1. Are developed and maintained; 2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and 3. Are reported in accordance with OMB FISMA reporting requirements. b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
CCI-000170 The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation. DoDI 8510.01 and the Knowledge Service meet the DoD requirements to maintain a process to document the remedial information security actions that mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. DoDI 8510.01 and the Knowledge Service meet the DoD requirements to maintain a process to document the remedial information security actions that mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8510.01 and the Knowledge Service. Plan Of Action And Milestones Process PM-4 PM-4.3 The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB. With the increasing emphasis on organization-wide risk management across all three tiers in the risk management hierarchy (i.e., organization, mission/business process, and information system), organizations view plans of action and milestones from an organizational perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from security control assessments and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. Related control: CA-5. The organization: a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: 1. Are developed and maintained; 2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and 3. Are reported in accordance with OMB FISMA reporting requirements. b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
CCI-000207 The organization develops and maintains an inventory of its information systems. DITPR is the inventory for all DoD information systems. The organization conducting the inspection/assessment obtains and examines the inventory of information systems via DITPR to ensure the organization being inspected/assessed registers their information systems in DITPR. DITPR is the inventory for all DoD information systems. The organization being inspected/assessed must register and maintain their information systems in DITPR. Information System Inventory PM-5 PM-5.1 This control addresses the inventory requirements in FISMA. OMB provides guidance on developing information systems inventories and associated reporting requirements. For specific information system inventory reporting requirements, organizations consult OMB annual FISMA reporting guidance. The organization develops and maintains an inventory of its information systems.
CCI-000227 The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems. DoD Risk Management Framework meets the requirement for a comprehensive organizational risk strategy. DoD components are automatically compliant with this CCI because they are covered by DoD Risk Management Framework (DoDI 8510.01). DoD Risk Management Framework meets the requirement for a comprehensive organizational risk strategy. DoD components are automatically compliant with this CCI because they are covered by the DoD Risk Management Framework (DoDI 8510.01). Risk Management Strategy PM-9 PM-9.1 An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive. Related control: RA-3. The organization: a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; b. Implements the risk management strategy consistently across the organization; and c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.
CCI-000228 The organization implements a comprehensive strategy to manage risk to organization operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems consistently across the organization. DoD Risk Management Framework meets the requirement for a comprehensive organizational risk strategy. DoD components are automatically compliant with this CCI because they are covered by DoD Risk Management Framework (DoDI 8510.01). DoD Risk Management Framework meets the requirement for a comprehensive organizational risk strategy. DoD components are automatically compliant with this CCI because they are covered by the DoD Risk Management Framework (DoDI 8510.01). Risk Management Strategy PM-9 PM-9.2 An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and comprehensive. Related control: RA-3. The organization: a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; b. Implements the risk management strategy consistently across the organization; and c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.
CCI-000229 The organization documents the security state of organizational information systems and the environments in which those systems operate through security authorization processes. DoDI 8510.01 meets the DoD requirement to manage the security authorization process. DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. DoDI 8510.01 meets the DoD requirement to manage the security authorization process. DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. Security Authorization Process PM-10 PM-10.1 Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6. The organization: a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes; b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and c. Fully integrates the security authorization processes into an organization-wide risk management program.
CCI-000230 The organization tracks the security state of organizational information systems and the environments in which those systems operate through security authorization processes. DoDI 8510.01 meets the DoD requirement to manage the security authorization process. DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. DoDI 8510.01 meets the DoD requirement to manage the security authorization process. DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. Security Authorization Process PM-10 PM-10.2 Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6. The organization: a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes; b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and c. Fully integrates the security authorization processes into an organization-wide risk management program.
CCI-000231 The organization reports the security state of organizational information systems and the environments in which those systems operate through security authorization processes. DoDI 8510.01 meets the DoD requirement to manage the security authorization process. DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. DoDI 8510.01 meets the DoD requirement to manage the security authorization process. DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. Security Authorization Process PM-10 PM-10.3 Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6. The organization: a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes; b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and c. Fully integrates the security authorization processes into an organization-wide risk management program.
CCI-000233 The organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process. DoDI 8510.01 meets the DoD requirement to designate roles and responsibilities for the risk management process. DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. DoDI 8510.01 meets the DoD requirement to designate roles and responsibilities for the risk management process. DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. Security Authorization Process PM-10 PM-10.4 Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6. The organization: a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes; b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and c. Fully integrates the security authorization processes into an organization-wide risk management program.
CCI-000234 The organization fully integrates the security authorization processes into an organization-wide risk management program. DoDI 8510.01 meets the DoD requirement to fully integrate the security authorization process. DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. DoDI 8510.01 meets the DoD requirement to fully integrate the security authorization process. DoD components are automatically compliant with this CCI because they are covered at the DoD level, DoDI 8510.01. Security Authorization Process PM-10 PM-10.5 Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation. Related control: CA-6. The organization: a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes; b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and c. Fully integrates the security authorization processes into an organization-wide risk management program.
CCI-000235 The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. DoDI 8510.01 meets the DoD requirement to define mission/business processes. DoD components are automatically compliant with this CCI as they are covered at the DoD level, DoDI 8510.01. DoDI 8510.01 meets the DoD requirement to define mission/business processes. DoD components are automatically compliant with this CCI as they are covered at the DoD level, DoDI 8510.01. Mission/Business Process Definition PM-11 PM-11.1 Information protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, or the Nation through the compromise of information (i.e., loss of confidentiality, integrity, or availability). Information protection needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy. Information protection needs determine the required security controls for the organization and the associated information systems supporting the mission/business processes. Inherent in defining an organization's information protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. The security categorization process is used to make such potential impact determinations. Mission/business process definitions and associated information protection requirements are documented by the organization in accordance with organizational policy and procedure. Related controls: PM-7, PM-8, RA-2. The organization: a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
CCI-000236 The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs are obtained. The organization conducting the inspection/assessment obtains and examines the security plan to ensure the security categorization has been documented IAW CNSSI 1253. The organization being inspected/assessed determines information protection needs IAW CNSSI 1253 and as identified in RA-2. Mission/Business Process Definition PM-11 PM-11.2 Information protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, or the Nation through the compromise of information (i.e., loss of confidentiality, integrity, or availability). Information protection needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy. Information protection needs determine the required security controls for the organization and the associated information systems supporting the mission/business processes. Inherent in defining an organization's information protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. The security categorization process is used to make such potential impact determinations. Mission/business process definitions and associated information protection requirements are documented by the organization in accordance with organizational policy and procedure. Related controls: PM-7, PM-8, RA-2. The organization: a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
CCI-001460 The organization monitors organization-defined open source information and/or information sites per organization-defined frequency for evidence of unauthorized exfiltration or disclosure of organizational information. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring activity to ensure the organization being inspected/assessed monitors open source information and/or information sites defined in AU-13, CCI 1915 for evidence of unauthorized exfiltration or disclosure of organizational information on a frequency defined in AU-13, CCI 1461. The organization being inspected/assessed documents and implements a process to monitor open source information and/or information sites defined in AU-13, CCI 1915 for evidence of unauthorized exfiltration or disclosure of organizational information on a frequency defined in AU-13, CCI 1461. The organization must maintain an audit trail of monitoring activity. Monitoring For Information Disclosure AU-13 AU-13.1 Open source information includes, for example, social networking sites. Related controls: PE-3, SC-7. The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.
CCI-001461 The organization defines a frequency for monitoring open source information and/or information sites for evidence of unauthorized exfiltration or disclosure of organizational information. The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency for monitoring open source information and/or information sites for evidence of unauthorized exfiltration or disclosure of organizational information. DoD has determined that the frequency should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. The organization being inspected/assessed defines and documents the frequency for monitoring open source information and/or information sites for evidence of unauthorized exfiltration or disclosure of organizational information. DoD has determined that the frequency should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. Monitoring For Information Disclosure AU-13 AU-13.2 Open source information includes, for example, social networking sites. Related controls: PE-3, SC-7. The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.
CCI-000338 The organization defines physical access restrictions associated with changes to the information system. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines physical access restrictions associated with changes to the information system. The organization being inspected/assessed defines and documents in the configuration management policy, physical access restrictions associated with changes to the information system. Access Restrictions For Change CM-5 CM-5.1 Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CCI-000339 The organization documents physical access restrictions associated with changes to the information system. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed documents physical access restrictions associated with changes to the information system. The organization being inspected/assessed documents, in the configuration management policy, physical access restrictions associated with changes to the information system. Access Restrictions For Change CM-5 CM-5.2 Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CCI-000340 The organization approves physical access restrictions associated with changes to the information system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of approvals to ensure the organization being inspected/assessed approves physical access restrictions associated with changes to the information system. The organization being inspected/assessed documents and implements a process to approve physical access restrictions associated with changes to the information system. The organization must maintain an audit trail of approvals. Access Restrictions For Change CM-5 CM-5.3 Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CCI-000341 The organization enforces physical access restrictions associated with changes to the information system. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed enforces physical access restrictions associated with changes to the information system as documented in the configuration management policy. The organization being inspected/assessed documents and implements a process to enforce physical access restrictions associated with changes to the information system. Access Restrictions For Change CM-5 CM-5.4 Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CCI-000342 The organization defines logical access restrictions associated with changes to the information system. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines logical access restrictions associated with changes to the information system. The organization being inspected/assessed defines and documents in the configuration management policy, logical access restrictions associated with changes to the information system. Access Restrictions For Change CM-5 CM-5.5 Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CCI-000343 The organization documents logical access restrictions associated with changes to the information system. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed documents logical access restrictions associated with changes to the information system. The organization being inspected/assessed documents, in the configuration management policy, logical access restrictions associated with changes to the information system. Access Restrictions For Change CM-5 CM-5.6 Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CCI-000344 The organization approves logical access restrictions associated with changes to the information system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of approvals to ensure the organization being inspected/assessed approves logical access restrictions associated with changes to the information system. The organization being inspected/assessed documents and implements a process to approve logical access restrictions associated with changes to the information system. The organization must maintain an audit trail of approvals. Access Restrictions For Change CM-5 CM-5.7 Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CCI-000345 The organization enforces logical access restrictions associated with changes to the information system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the logical access audit trail to ensure the organization being inspected/assessed enforces logical access restrictions associated with changes to the information system as documented in the configuration management policy. The organization being inspected/assessed documents and implements a process to enforce logical access restrictions associated with changes to the information system. The information system must maintain an audit trail of logical access to the information system pertaining to information system changes. Access Restrictions For Change CM-5 CM-5.8 Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3. The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CCI-000346 The organization employs automated mechanisms to enforce access restrictions.
CCI-000347 The organization employs automated mechanisms to support auditing of the enforcement actions.
CCI-000348 The organization defines a frequency with which to conduct reviews of information system changes. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems. DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems. Access Restrictions For Change | Review System Changes CM-5 (2) CM-5(2).1 Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process. Related controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8. The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
CCI-000349 The organization reviews information system changes per organization-defined frequency to determine whether unauthorized changes have occurred. The organization conducting the inspection/assessment obtains and examines the documented process for information system change review as well as the audit trail of reviews to ensure the organization being inspected/assessed reviews IS changes every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems to determine whether unauthorized changes have occurred. DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems. The organization being inspected/assessed documents in the configuration management policy and implements a process to review information system changes every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems to determine whether unauthorized changes have occurred. The organization must maintain this review as an audit trail. DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems. Access Restrictions For Change | Review System Changes CM-5 (2) CM-5(2).2 Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process. Related controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8. The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
CCI-000350 The organization reviews information system changes upon organization-defined circumstances to determine whether unauthorized changes have occurred. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reviews to ensure the organization being inspected/assessed reviews the information system changes when there is an incident or when planned changes have been performed to determine whether unauthorized changes have occurred. DoD has defined the circumstances as when there is an incident or when planned changes have been performed. The organization being inspected/assessed documents and implements a process to review the information system changes when there is an incident or when planned changes have been performed to determine whether unauthorized changes have occurred. The organization must maintain this review as an audit trail. DoD has defined the circumstances as when there is an incident or when planned changes have been performed. Access Restrictions For Change | Review System Changes CM-5 (2) CM-5(2).3 Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process. Related controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8. The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
CCI-000351 The organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate.
CCI-000352 The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.
CCI-000353 The organization defines information system components requiring enforcement of a dual authorization for information system changes. The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components requiring enforcement of a dual authorization for information system changes. DoD has determined the information system components are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents information system components requiring enforcement of a dual authorization for information system changes. DoD has determined the information system components are not appropriate to define at the Enterprise level. Access Restrictions For Change | Dual Authorization CM-5 (4) CM-5(4).1 Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control. Related controls: AC-5, CM-3. The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].
CCI-000354 The organization enforces dual authorization for changes to organization-defined information system components. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed enforces dual authorization for changes to information system components defined in CM-5 (4), CCI 353. The organization being inspected/assessed documents and implements a process to enforce dual authorization for changes to information system components defined in CM-5 (4), CCI 353. Access Restrictions For Change | Dual Authorization CM-5 (4) CM-5(4).2 Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control. Related controls: AC-5, CM-3. The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].
CCI-000355 The organization limits information system developer/integrator privileges to change hardware components directly within a production environment.
CCI-000356 The organization limits information system developer/integrator privileges to change software components directly within a production environment.
CCI-000357 The organization limits information system developer/integrator privileges to change firmware components directly within a production environment.
CCI-000358 The organization limits information system developer/integrator privileges to change system information directly within a production environment.
CCI-000359 The organization defines the frequency to review information system developer/integrator privileges.
CCI-000360 The organization defines the frequency to reevaluate information system developer/integrator privileges.
CCI-000361 The organization reviews information system developer/integrator privileges per organization-defined frequency.
CCI-000362 The organization reevaluates information system developer/integrator privileges per organization-defined frequency.
CCI-001499 The organization limits privileges to change software resident within software libraries. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed limits privileges to change software resident within software libraries. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1499. The organization being inspected/assessed documents and implements a process to limit privileges to accounts authorized to change software resident within software libraries. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1499. Access Restrictions For Change | Limit Library Privileges CM-5 (6) CM-5(6).1 The organization limits privileges to change software resident within software libraries.
CCI-001500 The information system automatically implements organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.
CCI-001501 The organization defines safeguards and countermeasures to be employed by the information system if security functions (or mechanisms) are changed inappropriately.
CCI-000389 The organization develops an inventory of information system components that accurately reflects the current information system. The organization conducting the inspection/assessment obtains and examines the documented inventory and examines a sampling of information system components to ensure inventory accurately reflects the current information system. The organization being inspected/assessed documents inventory of information system components that accurately reflects the current information system. Information System Component Inventory CM-8 CM-8.1 Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
CCI-000390 The organization documents an inventory of information system components that accurately reflects the current information system.
CCI-000391 The organization maintains an inventory of information system components that accurately reflects the current information system.
CCI-000392 The organization develops an inventory of information system components that includes all components within the authorization boundary of the information system. The organization conducting the inspection/assessment obtains and examines the documented inventory and examines a sampling of information system components to ensure inventory includes all components within the authorization boundary of the information system. The organization being inspected/assessed documents inventory of information system components that includes all components within the authorization boundary of the information system. Information System Component Inventory CM-8 CM-8.2 Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
CCI-000393 The organization documents an inventory of information system components that includes all components within the authorization boundary of the information system.
CCI-000394 The organization maintains an inventory of information system components that is consistent with the authorization boundary of the information system.
CCI-000395 The organization develops an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. The organization conducting the inspection/assessment obtains and examines the documented inventory and examines a sampling of information system components to ensure inventory is at the level of granularity deemed necessary for tracking and reporting. The organization being inspected/assessed documents inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. Information System Component Inventory CM-8 CM-8.3 Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
CCI-000396 The organization documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
CCI-000397 The organization maintains an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
CCI-000398 The organization defines information deemed necessary to achieve effective information system component accountability. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information as hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name. DoD has defined the information as hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name. Information System Component Inventory CM-8 CM-8.4 Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
CCI-000399 The organization develops an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability. The organization conducting the inspection/assessment obtains and examines the documented inventory and examines a sampling of information system components to ensure inventory includes organization-defined information deemed necessary to achieve effective information system component accountability. The organization being inspected/assessed documents inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability. Information System Component Inventory CM-8 CM-8.5 Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
CCI-000400 The organization documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability.
CCI-000401 The organization maintains an inventory of information system components that includes organization-defined information deemed necessary to achieve effective property accountability.
CCI-000402 The organization develops an inventory of information system components that is available for review by designated organizational officials.
CCI-000403 The organization documents an inventory of information system components that is available for review by designated organizational officials.
CCI-000404 The organization maintains an inventory of information system components that is available for review by designated organizational officials.
CCI-000405 The organization develops an inventory of information system components that is available for audit by designated organizational officials.
CCI-000406 The organization documents an inventory of information system components that is available for audit by designated organizational officials.
CCI-000407 The organization maintains an inventory of information system components that is available for audit by designated organizational officials.
CCI-000408 The organization updates the inventory of information system components as an integral part of component installations. The organization conducting the inspection/assessment obtains and examines the documented process for updates as well as the audit trail of updates and the log of changes to the information system to ensure the organization being inspected/assessed updates the inventory of information system components as an integral part of component installations. The organization being inspected/assessed documents and implements a process to update the inventory of information system components as an integral part of component installations. The organization must maintain an audit trail of updates. The audit trail may be recorded within the inventory itself. Information System Component Inventory | Updates During Installations / Removals CM-8 (1) CM-8(1).1 The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
CCI-000409 The organization updates the inventory of information system components as an integral part of component removals. The organization conducting the inspection/assessment obtains and examines the documented process for updates as well as the audit trail of updates and the log of changes to the information system to ensure the organization being inspected/assessed updates the inventory of information system components as an integral part of component removals. The organization being inspected/assessed documents and implements a process to update the inventory of information system components as an integral part of component removals. The organization must maintain an audit trail of updates. The audit trail may be recorded within the inventory itself. Information System Component Inventory | Updates During Installations / Removals CM-8 (1) CM-8(1).2 The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
CCI-000410 The organization updates the inventory of information system components as an integral part of information system updates. The organization conducting the inspection/assessment obtains and examines the documented process for updates as well as the audit trail of updates and the log of changes to the information system to ensure the organization being inspected/assessed updates the inventory of information system components as an integral part of information system updates. The organization being inspected/assessed documents and implements a process to update the inventory of information system components as an integral part of information system updates. The organization must maintain an audit trail of updates. The audit trail may be recorded within the inventory itself. Information System Component Inventory | Updates During Installations / Removals CM-8 (1) CM-8(1).3 The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
CCI-000411 The organization employs automated mechanisms to help maintain an up-to-date inventory of information system components. The organization conducting the inspection/assessment obtains and examines the documentation identifying the automated mechanism used to help maintain an up-to-date inventory of information system components and examines the mechanism to ensure the organization being inspected/assessed employs automated mechanisms to help maintain an up-to-date inventory of information system components. The organization being inspected/assessed documents and implements automated mechanisms to help maintain an up-to-date inventory of information system components. An automated mechanism implemented IAW CM-2 (2) satisfies the requirements of this CCI if the automated mechanism maintains an up-to-date inventory. Information System Component Inventory | Automated Maintenance CM-8 (2) CM-8(2).1 Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7. The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CCI-000412 The organization employs automated mechanisms to help maintain a complete inventory of information system components. The organization conducting the inspection/assessment obtains and examines the documentation identifying the automated mechanism used to help maintain a complete inventory of information system components and examines the mechanism to ensure the organization being inspected/assessed employs automated mechanisms to help maintain a complete inventory of information system components. The organization being inspected/assessed documents and implements automated mechanisms to help maintain a complete inventory of information system components. An automated mechanism implemented IAW CM-2 (2) satisfies the requirements of this CCI if the automated mechanism maintains a complete inventory. Information System Component Inventory | Automated Maintenance CM-8 (2) CM-8(2).2 Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7. The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CCI-000413 The organization employs automated mechanisms to help maintain an accurate inventory of information system components. The organization conducting the inspection/assessment obtains and examines the documentation identifying the automated mechanism used to help maintain an accurate inventory of information system components and examines the mechanism to ensure the organization being inspected/assessed employs automated mechanisms to help maintain an accurate inventory of information system components. The organization being inspected/assessed documents and implements automated mechanisms to help maintain an accurate inventory of information system components. An automated mechanism implemented IAW CM-2 (2) satisfies the requirements of this CCI if the automated mechanism maintains an accurate inventory. Information System Component Inventory | Automated Maintenance CM-8 (2) CM-8(2).3 Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7. The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CCI-000414 The organization employs automated mechanisms to help maintain a readily available inventory of information system components. The organization conducting the inspection/assessment obtains and examines the documentation identifying the automated mechanism used to help maintain a readily available inventory of information system components and examines the mechanism to ensure the organization being inspected/assessed employs automated mechanisms to help maintain a readily available inventory of information system components. The organization being inspected/assessed documents and implements automated mechanisms to help maintain a readily available inventory of information system components. An automated mechanism implemented IAW CM-2 (2) satisfies the requirements of this CCI if the automated mechanism maintains a readily available inventory. Information System Component Inventory | Automated Maintenance CM-8 (2) CM-8(2).4 Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7. The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CCI-000415 The organization defines the frequency of employing automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as continuously. DoD has defined the frequency as continuously. Information System Component Inventory | Automated Unauthorized Component Detection CM-8 (3) CM-8(3).1 This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing. Related controls: AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5. The organization: (a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
CCI-000416 The organization employs automated mechanisms, per organization-defined frequency, to detect the presence of unauthorized hardware, software, and firmware components within the information system. The organization conducting the inspection/assessment obtains and examines the documentation identifying the automated mechanisms and examines the implemented automated mechanisms to ensure the organization being inspected/assessed employs automated mechanisms, continuously, to detect the presence of unauthorized hardware, software, and firmware components within the information system. DoD has defined the frequency as continuously. The organization being inspected/assessed documents and implements automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system continuously. DoD has defined the frequency as continuously. Information System Component Inventory | Automated Unauthorized Component Detection CM-8 (3) CM-8(3).2 This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing. Related controls: AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5. The organization: (a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
CCI-000417 The organization disables network access by unauthorized components/devices or notifies designated organizational officials.
CCI-000418 The organization includes, in the information system component inventory information, a means for identifying by name, position, and/or role, individuals responsible/accountable for administering those components. The organization conducting the inspection/assessment obtains and examines the information system component inventory to verify that the organization being inspected/assessed identifies within their inventory, the name and position or role of individuals responsible/accountable for administering those components or a means of identifying those individuals. The organization being inspected/assessed documents within their information system component inventory, the name and position or role of individuals responsible/accountable for administering those components or a means of identifying those individuals. Information System Component Inventory | Accountability Information CM-8 (4) CM-8(4).1 Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated). The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
CCI-000419 The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories. The organization conducting the inspection/assessment obtains and examines the inventory list of the authorized information system and verifies that all components identified during the inspection are not duplicated in other information system inventories. The organization being inspected/assessed verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories. Information System Component Inventory | No Duplicate Accounting Of Components CM-8 (5) CM-8(5).1 This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems. The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
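The CM-8 (3), CM-8 (4) and CM-8 (5) rows above describe three inventory checks in prose: detecting components present on the network but absent from every authorized inventory (and selecting a response for each), flagging inventory entries with no accountable individual or role, and flagging components accounted for in more than one system's inventory. The following is an added example, not part of the DISA CCI list or any DoD tool, showing the reconciliation logic an assessor could run against exported inventory data. The inventories, MAC addresses, hostnames, system names and the discovery output are all constructed for illustration; a real mechanism would feed this from an asset database and a switch CAM/DHCP/ARP export and would key on more than a MAC address, which can be spoofed.

```python
"""Reconcile discovered network components against authorized system inventories.

Added example (not DISA/DoD code). All inventory data below is constructed;
MACs, hostnames, IPs, system names and owners are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    mac: str        # any common MAC notation; normalized before comparison
    hostname: str
    system: str     # authorization boundary the component is inventoried under
    owner: str = ""  # CM-8(4): name, position and/or role administering it


def normalize_mac(mac: str) -> str:
    """Map 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' to one canonical form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed authorized inventories, one per authorization boundary.
AUTHORIZED = {
    "SYS-A": [
        Component("00:11:22:33:44:01", "web01", "SYS-A", "J. Doe / ISSO"),
        Component("00:11:22:33:44:02", "db01", "SYS-A", "DBA role"),
        Component("00:11:22:33:44:03", "mgmt01", "SYS-A", ""),  # no accountable owner recorded
    ],
    "SYS-B": [
        Component("00:11:22:33:44:03", "mgmt01", "SYS-B", "NOC role"),  # same device, second boundary
        Component("00:11:22:33:44:10", "app01", "SYS-B", "K. Lee / Sysadmin"),
    ],
}

# Constructed discovery output, e.g. a switch CAM table or DHCP lease export: (mac, ip).
DISCOVERED = [
    ("00-11-22-33-44-01", "10.0.1.10"),
    ("0011.2233.4402", "10.0.1.11"),
    ("00:11:22:33:44:99", "10.0.1.200"),  # present on the wire, in no inventory
]


def authorized_macs(inventories):
    """Set of canonical MACs across every system inventory."""
    return {normalize_mac(c.mac) for inv in inventories.values() for c in inv}


def detect_unauthorized(inventories, discovered):
    """CM-8(3)(a): discovered components that no inventory accounts for."""
    known = authorized_macs(inventories)
    return sorted(
        (normalize_mac(mac), ip) for mac, ip in discovered if normalize_mac(mac) not in known
    )


def plan_response(unauthorized, actions=("disable_network_access", "notify")):
    """CM-8(3)(b): attach the organization's selected actions to each finding.

    The default tuple is an assumed selection; the control allows any one or
    more of disabling network access, isolating, and notifying.
    """
    return [{"mac": mac, "ip": ip, "actions": list(actions)} for mac, ip in unauthorized]


def missing_accountability(inventories):
    """CM-8(4): inventory entries with no responsible individual, position or role."""
    return sorted(
        (c.system, c.hostname) for inv in inventories.values() for c in inv if not c.owner.strip()
    )


def find_duplicates(inventories):
    """CM-8(5): components accounted for in more than one system's inventory."""
    seen = {}
    for system, inv in inventories.items():
        for c in inv:
            seen.setdefault(normalize_mac(c.mac), set()).add(system)
    return {mac: sorted(systems) for mac, systems in seen.items() if len(systems) > 1}


if __name__ == "__main__":
    findings = detect_unauthorized(AUTHORIZED, DISCOVERED)
    print("unauthorized:", plan_response(findings))
    print("no accountable owner:", missing_accountability(AUTHORIZED))
    print("duplicated across inventories:", find_duplicates(AUTHORIZED))
```

Each function returns a structure rather than printing, so the same checks can be scheduled continuously (the DoD-defined frequency for CM-8 (3)) and their output written to the audit trail that CM-8 (1) expects; the duplicate check is what an assessor would run across the inventories of interconnected systems to satisfy CM-8 (5).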
CCI-000420 The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory. The organization conducting the inspection/assessment obtains and examines the organization's configuration management policy and plan; procedures addressing information system component inventory; information system design documentation; information system inventory records; information system component installation records; and any other relevant documents or records. The purpose of the reviews is to validate the organization is including assessed component configurations, and any approved deviations to deployed configurations, in the information system component's inventory. The organization being inspected/assessed will institute procedures to ensure assessed component configurations, and any approved deviations to current deployed configurations, are included in the information system component inventory. Information System Component Inventory | Assessed Configurations / Approved Deviations CM-8 (6) CM-8(6).1 This control enhancement focuses on configuration settings established by organizations for information system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings. Related controls: CM-2, CM-6. The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
CCI-000421 The organization develops a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. The organization conducting the inspection/assessment obtains and examines the configuration management plan to verify that it addresses and documents roles, responsibilities, and configuration management processes and procedures. The organization being inspected/assessed will develop and document a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. Configuration Management Plan CM-9 CM-9.1 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-000422 The organization documents a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
CCI-000423 The organization implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. The organization conducting the inspection/assessment obtains and examines the configuration management plan as well as evidence of implementation (e.g., completed change requests, meeting minutes, and other relevant documents) to ensure the organization being inspected/assessed implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. The organization being inspected/assessed will implement a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. Configuration Management Plan CM-9 CM-9.2 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-000424 The organization develops a configuration management plan for the information system that defines the configuration items for the information system. The organization conducting the inspection/assessment obtains and examines the configuration management plan to ensure it defines and documents the configuration items for the information system. The organization being inspected/assessed will develop and document a configuration management plan for the information system that defines the configuration items. Configuration Management Plan CM-9 CM-9.7 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-000425 The organization documents a configuration management plan for the information system that defines the configuration items for the information system.
CCI-000426 The organization implements a configuration management plan for the information system that defines the configuration items for the information system. The organization conducting the inspection/assessment obtains and examines the configuration management plan to ensure the organization being inspected/assessed implements a configuration management plan for the information system that defines the configuration items. The organization being inspected/assessed will implement a configuration management plan for the information system that defines the configuration items. Configuration Management Plan CM-9 CM-9.8 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-000427 The organization develops a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.
CCI-000428 The organization documents a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.
CCI-000429 The organization implements a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.
CCI-000430 The organization develops a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.
CCI-000431 The organization documents a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.
CCI-000432 The organization implements a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.
CCI-000433 The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CCI-000434 The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CCI-000435 The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CCI-000436 The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development. The organization conducting the inspection/assessment obtains and examines documentation of stakeholder role assignments to verify that the personnel assigned CM roles are not assigned roles for information system development. The organization being inspected/assessed will assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development. Configuration Management Plan | Assignment Of Responsibility CM-9 (1) CM-9(1).1 In the absence of dedicated configuration management teams assigned within organizations, system developers may be tasked to develop configuration management processes using personnel who are not directly involved in system development or integration. This separation of duties ensures that organizations establish and maintain a sufficient degree of independence between the information system development and integration processes and configuration management processes to facilitate quality control and more effective oversight. The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
CCI-000485 The organization defines the frequency of refresher contingency training to information system users. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least annually. DoD has defined the frequency as at least annually. Contingency Training CP-3 CP-3.4 Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000486 The organization provides contingency training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility. The organization conducting the inspection/assessment obtains and examines the list of contingency personnel and documentation of initial contingency training for the purpose of ensuring that all personnel with contingency roles and responsibilities have received initial contingency training at a maximum, 10 working days of assuming a contingency role or responsibility. DoD has defined the time period as at a maximum, 10 working days. The organization being inspected/assessed provides initial contingency training to personnel with contingency roles and responsibilities IAW CP-2, CCI 449 at a maximum, 10 working days of assuming a contingency role or responsibility. The organization will maintain documentation of the training activity dates, location, and personnel for audit trail purposes and future reference (e.g., scheduling refresher training, etc.). DoD has defined the time period as at a maximum, 10 working days. Contingency Training CP-3 CP-3.1 Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000487 The organization provides refresher contingency training to information system users consistent with assigned roles and responsibilities in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the list of contingency personnel and documentation of refresher contingency training for the purpose of ensuring that all personnel with contingency roles and responsibilities have received refresher contingency training at least annually. DoD has defined the frequency as at least annually. The organization being inspected/assessed provides refresher contingency training to personnel with contingency roles and responsibilities IAW CP-2, CCI 449 at least annually. The organization will maintain documentation of the training activity dates, location, and personnel for audit trail purposes and future reference (e.g., scheduling refresher training, etc.). DoD has defined the frequency as at least annually. Contingency Training CP-3 CP-3.5 Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-000488 The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. The organization conducting the inspection/assessment obtains and examines contingency training materials to ensure that simulated events have been included. The organization being inspected/assessed will include simulated events into contingency training to facilitate effective response by personnel in crisis situations. Contingency Training | Simulated Events CP-3 (1) CP-3(1).1 The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CCI-000489 The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment. The organization conducting the inspection/assessment obtains and examines the automated mechanism such as scenario-based interactive online training/CBT to verify that it provides a realistic contingency training environment. The organization being inspected/assessed employs an automated mechanism such as scenario-based interactive online training/CBT providing a realistic contingency training environment. Contingency Training | Automated Training Environments CP-3 (2) CP-3(2).1 The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
CCI-000490 The organization defines the frequency with which to test the contingency plan for the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least annually. DoD has defined the frequency as at least annually. Contingency Plan Testing CP-4 CP-4.1 Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed.
CCI-000491 The organization defines the frequency to exercise the contingency plan for the information system.
CCI-000492 The organization defines contingency plan tests to be conducted for the information system. The organization conducting the inspection/assessment obtains and examines the documented contingency plan tests to ensure the organization being inspected/assessed defines contingency plan tests to be conducted for the information system. DoD has determined the contingency plan tests are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents contingency plan tests to be conducted for the information system. DoD has determined the contingency plan tests are not appropriate to define at the Enterprise level. Contingency Plan Testing CP-4 CP-4.2 Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed.
CCI-000493 The organization defines contingency plan exercises to be conducted for the information system.
CCI-000494 The organization tests the contingency plan for the information system in accordance with organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan. The organization conducting the inspection/assessment obtains and examines the record of test results to ensure the organization being inspected/assessed conducts the tests defined in CP-4, 492 at least annually to determine the effectiveness of the plan and the organizational readiness to execute the plan. DoD has defined the frequency as at least annually. The organization being inspected/assessed conducts the tests defined in CP-4, 492 at least annually to determine the effectiveness of the plan and the organizational readiness to execute the plan. The organization must maintain a record of test results. DoD has defined the frequency as at least annually. Contingency Plan Testing CP-4 CP-4.3 Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed.
CCI-000495 The organization exercises the contingency plan using organization-defined exercises in accordance with organization-defined frequency.
CCI-000496 The organization reviews the contingency plan test results. The organization conducting the inspection/assessment obtains and examines the audit trail of issues identified during the reviews of the contingency plan test results to ensure the organization being inspected/assessed reviews the contingency plan test results. The organization being inspected/assessed will review the contingency plan test results. The organization must maintain an audit trail of issues identified during the reviews of the contingency plan test results. Contingency Plan Testing CP-4 CP-4.4 Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed.
CCI-000497 The organization initiates corrective actions, if needed, after reviewing the contingency plan test results. The organization conducting the inspection/assessment obtains and examines the contingency plan test results as well as any documented corrective actions required and ensures the corrective actions are being implemented and tracked within the POA&M. The organization being inspected/assessed identifies and documents any corrective actions required after reviewing the contingency plan test results. The organization initiates corrective actions and tracks those actions within the POA&M. Contingency Plan Testing CP-4 CP-4.5 Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions. Related controls: CP-2, CP-3, IR-3. The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed.
CCI-000498 The organization coordinates contingency plan testing with organizational elements responsible for related plans. The organization conducting the inspection/assessment obtains and examines documentation of agreements with entities responsible for the contingency or related plans to ensure there is evidence of coordination of those tests. The organization being inspected/assessed coordinates the testing of its contingency plan with other organizational elements responsible for related plans. The organization documents any applicable agreements with responsible internal or external entities. For external entities the agreements could entail MOUs, MOAs, SLAs or contracts. Contingency Plan Testing | Coordinate With Related Plans CP-4 (1) CP-4(1).1 Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements. Related controls: IR-8, PM-8. The organization coordinates contingency plan testing with organizational elements responsible for related plans.
CCI-000499 The organization coordinates contingency plan exercises with organizational elements responsible for related plans.
CCI-000500 The organization tests the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources. The organization conducting the inspection/assessment obtains and examines the record of personnel who participated in the contingency plan testing at the alternate site to ensure the organization being inspected/assessed tests the contingency plan at the alternate processing site to familiarize personnel expected to implement the contingency plan at the alternate site with the facility and available resources. The organization being inspected/assessed will include personnel expected to implement the contingency plan at the alternate site in the testing at the alternate site to familiarize contingency personnel with the facility and available resources. The organization must maintain a record of personnel who participated in the contingency plan testing at the alternate site. Contingency Plan Testing | Alternate Processing Site CP-4 (2) CP-4(2).1 Related control: CP-7. The organization tests the contingency plan at the alternate processing site: (a) To familiarize contingency personnel with the facility and available resources; and (b) To evaluate the capabilities of the alternate processing site to support contingency operations.
CCI-000501 The organization exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site's capabilities to support contingency operations.
CCI-000502 The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan. The organization conducting the inspection/assessment obtains and examines the identified automated mechanisms in use to thoroughly test the contingency plan. The organization being inspected/assessed will identify and employ automated mechanisms to thoroughly test the contingency plan, for example by providing more complete coverage of contingency issues, selecting more realistic test scenarios and environments, and more effectively stressing the information system and supported missions. Contingency Plan Testing | Automated Testing CP-4 (3) CP-4(3).1 Automated mechanisms provide more thorough and effective testing of contingency plans, for example: (i) by providing more complete coverage of contingency issues; (ii) by selecting more realistic test scenarios and environments; and (iii) by effectively stressing the information system and supported missions. The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
CCI-000503 The organization employs automated mechanisms to more thoroughly and effectively exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic exercise scenarios and environments, and more effectively stressing the information and supported missions.
CCI-000504 The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing. The organization conducting the inspection/assessment obtains and examines the full recovery and reconstitution procedures and contingency plan testing results to ensure all tests were performed IAW CP-2, CCIs 446 and 447. The organization being inspected/assessed demonstrates full recovery and reconstitution of its information system to a known state as part of its contingency plan testing. The organization documents full recovery and reconstitution as part of its contingency plan testing results. Contingency Plan Testing | Full Recovery / Reconstitution CP-4 (4) CP-4(4).1 Related controls: CP-10, SC-24. The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
CCI-000968 The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. The organization conducting the inspection/assessment conducts visual inspections and interviews physical security/safety personnel to validate the organization has installed and implemented an automatic fire suppression capability which is operational during those times the facility is not staffed. The organization being inspected/assessed must implement and maintain an automatic fire suppression capability that is fully operational when the facility is not staffed on a continuous basis. Fire Protection | Automatic Fire Suppression PE-13 (3) PE-13(3).1 The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
CCI-000969 The organization ensures that the facility undergoes, on an organization-defined frequency, fire marshal inspections and promptly resolves identified deficiencies.
CCI-000970 The organization defines a frequency for fire marshal inspections.
CCI-000965 The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. The organization conducting the inspection/assessment will conduct visual observation and interview organizational personnel with responsibilities for fire detection and suppression devices/systems. The purpose of the reviews and interviews is to validate the fire suppression and detection devices/systems for the information system are supported by an independent energy source. The organization being inspected/assessed must implement and maintain fire suppression and detection devices/systems for the information system that are supported by an independent energy source. An independent energy source is some source other than the primary energy source for that facility. Examples include sprinkler systems, hand held fire extinguishers, fixed fire hoses, and smoke detectors. Fire Protection PE-13 PE-13.1 This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors. The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
CCI-000966 The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.
CCI-000967 The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.
CCI-000971 The organization maintains temperature and humidity levels within the facility where the information system resides at organization-defined acceptable levels. The organization conducting the inspection/assessment reviews temperature and humidity controls to validate that they are set within DoD specified guidelines. DoD has defined the acceptable levels as, for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9° – 59°F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications. Humidity controls are not required for general office areas where information system components may be in use and are only required where there are concentrations of information systems such as server farms, mainframes, etc. The organization being inspected/assessed must maintain temperature and, where applicable, humidity levels at, for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9° – 59°F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications. DoD has defined the acceptable levels as, for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9° – 59°F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications. Temperature And Humidity Controls PE-14 PE-14.1 This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. The organization: a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
CCI-000972 The organization defines acceptable temperature and humidity levels to be maintained within the facility where the information system resides. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the acceptable levels as, for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9° – 59°F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications. DoD has defined the acceptable levels as, for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9° – 59°F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications. Temperature And Humidity Controls PE-14 PE-14.2 This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. The organization: a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
CCI-000973 The organization monitors temperature and humidity levels in accordance with organization-defined frequency. The organization conducting the inspection/assessment will visually observe the inspected organization's independent monitoring device, obtain and examine audit logs, and interview physical security/safety personnel to validate the inspected organization monitors temperature and humidity levels continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. The organization being inspected/assessed will continuously maintain an independent monitoring device for temperature and humidity levels, not located in the immediate vicinity of the controller, unless manufacturer specifications allow for a wide enough tolerance that control is not required. Records of monitoring must be maintained as an audit trail within the authorization lifecycle. DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. Temperature And Humidity Controls PE-14 PE-14.3 This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. The organization: a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
CCI-000974 The organization defines a frequency for monitoring temperature and humidity levels. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. Temperature And Humidity Controls PE-14 PE-14.4 This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3. The organization: a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
CCI-000975 The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system. The organization conducting the inspection/assessment conducts visual inspections and interviews personnel responsible for maintaining automatic temperature and humidity controls to validate the organization is employing automatic temperature and humidity controls for the information system to prevent fluctuations potentially harmful to the information system. Humidity controls are not required for general office areas where information system components may be in use and are only required where there are concentrations of information systems such as server farms, mainframes, etc. The organization being inspected/assessed must implement and maintain automatic temperature and humidity controls in the facility designed to prevent temperature and humidity fluctuations that would be potentially harmful to the information system. Temperature And Humidity Controls | Automatic Controls PE-14 (1) PE-14(1).1 The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
CCI-000976 The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. The organization conducting the inspection/assessment conducts visual inspections and interviews personnel responsible for maintaining automatic temperature and humidity controls to validate the inspected organization is employing automatic temperature and humidity controls that provide an alarm or notification of changes potentially harmful to personnel or equipment. Humidity controls are not required for general office areas where information system components may be in use and are only required where there are concentrations of information systems such as server farms, mainframes, etc. The organization being inspected/assessed must implement and maintain automatic temperature and humidity controls in the facility that provide an alarm or notification of changes to either of these environmental conditions that are potentially harmful to personnel or equipment. Temperature And Humidity Controls | Monitoring With Alarms / Notifications PE-14 (2) PE-14(2).1 The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
CCI-000977 The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible. The organization conducting the inspection/assessment will inspect the master shutoff valves to ensure they are installed and accessible. The organization being inspected/assessed must provide master shutoff valves that are accessible to protect the information system from damage resulting from water leakage. Water Damage Protection PE-15 PE-15.1 This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3. The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
CCI-000978 The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are working properly. The organization conducting the inspection/assessment will visually inspect master shutoff valve inspection documentation (e.g., inspection form, tag attached to valve). The organization being inspected/assessed will ensure that master shutoff valves are working properly and have been inspected by the appropriate organization (e.g., fire marshal, department of public works). Water Damage Protection PE-15 PE-15.2 This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3. The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
CCI-000979 Key personnel have knowledge of the master water shutoff or isolation valves. The organization conducting the inspection/assessment obtains and examines the list of key personnel with knowledge of the location and activation procedures for master shutoff valves and any other relevant documents or records, then interviews key personnel from the list to determine if the identified key personnel within the organization have knowledge of the master shutoff valves. The organization being inspected/assessed will identify and document key personnel and will provide training on the location and procedures for use of master shutoff valves. Water Damage Protection PE-15 PE-15.3 This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3. The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
CCI-000980 The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.
CCI-001182 The information systems that collectively provide name/address resolution service for an organization are fault-tolerant. The organization conducting the inspection/assessment reviews the site's implementation documentation of the name resolution servers and verifies primary and alternate services are available. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1182. The organization being inspected/assessed implements a name service resolution architecture consisting of primary and secondary servers. The organization must document the architecture in the site security plan. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1182. Architecture And Provisioning For Name / Address Resolution Service SC-22 SC-22.1 Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists). Related controls: SC-2, SC-20, SC-21, SC-24. The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
CCI-001183 The information systems that collectively provide name/address resolution service for an organization implement internal/external role separation. The organization conducting the inspection/assessment reviews the site's implementation documentation of the name resolution servers and verifies authoritative and recursive services are not hosted on the same information system. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1183. The organization being inspected/assessed implements a name service resolution architecture where recursive and authoritative server software is not installed on the same information system. The organization must document the architecture in the site security plan. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1183. Architecture And Provisioning For Name / Address Resolution Service SC-22 SC-22.2 Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists). Related controls: SC-2, SC-20, SC-21, SC-24. The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
CCI-001173 The organization establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously. The organization conducting the inspection/assessment obtains and examines the documented usage restrictions to ensure the organization being inspected/assessed establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously. The organization being inspected/assessed establishes and documents usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously. Voice Over Internet Protocol SC-19 SC-19.1 Related controls: CM-6, SC-7, SC-15. The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system.
CCI-001174 The organization establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously. The V-VoIP STIG meets the DoD requirement for establishing implementation guidance for Voice over Internet Protocol (VoIP) technologies. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, V-VoIP STIG. The Voice and Video over Internet Protocol (V-VoIP) STIG meets the DoD requirement for establishing implementation guidance for Voice over Internet Protocol (VoIP) technologies. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, V-VoIP STIG. Voice Over Internet Protocol SC-19 SC-19.2 Related controls: CM-6, SC-7, SC-15. The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system.
CCI-001175 The organization authorizes the use of VoIP within the information system. The organization conducting the inspection/assessment obtains and examines the documented authorizations and *insert language* to ensure the organization being inspected/assessed authorizes any appropriate usage of VoIP within the information system and documents those authorizations. The organization being inspected/assessed authorizes any appropriate usage of VoIP within the information system and documents those authorizations. Voice Over Internet Protocol SC-19 SC-19.3 Related controls: CM-6, SC-7, SC-15. The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system.
CCI-001176 The organization monitors the use of VoIP within the information system. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of monitoring to ensure the organization being inspected/assessed monitors the use of VoIP within the information system. The organization being inspected/assessed documents and implements a process to monitor the use of VoIP within the information system. The organization must maintain an audit trail of monitoring. Voice Over Internet Protocol SC-19 SC-19.4 Related controls: CM-6, SC-7, SC-15. The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system.
CCI-001177 The organization controls the use of VoIP within the information system. The organization conducting the inspection/assessment obtains and examines network topology diagrams, architecture documentation, or any other documentation identifying the use of VoIP to ensure the organization being inspected/assessed controls the use of VoIP within the information system. The organization being inspected/assessed designs the information system to control the use of VoIP within the information system. Voice Over Internet Protocol SC-19 SC-19.5 Related controls: CM-6, SC-7, SC-15. The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system.
CCI-000550 The organization provides for the recovery and reconstitution of the information system to a known state after a disruption. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it identifies the recovery and reconstitution method for its information system to a known state after a disruption. The organization being inspected/assessed provides automated mechanisms or manual procedures, or a combination of the two, for the recovery and reconstitution of its information system to a known state after a disruption. The organization must identify the selected method in the contingency plan. Information System Recovery And Reconstitution CP-10 CP-10.1 Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24. The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
CCI-000551 The organization provides for the recovery and reconstitution of the information system to a known state after a compromise. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it identifies the recovery and reconstitution method for its information system to a known state after a compromise. The organization being inspected/assessed provides automated mechanisms or manual procedures, or a combination of the two, for the recovery and reconstitution of its information system to a known state after a compromise. The organization must identify the selected method in the contingency plan. Information System Recovery And Reconstitution CP-10 CP-10.2 Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24. The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
CCI-000552 The organization provides for the recovery and reconstitution of the information system to a known state after a failure. The organization conducting the inspection/assessment obtains and examines the contingency plan to ensure it identifies the recovery and reconstitution method for its information system to a known state after a failure. The organization being inspected/assessed provides automated mechanisms or manual procedures, or a combination of the two, for the recovery and reconstitution of its information system to a known state after a failure. The organization must identify the selected method in the contingency plan. Information System Recovery And Reconstitution CP-10 CP-10.3 Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24. The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
CCI-000553 The information system implements transaction recovery for systems that are transaction-based. The organization conducting the inspection/assessment obtains and examines the contingency plan test results to verify transaction recovery. The organization being inspected/assessed identifies, documents, and implements transaction recovery capability for systems that are transaction-based. The organization must document transaction recovery results as part of contingency plan testing. Information System Recovery And Reconstitution | Transaction Recovery CP-10 (2) CP-10(2).1 Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling. The information system implements transaction recovery for systems that are transaction-based.
CCI-000554 The organization defines in the security plan, explicitly or by reference, the circumstances that can inhibit recovery and reconstitution of the information system to a known state.
CCI-000555 The organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution of the information system to a known state.
CCI-000556 The organization defines restoration time periods within which to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 hour (Availability High), 24 hours (Availability Moderate), or 1 - 5 days (Availability Low), as defined in the contingency plan. DoD has defined the time period as 1 hour (Availability High), 24 hours (Availability Moderate), or 1 - 5 days (Availability Low), as defined in the contingency plan. Information System Recovery And Reconstitution | Restore Within Time Period CP-10 (4) CP-10(4).1 Restoration of information system components includes, for example, reimaging which restores components to known, operational states. Related control: CM-2. The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
CCI-000557 The organization provides the capability to restore information system components within organization-defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state for the components. The organization conducting the inspection/assessment obtains and examines contingency plan test results to verify the organization exercises the capability to restore information system components from configuration-controlled and integrity-protected information representing a secure, operational state for the components, and that restoration occurred within the defined time period: 1 hour (Availability High), 24 hours (Availability Moderate), or 1 - 5 days (Availability Low), as defined in the contingency plan. The organization being inspected/assessed exercises the capability to restore information system components from configuration-controlled and integrity-protected information representing a secure, operational state for the components within the defined time period during contingency plan testing: 1 hour (Availability High), 24 hours (Availability Moderate), or 1 - 5 days (Availability Low), as defined in the contingency plan. Information System Recovery And Reconstitution | Restore Within Time Period CP-10 (4) CP-10(4).2 Restoration of information system components includes, for example, reimaging which restores components to known, operational states. Related control: CM-2. The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
CCI-000558 The organization defines the real-time or near-real-time failover capability to be provided for the information system. The organization conducting the inspection/assessment obtains and examines the documented failover capability to ensure the organization being inspected/assessed defines the real-time or near-real-time failover capability to be provided for the information system. DoD has determined the failover capability is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the real-time or near-real-time failover capability to be provided for the information system. DoD has determined the failover capability is not appropriate to define at the Enterprise level. Predictable Failure Prevention | Failover Capability SI-13 (5) SI-13(5).1 Failover refers to the automatic switchover to an alternate information system upon the failure of the primary information system. Failover capability includes, for example, incorporating mirrored information system operations at alternate processing sites or periodic data mirroring at regular intervals defined by recovery time periods of organizations. The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system.
CCI-000559 The organization provides real-time or near-real-time organization-defined failover capability for the information system. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed provides real-time or near-real-time failover capability defined in SI-13 (5), CCI 558 for the information system. The organization being inspected/assessed designs the information system to provide real-time or near-real-time failover capability defined in SI-13 (5), CCI 558 for the information system. Predictable Failure Prevention | Failover Capability SI-13 (5) SI-13(5).2 Failover refers to the automatic switchover to an alternate information system upon the failure of the primary information system. Failover capability includes, for example, incorporating mirrored information system operations at alternate processing sites or periodic data mirroring at regular intervals defined by recovery time periods of organizations. The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system.
CCI-000560 The organization protects backup and restoration hardware. The organization conducting the inspection/assessment obtains and examines documentation of protection measures to ensure the organization is actively protecting backup and restoration hardware. The organization being inspected/assessed implements and documents policies and backup procedures designed to protect its backup and restoration hardware. Information System Recovery And Reconstitution | Component Protection CP-10 (6) CP-10(6).1 Protection of backup and restoration hardware, firmware, and software components includes both physical and technical safeguards. Backup and restoration software includes, for example, router tables, compilers, and other security-relevant system software. Related controls: AC-3, AC-6, PE-3. The organization protects backup and restoration hardware, firmware, and software.
CCI-000561 The organization protects backup and restoration firmware. The organization conducting the inspection/assessment obtains and examines documentation of protection measures to ensure the organization is actively protecting backup and restoration firmware. The organization being inspected/assessed implements and documents policies and backup procedures designed to protect its backup and restoration firmware. Information System Recovery And Reconstitution | Component Protection CP-10 (6) CP-10(6).2 Protection of backup and restoration hardware, firmware, and software components includes both physical and technical safeguards. Backup and restoration software includes, for example, router tables, compilers, and other security-relevant system software. Related controls: AC-3, AC-6, PE-3. The organization protects backup and restoration hardware, firmware, and software.
CCI-000562 The organization protects backup and restoration software. The organization conducting the inspection/assessment obtains and examines documentation of protection measures to ensure the organization is actively protecting backup and restoration software. The organization being inspected/assessed implements and documents policies and backup procedures designed to protect its backup and restoration software. Information System Recovery And Reconstitution | Component Protection CP-10 (6) CP-10(6).3 Protection of backup and restoration hardware, firmware, and software components includes both physical and technical safeguards. Backup and restoration software includes, for example, router tables, compilers, and other security-relevant system software. Related controls: AC-3, AC-6, PE-3. The organization protects backup and restoration hardware, firmware, and software.
CCI-000570 The organization develops a security plan for the information system that is consistent with the organization's enterprise architecture; explicitly defines the authorization boundary for the system; describes the operational context of the information system in terms of mission and business processes; provides the security category and impact level of the information system, including supporting rationale; describes the operational environment for the information system; describes relationships with, or connections to, other information systems; provides an overview of the security requirements for the system; and describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplemental decisions.
CCI-000571 The organization's security plan for the information system is reviewed and approved by the authorizing official or designated representative prior to plan implementation. The organization conducting the inspection/assessment obtains and examines the security plan approval to ensure the organization being inspected/assessed obtains security plan approval by the authorizing official or designated representative prior to plan implementation. The organization being inspected/assessed obtains security plan approval by the authorizing official or designated representative prior to plan implementation. System Security Plan PL-2 PL-2.10 Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide, explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization's enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification.
CCI-000572 The organization defines the frequency for reviewing the security plan for the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. System Security Plan PL-2 PL-2.15 Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization's enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification.
CCI-000573 The organization reviews the security plan for the information system in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit records of security plan reviews to verify the security plan has been reviewed annually. DoD has defined the frequency as annually. The information system owner, as part of the annual security control review, will also review the security plan annually. Documentation of security plan reviews is required as an audit trail. DoD has defined the frequency as annually. System Security Plan PL-2 PL-2.16 Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization's enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification.
CCI-000574 The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. The organization conducting the inspection/assessment obtains and examines the audit records of security plan updates to verify the security plan is current. The purpose of the reviews is to validate that the organization is updating the Information System (IS) security plan to address changes to the IS, its environment of operation, or problems identified during plan implementation or security control assessments. The information system owner will update the security plan as necessary to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. Documentation of security plan updates is required as an audit trail. System Security Plan PL-2 PL-2.17 Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17. The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization's enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification.
CCI-000576 The organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum: the purpose of the system; a description of the system architecture; the security authorization schedule; and the security categorization and associated factors considered in determining the categorization.
CCI-000577 The organization defines the frequency with which to review and update the security CONOPS. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Security Concept Of Operations PL-7 PL-7.2 The security CONOPS may be included in the security plan for the information system or in other system development life cycle-related documents, as appropriate. Changes to the CONOPS are reflected in ongoing updates to the security plan, the information security architecture, and other appropriate organizational documents (e.g., security specifications for procurements/acquisitions, system development life cycle documents, and systems/security engineering documents). Related control: PL-2. The organization: a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and b. Reviews and updates the CONOPS [Assignment: organization-defined frequency].
CCI-000578 The organization reviews and updates the security CONOPS in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the security CONOPS annually. DoD has defined the frequency as annually. The organization being inspected/assessed reviews and updates the security CONOPS annually. The organization must maintain an audit trail of reviews and updates. DoD has defined the frequency as annually. Security Concept Of Operations PL-7 PL-7.3 The security CONOPS may be included in the security plan for the information system or in other system development life cycle-related documents, as appropriate. Changes to the CONOPS are reflected in ongoing updates to the security plan, the information security architecture, and other appropriate organizational documents (e.g., security specifications for procurements/acquisitions, system development life cycle documents, and systems/security engineering documents). Related control: PL-2. The organization: a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and b. Reviews and updates the CONOPS [Assignment: organization-defined frequency].
CCI-000580 The organization develops a functional architecture for the information system that identifies and maintains external interfaces.
CCI-000581 The organization develops a functional architecture for the information system that identifies and maintains the information being exchanged across the interfaces.
CCI-000582 The organization develops a functional architecture for the information system that identifies and maintains the protection mechanisms associated with each interface.
CCI-000583 The organization develops a functional architecture for the information system that identifies and maintains user roles.
CCI-000584 The organization develops a functional architecture for the information system that identifies and maintains the access privileges assigned to each role.
CCI-000585 The organization develops a functional architecture for the information system that identifies and maintains unique security requirements.
CCI-000586 The organization develops a functional architecture for the information system that identifies and maintains types of information processed by the information system.
CCI-000587 The organization develops a functional architecture for the information system that identifies and maintains types of information stored by the information system.
CCI-000588 The organization develops a functional architecture for the information system that identifies and maintains types of information transmitted by the information system.
CCI-000589 The organization develops a functional architecture for the information system that identifies and maintains any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
CCI-000590 The organization develops a functional architecture for the information system that identifies and maintains restoration priority of information.
CCI-000591 The organization develops a functional architecture for the information system that identifies and maintains restoration priority of information system services.
CCI-000597 The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.
CCI-000598 The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation).
CCI-000599 The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational assets.
CCI-000600 The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational individuals.
CCI-001646 The organization defines the frequency with which to review and update the current system and services acquisition procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. System And Services Acquisition Policy And Procedures SA-1 SA-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency].
CCI-000601 The organization defines the frequency with which to review and update the current system and services acquisition policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 5 years. DoD has defined the frequency as every 5 years. System And Services Acquisition Policy And Procedures SA-1 SA-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency].
CCI-000602 The organization develops and documents a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. System And Services Acquisition Policy And Procedures SA-1 SA-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency].
CCI-000603 The organization disseminates to organization-defined personnel or roles a system and services acquisition policy. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. System And Services Acquisition Policy And Procedures SA-1 SA-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency].
CCI-000604 The organization reviews and updates the current system and services acquisition policy in accordance with organization-defined frequency. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. System And Services Acquisition Policy And Procedures SA-1 SA-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency].
CCI-000605 The organization develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. System And Services Acquisition Policy And Procedures SA-1 SA-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency].
CCI-000606 The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. System And Services Acquisition Policy And Procedures SA-1 SA-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency].
CCI-000607 The organization reviews and updates the current system and services acquisition procedures in accordance with organization-defined frequency. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1 meet the DoD requirements for system and services acquisition policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDD 5000.01, DoDI 5000.02, and DoDI 8580.1. System And Services Acquisition Policy And Procedures SA-1 SA-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency].
CCI-000615 The organization manages the information system using an organization-defined system development life cycle that incorporates information security considerations. The organization conducting the inspection/assessment obtains and examines the documented process and artifacts of the system development life cycle process to ensure the organization being inspected/assessed manages the information system using the system development life cycle defined in SA-3, CCI 3092 that incorporates information security considerations IAW DoDI 8580.1. The organization being inspected/assessed documents and implements a process to manage the information system using the system development life cycle defined in SA-3, CCI 3092 that incorporates information security considerations IAW DoDI 8580.1. System Development Life Cycle SA-3 SA-3.1 A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; b. Defines and documents information security roles and responsibilities throughout the system development life cycle; c. Identifies individuals having information security roles and responsibilities; and d. Integrates the organizational information security risk management process into system development life cycle activities.
CCI-000616 The organization defines and documents information system security roles and responsibilities throughout the system development life cycle. The organization conducting the inspection/assessment obtains and examines the information system security roles and responsibilities to ensure the organization being inspected/assessed defines and documents information system security roles and responsibilities throughout the system development life cycle IAW DoDI 8580.1. The organization being inspected/assessed defines and documents information system security roles and responsibilities throughout the system development life cycle IAW DoDI 8580.1. System Development Life Cycle SA-3 SA-3.3 A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; b. Defines and documents information security roles and responsibilities throughout the system development life cycle; c. Identifies individuals having information security roles and responsibilities; and d. Integrates the organizational information security risk management process into system development life cycle activities.
CCI-000617 The organization documents information system security roles and responsibilities throughout the system development life cycle.
CCI-000618 The organization identifies individuals having information system security roles and responsibilities. The organization conducting the inspection/assessment obtains and examines the documented individuals having information system security roles and responsibilities to ensure the organization being inspected/assessed identifies individuals having information system security roles and responsibilities. The organization being inspected/assessed identifies and documents individuals having information system security roles and responsibilities. System Development Life Cycle SA-3 SA-3.4 A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; b. Defines and documents information security roles and responsibilities throughout the system development life cycle; c. Identifies individuals having information security roles and responsibilities; and d. Integrates the organizational information security risk management process into system development life cycle activities.
CCI-000655 The organization uses software and associated documentation in accordance with contract agreements and copyright laws.
CCI-000656 The organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution.
CCI-000657 The organization controls the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-000658 The organization documents the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-000659 The organization prohibits the use of binary executable code from sources with limited or no warranty without accompanying source code.
CCI-000660 The organization prohibits the use of machine executable code from sources with limited or no warranty without accompanying source code.
CCI-000661 The organization provides exceptions to the source code requirement only when no alternative solutions are available to support compelling mission/operational requirements.
CCI-000662 The organization obtains express written consent of the authorizing official for exceptions to the source code requirement.
CCI-000664 The organization applies information system security engineering principles in the specification of the information system. The organization conducting the inspection/assessment obtains and examines the system requirements documents to ensure that the organization being inspected/assessed applies information system security engineering principles in the specification of the information system. The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE is NIST SP 800-160 - Systems Security Engineering, currently in draft form, available here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/. This CCI does not apply to COTS products. The organization managing the acquisition/development of the information system must ensure that the system requirements documents reflect the system security engineering principles that can be applied to information systems in development, systems undergoing major upgrades and, to the extent feasible, systems in sustainment. Security engineering principles include: 1. Developing layered protections; 2. Establishing sound security policy, architecture, and controls as the foundation for design; 3. Incorporating security requirements into all phases of the system development life cycle; 4. Delineating physical and logical security boundaries; 5. Ensuring that system developers are trained on how to design and build secure software; 6. Tailoring security controls and protections to meet system-specific requirements and operational needs; 7. Performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk. Security Engineering Principles SA-8 SA-8.1 Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3. The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
CCI-000665 The organization applies information system security engineering principles in the design of the information system. The organization conducting the inspection/assessment obtains and examines the design documents to ensure that the organization being inspected/assessed applies information system security engineering principles in the design of the information system. The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE is NIST SP 800-160 - Systems Security Engineering, currently in draft form, available here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/. This CCI does not apply to COTS products. The organization managing the acquisition/development of the information system must ensure that the design documents reflect the system security engineering principles that can be applied to information systems in development, systems undergoing major upgrades and, to the extent feasible, systems in sustainment. Security engineering principles include: 1. Developing layered protections; 2. Establishing sound security policy, architecture, and controls as the foundation for design; 3. Incorporating security requirements into all phases of the system development life cycle; 4. Delineating physical and logical security boundaries; 5. Ensuring that system developers are trained on how to design and build secure software; 6. Tailoring security controls and protections to meet system-specific requirements and operational needs; 7. Performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk. Security Engineering Principles SA-8 SA-8.2 Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3. The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
CCI-000666 The organization applies information system security engineering principles in the development of the information system. The organization conducting the inspection/assessment obtains and examines the system development procedures (e.g. configuration management plans, code review procedures, and coding style guides) to ensure that the organization being inspected/assessed applies information system security engineering principles in the development of the information system. The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE is NIST SP 800-160 - Systems Security Engineering, currently in draft form, available here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/. This CCI does not apply to COTS products. The organization managing the acquisition/development of the information system must ensure that the development procedures reflect the system security engineering principles that can be applied to information systems in development, systems undergoing major upgrades and, to the extent feasible, systems in sustainment. Security engineering principles include: 1. Developing layered protections; 2. Establishing sound security policy, architecture, and controls as the foundation for design; 3. Incorporating security requirements into all phases of the system development life cycle; 4. Delineating physical and logical security boundaries; 5. Ensuring that system developers are trained on how to design and build secure software; 6. Tailoring security controls and protections to meet system-specific requirements and operational needs; 7. Performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk. Examples of development procedures that should reflect SSE principles are configuration management plans, code review procedures, and coding style guides. Configuration management plans should be IAW CM-9, CCI 001790. Security Engineering Principles SA-8 SA-8.3 Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3. The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
CCI-000667 The organization applies information system security engineering principles in the implementation of the information system. The organization conducting the inspection/assessment obtains and examines the audit trail artifacts that were created during the implementation of SA-8, CCI 000666 to ensure that the organization being inspected/assessed applies information system security engineering principles in the implementation of the information system and that changes are made IAW the configuration management plan (CM-9, CCI 001790). The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE is NIST SP 800-160 - Systems Security Engineering, currently in draft form, available here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/. This CCI does not apply to COTS products. The organization managing the acquisition/development of the information system must employ the procedures identified in SA-8, CCI 000666 during the implementation of the information system. The system owner must maintain an audit trail of the activities conducted IAW SA-8, CCI 000666. Examples of artifacts are CCB minutes, code review results, and source code analysis results. Security Engineering Principles SA-8 SA-8.4 Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3. The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
CCI-000668 The organization applies information system security engineering principles in the modification of the information system. The organization conducting the inspection/assessment obtains and examines the audit trail artifacts that were created during the modification of SA-8, CCI 000666 to ensure that the organization being inspected/assessed applies information system security engineering principles in the modification of the information system and that changes are made IAW the configuration management plan (CM-9, CCI 001790). The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE is NIST SP 800-160 - Systems Security Engineering, currently in draft form, available here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/. This CCI does not apply to COTS products. The organization managing the acquisition/development of the information system must employ the procedures identified in SA-8, CCI 000666 during the modification of the information system. The system owner must maintain an audit trail of the activities conducted IAW SA-8, CCI 000666. Examples of artifacts are CCB minutes, code review results, and source code analysis results. Security Engineering Principles SA-8 SA-8.5 Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3. The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
CCI-000669 The organization requires that providers of external information system services comply with organizational information security requirements. The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that providers of external information system services comply with any organization-specific information security requirements. The organization being inspected/assessed documents within contracts/agreements the requirement that providers of external information system services comply with any organization-specific information security requirements. External Information System Services SA-9 SA-9.1 External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
CCI-000670 The organization requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that providers of external information system services employ security controls defined in CNSSI 1253. DoD has defined the security controls as security controls defined by CNSSI 1253. The organization being inspected/assessed documents within contracts/agreements the requirement that providers of external information system services employ security controls defined in CNSSI 1253. DoD has defined the security controls as security controls defined by CNSSI 1253. External Information System Services SA-9 SA-9.2 External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
CCI-000671 The organization defines government oversight with regard to external information system services. The organization conducting the inspection/assessment obtains and examines the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) to confirm the organization has clearly defined the government oversight to be conducted on external information system services and service providers. The organization being inspected/assessed must define in the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) the government oversight to be conducted on external information system services and service providers. External Information System Services SA-9 SA-9.4 External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
CCI-000672 The organization documents government oversight with regard to external information system services. The organization conducting the inspection/assessment obtains and examines the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) to confirm the organization has clearly established the government oversight to be conducted on external information system services and service providers. The organization being inspected/assessed must establish in the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) the government oversight to be conducted on external information system services and service providers. External Information System Services SA-9 SA-9.5 External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
CCI-000673 The organization defines user roles and responsibilities with regard to external information system services. The organization conducting the inspection/assessment obtains and examines the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) to confirm the organization has clearly defined the roles and responsibilities of all types of users of the external information system services. The organization being inspected/assessed must define in the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) the roles and responsibilities of all types of users of the external information system services. External Information System Services SA-9 SA-9.6 External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
CCI-000674 The organization documents user roles and responsibilities with regard to external information system services. The organization conducting the inspection/assessment obtains and examines the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) to confirm the organization has clearly established the roles and responsibilities of all types of users of the external information system services. The organization being inspected/assessed must establish in the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc.) the roles and responsibilities of all types of users of the external information system services. External Information System Services SA-9 SA-9.7 External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7. The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
CCI-000675 The organization monitors security control compliance by external service providers.
CCI-000676 The organization conducts an organizational assessment of risk prior to the acquisition of dedicated information security services.
CCI-000677 The organization conducts an organizational assessment of risk prior to the outsourcing of dedicated information security services.
CCI-000678 The organization defines the senior organizational official designated to approve acquisition of dedicated information security services.
CCI-000679 The organization defines the senior organizational official designated to approve outsourcing of dedicated information security services.
CCI-000680 The organization ensures the acquisition of dedicated information security services is approved by an organization-designated senior organizational official.
CCI-000681 The organization ensures the outsourcing of dedicated information security services is approved by an organization-designated senior organizational official.
CCI-000702 The organization requires information system developers, in consultation with associated security personnel (including security engineers), to create a security test and evaluation plan.
CCI-000703 The organization requires information system developers, in consultation with associated security personnel (including security engineers), to implement a security test and evaluation plan.
CCI-000704 The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to create a security test and evaluation plan.
CCI-000705 The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to implement a security test and evaluation plan.
CCI-000706 The organization requires information system developers, in consultation with associated security personnel (including security engineers), to implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process.
CCI-000707 The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process.
CCI-000708 The organization requires information system developers, in consultation with associated security personnel (including security engineers), to document the results of the security testing/evaluation processes.
CCI-000709 The organization requires information system developers, in consultation with associated security personnel (including security engineers), to document the results of the security flaw remediation processes.
CCI-000710 The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to document the results of the security testing/evaluation processes.
CCI-000711 The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to document the results of the security flaw remediation processes.
CCI-000712 The organization requires information system developers to employ code analysis tools to examine software for common flaws and document the results of the analysis.
CCI-000713 The organization requires information system integrators to employ code analysis tools to examine software for common flaws and document the results of the analysis.
CCI-000714 The organization requires information system developers to perform a vulnerability analysis to document vulnerabilities.
CCI-000715 The organization requires information system developers to perform a vulnerability analysis to document exploitation potential.
CCI-000716 The organization requires information system developers to perform a vulnerability analysis to document risk mitigations.
CCI-000717 The organization requires information system integrators to perform a vulnerability analysis to document vulnerabilities.
CCI-000718 The organization requires information system integrators to perform a vulnerability analysis to document exploitation potential.
CCI-000719 The organization requires information system integrators to perform a vulnerability analysis to document risk mitigations.
CCI-000720 The organization requires information system developers to implement the security test and evaluation plan under the witness of an independent verification and validation agent.
CCI-000721 The organization requires information system integrators to implement the security test and evaluation plan under the witness of an independent verification and validation agent.
CCI-000722 The organization defines the security safeguards to employ to protect against supply chain threats to the information system, system component, or information system service. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the requirements to protect against supply chain threats in DoDI 5200.44, "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)." DoD has defined the requirements to protect against supply chain threats in DoDI 5200.44, "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)." Supply Chain Protection SA-12 SA-12.1 Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR-4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7. The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
CCI-000723 The organization protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy. The organization conducting the inspection/assessment obtains and examines the Security Plan for the system to determine whether the system is a “covered system” IAW DoDI 5200.44. If it is a covered system, the organization conducting the inspection/assessment obtains and examines documentation of compliance with DoDI 5200.44, to ensure the organization being inspected/assessed has: 1. Conducted a criticality analysis to identify mission critical functions and critical components and reduced the vulnerability of such functions and components through secure system design; 2. Requested threat analysis of suppliers of critical components from the TSN focal point and managed access to and control of threat analysis products containing U.S. person information; 3. Engaged TSN focal points for guidance on managing identified risk using DoD Components and Enterprise risk management resources; and 4. Applied TSN best practices, processes, techniques, and procurement tools prior to the acquisition of critical components or their integration into applicable systems, at any point in the system lifecycle. Such tools and practices include contract requirements and the SCRM key practices Guide. The organization being inspected/assessed must identify and document in the Security Plan whether the system is a “covered system” IAW DoDI 5200.44. If it is a covered system, the organization must implement the requirements below: 1. Conduct a criticality analysis to identify mission critical functions and critical components and reduce the vulnerability of such functions and components through secure system design; 2. Request threat analysis of suppliers of critical components from the TSN focal point and manage access to and control of threat analysis products containing U.S. person information; 3. Engage TSN focal points for guidance on managing identified risk using DoD Components and Enterprise risk management resources; and 4. Apply TSN best practices, processes, techniques, and procurement tools prior to the acquisition of critical components or their integration into applicable systems, at any point in the system lifecycle. Such tools and practices include contract requirements and the SCRM key practices Guide. Supply Chain Protection SA-12 SA-12.2 Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR-4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7. The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
CCI-000724 The organization purchases all anticipated information system components and spares in the initial acquisition.
CCI-000725 The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware.
CCI-000726 The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system software.
CCI-000727 The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system firmware.
CCI-000728 The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system services.
CCI-000729 The organization uses trusted shipping for information systems.
CCI-000730 The organization uses trusted shipping for information system components.
CCI-000731 The organization uses trusted shipping for information technology products.
CCI-000732 The organization uses trusted warehousing for information systems.
CCI-000733 The organization uses trusted warehousing for information system components.
CCI-000734 The organization uses trusted warehousing for information technology products.
CCI-000735 The organization employs a diverse set of suppliers for information systems.
CCI-000736 The organization employs a diverse set of suppliers for information system components.
CCI-000737 The organization employs a diverse set of suppliers for information technology products.
CCI-000738 The organization employs a diverse set of suppliers for information system services.
CCI-000739 The organization employs standard configurations for information systems.
CCI-000740 The organization employs standard configurations for information system components.
CCI-000741 The organization employs standard configurations for information technology products.
CCI-000742 The organization minimizes the time between purchase decisions and delivery of information systems.
CCI-000743 The organization minimizes the time between purchase decisions and delivery of information system components.
CCI-000744 The organization minimizes the time between purchase decisions and delivery of information technology products.
CCI-000745 The organization employs independent analysis and penetration testing against delivered information systems.
CCI-000746 The organization employs independent analysis and penetration testing against delivered information system components.
CCI-000747 The organization employs independent analysis and penetration testing against delivered information technology products.
CCI-000748 The organization defines level of trustworthiness for the information system.
CCI-000749 The organization requires that the information system meets the organization-defined level of trustworthiness.
CCI-000750 The organization defines the list of critical information system components that require re-implementation.
CCI-000751 The organization determines the organization-defined list of critical information system components that require re-implementation.
CCI-000752 The organization re-implements organization-defined critical information system components.
CCI-000753 The organization identifies information system components for which alternative sourcing is not viable.
CCI-000754 The organization defines measures to be employed to prevent critical security controls for information system components from being compromised.
CCI-000755 The organization employs organization-defined measures to ensure critical security controls for the information system components are not compromised.
CCI-000756 The organization develops an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03. DoD developed DoDI 8520.02 and DoDI 8520.03 as the identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03. Identification And Authentication Policy And Procedures IA-1 IA-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
CCI-000757 The organization disseminates to organization-defined personnel or roles an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03. DoD has defined the personnel or roles to be recipients of the identification and authentication policy and the procedures as the ISSO and ISSM and others as the local organization deems appropriate. DoD disseminates the DoDI 8520.02 and DoDI 8520.03 via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) to the ISSO and ISSM and others as the local organization deems appropriate as an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03. DoD has defined the personnel or roles to be recipients of the identification and authentication policy and the procedures as the ISSO and ISSM and others as the local organization deems appropriate. Identification And Authentication Policy And Procedures IA-1 IA-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
CCI-000758 The organization reviews and updates identification and authentication policy in accordance with the organization-defined frequency. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. DoD reviews and updates identification and authentication policy (DoDI 8520.02 and DoDI 8520.03) annually. DoD Components are automatically compliant with this CCI because they are covered at the DoD level policies, DoDI 8520.02 and DoDI 8520.03. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. Identification And Authentication Policy And Procedures IA-1 IA-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
CCI-000759 The organization defines a frequency for reviewing and updating the identification and authentication policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. Identification And Authentication Policy And Procedures IA-1 IA-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
CCI-000760 The organization develops procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03. DoD develops within DoDI 8520.02 and DoDI 8520.03, procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03. Identification And Authentication Policy And Procedures IA-1 IA-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
CCI-000761 The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03. DoD has defined the personnel or roles to be recipients of the identification and authentication policy and the procedures as the ISSO and ISSM and others as the local organization deems appropriate. DoD disseminates the DoDI 8520.02 and DoDI 8520.03 to the ISSO and ISSM and others as the local organization deems appropriate via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html). DoDI 8520.02 and DoDI 8520.03 are procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03. Identification And Authentication Policy And Procedures IA-1 IA-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
CCI-000762 The organization reviews and updates identification and authentication procedures in accordance with the organization-defined frequency. The organization being inspected/assessed is automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03. DoD has defined the frequency as reviewed annually - updated as appropriate. DoD reviews and updates identification and authentication procedures (DoDI 8520.02 and DoDI 8520.03) annually. The organization being inspected/assessed is automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03. DoD has defined the frequency as reviewed annually - updated as appropriate. Identification And Authentication Policy And Procedures IA-1 IA-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
CCI-000763 The organization defines a frequency for reviewing and updating the identification and authentication procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as review annually - update as appropriate. DoD has defined the frequency as review annually - update as appropriate. Identification And Authentication Policy And Procedures IA-1 IA-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
CCI-000764 The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 764. The organization being inspected/assessed configures the information system to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 764. Identification And Authentication (Organizational Users) IA-2 IA-2.1 Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case of multifactor authentication, some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8. The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
CCI-000765 The information system implements multifactor authentication for network access to privileged accounts. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for network access to privileged accounts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 765. The organization being inspected/assessed configures the information system to implement multifactor authentication for network access to privileged accounts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 765. Identification And Authentication | Network Access To Privileged Accounts IA-2 (1) IA-2(1).1 Related control: AC-6. The information system implements multifactor authentication for network access to privileged accounts.
CCI-000766 The information system implements multifactor authentication for network access to non-privileged accounts. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for network access to non-privileged accounts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 766. The organization being inspected/assessed configures the information system to implement multifactor authentication for network access to non-privileged accounts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 766. Identification And Authentication | Network Access To Non-Privileged Accounts IA-2 (2) IA-2(2).1 The information system implements multifactor authentication for network access to non-privileged accounts.
CCI-000767 The information system implements multifactor authentication for local access to privileged accounts. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for local access to privileged accounts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 767. The organization being inspected/assessed configures the information system to implement multifactor authentication for local access to privileged accounts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 767. Identification And Authentication | Local Access To Privileged Accounts IA-2 (3) IA-2(3).1 The information system implements multifactor authentication for local access to privileged accounts.
CCI-000768 The information system implements multifactor authentication for local access to non-privileged accounts. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for local access to non-privileged accounts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 768. The organization being inspected/assessed configures the information system to implement multifactor authentication for local access to non-privileged accounts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 768. Identification And Authentication | Local Access To Non-Privileged Accounts IA-2 (4) IA-2(4).1 The information system implements multifactor authentication for local access to non-privileged accounts.
CCI-000769 The organization allows the use of group authenticators only when used in conjunction with an individual/unique authenticator.
CCI-000770 The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. The organization conducting the inspection/assessment obtains and examines standard operating procedures or system documentation to ensure the organization being inspected/assessed requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 770. The organization being inspected/assessed requires individuals or configures the information system to require individuals to be authenticated with an individual authenticator when a group authenticator is employed. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 770. Identification And Authentication | Group Authentication IA-2 (5) IA-2(5).1 Requiring individuals to use individual authenticators as a second level of authentication helps organizations to mitigate the risk of using group authenticators. The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
CCI-000771 The information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
CCI-000772 The information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
CCI-000773 The organization defines replay-resistant authentication mechanisms to be used for network access to privileged accounts.
CCI-000774 The information system uses organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
CCI-000775 The organization defines replay-resistant authentication mechanisms to be used for network access to non-privileged accounts.
CCI-000776 The information system uses organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
CCI-000777 The organization defines a list of specific and/or types of devices for which identification and authentication is required before establishing a connection to the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the value as all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). DoD has defined the value as all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). Device Identification And Authentication IA-3 IA-3.1 Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on a large scale, organizations are encouraged to only apply the control to the limited number (and type) of devices that truly need to support this capability. Related controls: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5. The information system uniquely identifies and authenticates [Assignment: organization defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
CCI-000778 The information system uniquely identifies an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection. The organization conducting the inspection/assessment examines a sampling of the network infrastructure device configurations to ensure devices connecting to the infrastructure are uniquely identified. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 778. The organization being inspected/assessed configures the network infrastructure to identify all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs) before establishing a local, remote, or network connection. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 778. DoD has defined the value as all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). Device Identification And Authentication IA-3 IA-3.2 Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on a large scale, organizations are encouraged to only apply the control to the limited number (and type) of devices that truly need to support this capability. Related controls: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5. The information system uniquely identifies and authenticates [Assignment: organization defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
CCI-000779 The information system authenticates devices before establishing remote network connections using bidirectional authentication between devices that is cryptographically based.
CCI-000780 The information system authenticates devices before establishing wireless network connections using bidirectional authentication between devices that is cryptographically based.
CCI-000781 The information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based.
CCI-000782 The organization standardizes, with regard to dynamic address allocation, Dynamic Host Configuration Protocol (DHCP) lease information and the time assigned to DHCP-enabled devices.
CCI-000783 The organization audits lease information when assigned to a device. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to record lease information in the audit log and examines the audit records to ensure the records have captured the appropriate information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 783. The organization being inspected/assessed configures the information system to record lease information in the audit log. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 783. Device Identification And Authentication | Dynamic Address Allocation IA-3 (3) IA-3(3).5 DHCP-enabled clients obtaining leases for IP addresses from DHCP servers is a typical example of dynamic address allocation for devices. Related controls: AU-2, AU-3, AU-6, AU-12. The organization: (a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audits lease information when assigned to a device.
CCI-000784 The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user identifier.
CCI-000785 The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a device identifier.
CCI-000786 The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies an individual.
CCI-000787 The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies a device.
CCI-000788 The organization manages information system identifiers for users and devices by assigning the user identifier to the intended party.
CCI-000789 The organization manages information system identifiers for users and devices by assigning the device identifier to the intended device.
CCI-000790 The organization defines a time period for which the reuse of user identifiers is prohibited.
CCI-000791 The organization defines a time period for which the reuse of device identifiers is prohibited.
CCI-000792 The organization manages information system identifiers for users and devices by preventing reuse of user identifiers for an organization-defined time period.
CCI-000793 The organization manages information system identifiers for users and devices by preventing reuse of device identifiers for an organization-defined time period.
CCI-000794 The organization defines a time period of inactivity after which the identifier is disabled. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 35 days of inactivity. DoD has defined the time period as 35 days of inactivity. Identifier Management IA-4 IA-4.7 Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. The organization manages information system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifies an individual, group, role, or device; c. Assigning the identifier to the intended individual, group, role, or device; d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
CCI-000795 The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity. The organization conducting the inspection/assessment examines the information system configuration to ensure that identifiers are disabled after 35 days of inactivity. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 795. DoD has defined the time period as 35 days of inactivity. The organization being inspected/assessed configures the information system to disable identifiers after 35 days of inactivity. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 795. DoD has defined the time period as 35 days of inactivity. Identifier Management IA-4 IA-4.8 Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. The organization manages information system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifies an individual, group, role, or device; c. Assigning the identifier to the intended individual, group, role, or device; d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
CCI-000796 The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts. The organization being inspected/assessed documents and implements a process to prohibit the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts. Identifier Management | Prohibit Account Identifiers As Public Identifiers IA-4 (1) IA-4(1).1 Prohibiting the use of information system account identifiers that are the same as some public identifier, such as the individual identifier section of an electronic mail address, makes it more difficult for adversaries to guess user identifiers on organizational information systems. Related control: AT-2. The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.
CCI-000797 The organization requires that registration to receive a user ID and password include authorization by a supervisor.
CCI-000798 The organization requires that registration to receive a user ID and password be done in person before a designated registration authority.
CCI-000799 The organization requires multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority. The organization conducting the inspection/assessment obtains and examines the documented process and interviews personnel with identifier management responsibilities to ensure the organization being inspected/assessed requires multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority. The organization being inspected/assessed documents and implements a process to require multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority. Identifier Management | Multiple Forms Of Certification IA-4 (3) IA-4(3).1 Requiring multiple forms of identification reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries. The organization requires multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority.
CCI-000800 The organization defines characteristics for identifying individual status. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the characteristics as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil); - DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and - automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command). Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil. DoD has defined the characteristics as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil); - DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and - automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command). Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil. Identifier Management | Identify User Status IA-4 (4) IA-4(4).1 Characteristics identifying the status of individuals include, for example, contractors and foreign nationals. Identifying the status of individuals by specific characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor. Related control: AT-2. The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
CCI-000801 The organization manages individual identifiers by uniquely identifying each individual by organization-defined characteristics identifying individual status. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed manages individual identifiers by uniquely identifying each individual as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil); - DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and - automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command). Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil. DoD has defined the characteristics as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil); - DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and - automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command). Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil. The organization being inspected/assessed documents and implements a process to manage individual identifiers by uniquely identifying each individual as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil); - DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and - automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command). Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil. DoD has defined the characteristics as contractor or government employee and by nationality. User identifiers will follow the same format as DoD user e-mail addresses (john.smith.ctr@army.mil or john.smith.uk@army.mil); - DoD user e-mail display names (e.g., John Smith, Contractor <john.smith.ctr@army.mil> or John Smith, United Kingdom <john.smith.uk@army.mil>); and - automated signature blocks (e.g., John Smith, Contractor, J-6K, Joint Staff or John Doe, Australia, LNO, Combatant Command). Contractors who are also foreign nationals are identified as both, e.g., john.smith.ctr.uk@army.mil. Identifier Management | Identify User Status IA-4 (4) IA-4(4).2 Characteristics identifying the status of individuals include, for example, contractors and foreign nationals. Identifying the status of individuals by specific characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor. Related control: AT-2. The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
CCI-000802 The information system dynamically manages identifiers, attributes, and associated access authorizations.
CCI-000803 The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 803. The organization being inspected/assessed configures the information system to implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 803. Cryptographic Module Authentication IA-7 IA-7.1 Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13. The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
CCI-000804 The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 804. The organization being inspected/assessed configures the information system to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 804. Identification And Authentication (Non-Organizational Users) IA-8 IA-8.1 Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8. The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
CCI-000805 The organization develops and documents an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. Incident Response Policy And Procedures IR-1 IR-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
CCI-000806 The organization disseminates an incident response policy to organization-defined personnel or roles. CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. DoD disseminates via http://www.dtic.mil/cjcs_directives/, CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 to all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. Incident Response Policy And Procedures IR-1 IR-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
CCI-000807 The organization reviews and updates the current incident response policy in accordance with organization-defined frequency. CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. Incident Response Policy And Procedures IR-1 IR-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
CCI-000808 The organization defines the frequency with which to review and update the current incident response policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of issuance. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of issuance. Incident Response Policy And Procedures IR-1 IR-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
CCI-000809 The organization develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls. CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. Incident Response Policy And Procedures IR-1 IR-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
CCI-000810 The organization disseminates incident response procedures to organization-defined personnel or roles. CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. DoD disseminates via http://www.dtic.mil/cjcs_directives/, CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 to all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. DoD Components are automatically compliant with this CCI because they are covered by the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. Incident Response Policy And Procedures IR-1 IR-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
CCI-000811 The organization reviews and updates the current incident response procedures in accordance with organization-defined frequency. CJCSI 6510.01F "Information Assurance and Support to Computer Network Defense," CJCSM 6510.01B, "Cyber Incident Handling Program," DoDD O-8530.1, and DoDI O-8530.2 meet the DoD requirements for incident response policy and procedures. DoD Components are automatically compliant with this CCI because they are covered at the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. DoD has defined the frequency as reviewed annually - updated as appropriate. DoD (in conjunction with Joint Staff for CJCSIs) reviews and updates current incident response procedures (CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2) annually. DoD Components are automatically compliant with this CCI because they are covered at the DoD level with the following policies: CJCSI 6510.01F, CJCSM 6510.01B, DoDD O-8530.1, and DoDI O-8530.2. DoD has defined the frequency as reviewed annually - updated as appropriate. Incident Response Policy And Procedures IR-1 IR-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
CCI-000812 The organization defines the frequency with which to review and update the current incident response procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate. DoD has defined the frequency as reviewed annually - updated as appropriate. Incident Response Policy And Procedures IR-1 IR-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
CCI-000834 The organization defines a time period for personnel to report suspected security incidents to the organizational incident response capability. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance. The organization conducting the inspection/assessment obtains and examines the incident response plan to determine if more stringent response time requirements have been identified. DoD has defined the time period as the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance. If organizations decide to be more restrictive than the guidance in the CJCSM, then they should address the more restrictive response time requirements in their incident response plan. Incident Reporting IR-6 IR-6.1 The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8. The organization: a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and b. Reports security incident information to [Assignment: organization-defined authorities].
CCI-000835 The organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period. The organization conducting the inspection/assessment obtains and examines the user agreement to ensure users are required to report suspected security incidents to the organizational incident response capability within the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance. DoD has defined the time period as the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance. The organization being inspected/assessed documents within the user agreement the requirement for all system users to report suspected security incidents to the organizational incident response capability within the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance. DoD has defined the time period as the timeframes specified by CJCSM 6510.01B (Table C-A-1) unless the data owner provides more restrictive guidance. Incident Reporting IR-6 IR-6.2 The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8. The organization: a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and b. Reports security incident information to [Assignment: organization-defined authorities].
CCI-000836 The organization reports security incident information to organization-defined authorities. The organization conducting the inspection/assessment obtains and examines a sample of previous security incidents to ensure the incidents were reported to the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT) IAW the incident response plan (IR-8). Reporting shall be conducted IAW CJCSM 6510.01B. DoD has defined the authorities as the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). The organization being inspected/assessed documents and implements a process to report any security incidents to the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT) IAW the incident response plan (IR-8). Reporting shall be conducted IAW CJCSM 6510.01B. DoD has defined the authorities as the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). Incident Reporting IR-6 IR-6.3 The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8. The organization: a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and b. Reports security incident information to [Assignment: organization-defined authorities].
CCI-000837 The organization employs automated mechanisms to assist in the reporting of security incidents. The organization conducting the inspection/assessment obtains and examines the incident handling plan to ensure that there are procedures identified to leverage the JIMS. The organization being inspected/assessed will document within their incident handling plan, procedures to leverage the Joint Incident Management System (JIMS). For the DoD, JIMS is the automated mechanism. Incident Reporting | Automated Reporting IR-6 (1) IR-6(1).1 Related control: IR-7. The organization employs automated mechanisms to assist in the reporting of security incidents.
CCI-000838 The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines a sample of previous security incidents to ensure the associated vulnerabilities were reported to personnel defined in IR-6 (2), CCI 2792 IAW the incident response plan (IR-8). Reporting shall be conducted IAW CJCSM 6510.01B. The organization being inspected/assessed documents and implements a process to report to personnel defined in IR-6 (2), CCI 2792 information system vulnerabilities associated with reported security incidents IAW the incident response plan (IR-8). Reporting shall be conducted IAW CJCSM 6510.01B. Incident Reporting | Vulnerabilities Related To Incidents IR-6 (2) IR-6(2).1 The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel].
CCI-000839 The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The organization conducting the inspection/assessment will interview organizational users to determine awareness of incident response support services and quality of assistance of those services when used. If interviewing organizational users is not feasible, then review user manuals/documentation to ensure they identify an incident response support service to contact. The organization being inspected/assessed will establish an incident response support service, analogous to an IT help desk, to provide advice and assistance to users for handling and reporting of security incidents. Incident Response Assistance IR-7 IR-7.1 Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required. Related controls: AT-2, IR-4, IR-6, IR-8, SA-9. The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
CCI-000840 The organization employs automated mechanisms to increase the availability of incident response-related information and support. The organization conducting the inspection/assessment obtains and examines the incident response information sharing capability to validate the information sharing capability is available to organizational users. The organization being inspected/assessed will implement an automated intra-organization incident response information sharing capability to provide the following incident related information and support, for example: 1. SOP for incident reporting 2. Incident handling FAQ 3. Current incident activity awareness information 4. Incident response contact information 5. Incident report submission Incident Response Assistance | Automation Support For Availability Of Information / Support IR-7 (1) IR-7(1).1 Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. The organization employs automated mechanisms to increase the availability of incident response related information and support.
CCI-000841 The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability. The organization conducting the inspection/assessment obtains and examines the formal agreement document between the organization and CNDSP to validate it is current and valid. The organization being inspected/assessed must establish a formal agreement with a computer network defense service provider (CNDSP). Incident Response Assistance | Coordination With External Providers IR-7 (2) IR-7(2).1 External providers of information system protection capability include, for example, the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. The organization: (a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and (b) Identifies organizational incident response team members to the external providers.
CCI-000842 The organization identifies organizational incident response team members to the external providers. The organization conducting the inspection/assessment obtains and examines the list of internal incident response team members to validate it is accurate and current. Interviews with CNDSP personnel and organizational incident response team members may also be conducted. The organization being inspected/assessed must provide and update the list of internal incident response team members as necessary throughout the lifecycle of the CNDSP agreement, in conjunction with the CNDSP agreement. Incident Response Assistance | Coordination With External Providers IR-7 (2) IR-7(2).2 External providers of information system protection capability include, for example, the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. The organization: (a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and (b) Identifies organizational incident response team members to the external providers.
CCI-000843 The organization develops an incident response plan that provides the organization with a roadmap for implementing its incident response capability; describes the structure and organization of the incident response capability; provides a high-level approach for how the incident response capability fits into the overall organization; meets the unique requirements of the organization, which relate to mission, size, structure, and functions; defines reportable incidents; provides metrics for measuring the incident response capability within the organization; and defines the resources and management support needed to effectively maintain and mature an incident response capability.
CCI-000844 The organization develops an incident response plan that is reviewed and approved by organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines the incident response plan to validate it has been properly signed by at a minimum, the ISSM and ISSO. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. The organization being inspected/assessed will have an incident response plan signed and approved by at a minimum, the ISSM and ISSO. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. Incident Response Plan IR-8 IR-8.10 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-000845 The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom copies of the incident response plan are distributed. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the list as all stakeholders identified in the incident response plan. DoD has defined the list as all stakeholders identified in the incident response plan. Incident Response Plan IR-8 IR-8.11 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-000846 The organization distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements. The organization conducting the inspection/assessment obtains and examines the organizationally approved information sharing mechanism to validate all stakeholders identified in the incident response plan have adequate access to the incident response plan. DoD has defined the list as all stakeholders identified in the incident response plan. The organization being inspected/assessed makes the incident response plan available to all stakeholders identified in the incident response plan via an organizationally approved information sharing mechanism. DoD has defined the list as all stakeholders identified in the incident response plan. Incident Response Plan IR-8 IR-8.12 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-000847 The organization defines the frequency for reviewing the incident response plan. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least annually (incorporating lessons learned from past incidents). DoD has defined the frequency as at least annually (incorporating lessons learned from past incidents). Incident Response Plan IR-8 IR-8.13 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-000848 The organization reviews the incident response plan on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the incident response plan to validate it is current and has been reviewed within the last year. DoD has defined the frequency as at least annually (incorporating lessons learned from past incidents). The organization being inspected/assessed will conduct reviews of its incident response plan at least annually. DoD has defined the frequency as at least annually (incorporating lessons learned from past incidents). Incident Response Plan IR-8 IR-8.14 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-000849 The organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing. The organization conducting the inspection/assessment obtains and examines documentation of the update actions for the incident response plan to ensure the organization is updating the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing and incorporating lessons learned from past incidents (IR-4a). The organization being inspected/assessed must update the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing and incorporate lessons learned from past incidents (IR-4a). The organization must document the update actions as an audit trail. Incident Response Plan IR-8 IR-8.15 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-000850 The organization communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements. The organization conducting the inspection/assessment examines the incident response plan via the inspected organization's information sharing capability (e.g., portal, intranet, email, etc.) to ensure it has been communicated to all stakeholders identified in the incident response plan, not later than 30 days after the change is made. DoD has defined the incident response personnel as all stakeholders identified in the incident response plan, not later than 30 days after the change is made. The organization being inspected/assessed communicates incident response plan changes to all stakeholders identified in the incident response plan, not later than 30 days after the change is made. DoD has defined the incident response personnel as all stakeholders identified in the incident response plan, not later than 30 days after the change is made. Incident Response Plan IR-8 IR-8.16 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-000865 The organization approves information system maintenance tools. The organization conducting the inspection/assessment: 1. obtains and examines the Security Plan to ensure the list of approved maintenance tools is documented; 2. ensures only the approved maintenance tools are used within the system. The organization being inspected/assessed documents the approved maintenance tools within the Security Plan. Maintenance Tools MA-3 MA-3.1 This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6. The organization approves, controls, and monitors information system maintenance tools.
CCI-000866 The organization controls information system maintenance tools. The organization conducting the inspection/assessment: 1. obtains and examines the Security Plan to identify the list of approved maintenance tools; 2. ensures the organization being inspected/assessed controls the approved information system maintenance tools. The organization being inspected/assessed controls information system maintenance tools that are approved IAW MA-3, CCI 865. Maintenance Tools MA-3 MA-3.2 This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6. The organization approves, controls, and monitors information system maintenance tools.
CCI-000867 The organization monitors information system maintenance tools. The organization conducting the inspection/assessment obtains and examines: 1. the Security Plan to identify the list of approved maintenance tools; and 2. documented procedures to identify how the use of maintenance tools is monitored; and 3. reviews evidence that the monitoring is conducted IAW the documented procedures. The organization being inspected/assessed develops and implements procedures to monitor the use of the approved information system maintenance tools IAW MA-3, CCI 865. Records of monitoring activity must be maintained. Maintenance Tools MA-3 MA-3.3 This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6. The organization approves, controls, and monitors information system maintenance tools.
CCI-000868 The organization maintains, on an ongoing basis, information system maintenance tools.
CCI-000869 The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. The organization conducting the inspection/assessment obtains and examines procedures for, and records of, inspection of the maintenance tools carried into a facility by maintenance personnel to ensure the tools are inspected for improper or unauthorized modifications. The organization being inspected/assessed documents the procedures for, and implements, inspections of the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. Records of inspection must be maintained. Maintenance Tools | Inspect Tools MA-3 (1) MA-3(1).1 If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. Related control: SI-7. The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
CCI-000870 The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. The organization conducting the inspection/assessment obtains and examines the procedures for checking all diagnostic and test media for malicious code, and a sampling of configuration files and audit logs of the tool set used to check media. The purpose of the review is to ensure the organization being inspected/assessed checks all media containing diagnostic and test programs for malicious code before the media are used in the information system. The organization being inspected/assessed: 1. documents and implements procedures to check all media containing diagnostic and test programs for malicious code before the media are used in the information system; and 2. Runs an automated tool set to check all media containing diagnostic and test programs for malicious code before the media are used in the information system. The organization must maintain configuration files for the automated tool set and audit logs of the tool set used to check media. Maintenance Tools | Inspect Media MA-3 (2) MA-3(2).1 If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3. The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.
CCI-000871 The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) verifying that there is no organizational information contained on the equipment; (b) sanitizing or destroying the equipment; (c) retaining the equipment within the facility; or (d) obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility. The organization conducting the inspection/assessment obtains and examines the documented process and record of maintenance equipment removal to ensure the organization being inspected/assessed takes one of the four actions listed in the implementation guidance. The organization being inspected/assessed documents and implements a process to take one of the following actions before authorizing removal of maintenance equipment from the facility: 1. verify there is no organizational information contained on the maintenance equipment; 2. sanitize or destroy the equipment; 3. retain the equipment within the facility; or 4. obtain an exemption from personnel or roles defined in MA-3 (3), CCI 2882 explicitly authorizing removal of the equipment from the facility. The organization must maintain a record of maintenance equipment removal and actions taken. Maintenance Tools | Prevent Unauthorized Removal MA-3 (3) MA-3(3).1 Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel] explicitly authorizing removal of the equipment from the facility.
CCI-000872 The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
CCI-000890 The organization establishes a process for maintenance personnel authorization. The organization conducting the inspection/assessment obtains and examines procedures addressing maintenance personnel to ensure that the organization being inspected/assessed has established processes for the authorization of maintenance personnel. The organization being inspected/assessed clearly defines, documents, and establishes a process for the authorization of maintenance personnel. Maintenance Personnel MA-5 MA-5.1 This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3. The organization: a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
CCI-000891 The organization maintains a list of authorized maintenance organizations or personnel. The organization conducting the inspection/assessment obtains and examines the current list of authorized maintenance organizations or personnel to ensure the organization being inspected/assessed is maintaining the list. The organization being inspected/assessed maintains a current list of authorized maintenance organizations or personnel. Maintenance Personnel MA-5 MA-5.2 This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3. The organization: a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
CCI-000892 The organization ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance.
CCI-000893 The organization implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens. The organization conducting the inspection/assessment obtains and examines the procedures identified in MA-5, CCI 890 to ensure they include specific procedures for maintenance personnel that lack appropriate security clearances or are not U.S. citizens. The organization being inspected/assessed documents and implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens in the procedures documented IAW MA-5, CCI 890. Maintenance Personnel | Individuals Without Appropriate Access MA-5 (1) MA-5(1).1 This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. The organization: (a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
CCI-000894 The organization requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals to be escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified. The organization conducting the inspection/assessment obtains and examines the records of maintenance personnel who access the system to ensure the organization being inspected/assessed requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals to be escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified. The organization being inspected/assessed requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals to be escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified. The organization must maintain records of maintenance personnel who access the system including information on escorts. Maintenance Personnel | Individuals Without Appropriate Access MA-5 (1) MA-5(1).2 This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. The organization: (a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
CCI-000895 The organization requires that, prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system be sanitized and all nonvolatile storage media be removed or physically disconnected from the system and secured. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed sanitizes, removes, or physically disconnects all nonvolatile storage media from the system prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals. The organization being inspected/assessed documents and implements a process to sanitize, remove, or physically disconnect all nonvolatile storage media from the system prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals. Maintenance Personnel | Individuals Without Appropriate Access MA-5 (1) MA-5(1).3 This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. The organization: (a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
CCI-000896 The organization requires that in the event an information system component cannot be sanitized, the procedures contained in the security plan for the system be enforced.
CCI-000897 The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system. The organization being inspected/assessed documents and implements a process to ensure that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system. Maintenance Personnel | Security Clearances For Classified Systems MA-5 (2) MA-5(2).1 Related control: PS-3. The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.
CCI-000898 The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens. The organization being inspected/assessed documents and implements a process to ensure that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens. Maintenance Personnel | Citizenship Requirements For Classified Systems MA-5 (3) MA-5(3).1 Related control: PS-3. The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.
CCI-000899 The organization ensures that cleared foreign nationals (i.e., foreign nationals with appropriate security clearances) are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments. The organization being inspected/assessed documents and implements a process to ensure that cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments. Maintenance Personnel | Foreign Nationals MA-5 (4) MA-5(4).1 Related control: PS-3. The organization ensures that: (a) Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and (b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.
CCI-000900 The organization ensures that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements. The organization being inspected/assessed documents and implements a process to ensure that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements. Maintenance Personnel | Foreign Nationals MA-5 (4) MA-5(4).2 Related control: PS-3. The organization ensures that: (a) Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and (b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.
CCI-000901 The organization defines a list of security-critical information system components and/or key information technology components for which it will obtain maintenance support and/or spare parts.
CCI-000902 The organization defines a time period for obtaining maintenance support and/or spare parts for security-critical information system components and/or key information technology components.
CCI-000903 The organization obtains maintenance support and/or spare parts for organization-defined information system components within an organization-defined time period of failure. The organization conducting the inspection/assessment obtains evidence that maintenance support is available for information system components defined in MA-6, CCI 2896 and that the support will be provided within 24 hours (Low and Moderate Availability) or immediately upon failure (High Availability). Evidence can include maintenance support contracts, inventories of spare parts, etc. DoD has defined the time period as within 24 hours (Low and Moderate Availability) or immediately upon failure (High Availability). The organization being inspected/assessed obtains maintenance support and/or spare parts for information system components defined in MA-6, CCI 2896 within 24 hours (Low and Moderate Availability) or immediately upon failure (High Availability). DoD has defined the time period as within 24 hours (Low and Moderate Availability) or immediately upon failure (High Availability). Timely Maintenance MA-6 MA-6.1 Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place. Related controls: CM-8, CP-2, CP-7, SA-14, SA-15. The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.
CCI-000904 The organization develops and documents a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. Physical And Environmental Protection Policy And Procedures PE-1 PE-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and 2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
CCI-000905 The organization disseminates a physical and environmental protection policy to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 5200.08 and DoD 5200.08-R. DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities. DoD disseminates DoDI 5200.08 and DoD 5200.08-R organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities. Physical And Environmental Protection Policy And Procedures PE-1 PE-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and 2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
CCI-000906 The organization reviews and updates the current physical and environmental protection policy in accordance with organization-defined frequency. DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. Physical And Environmental Protection Policy And Procedures PE-1 PE-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and 2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
CCI-000907 The organization defines the frequency with which to review and update the physical and environmental protection policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. Physical And Environmental Protection Policy And Procedures PE-1 PE-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and 2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
CCI-000908 The organization develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. Physical And Environmental Protection Policy And Procedures PE-1 PE-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and 2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
CCI-000909 The organization disseminates physical and environmental protection procedures to organization-defined personnel or roles. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 5200.08 and DoD 5200.08-R. DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities. DoD disseminates DoDI 5200.08 and DoD 5200.08-R organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities. Physical And Environmental Protection Policy And Procedures PE-1 PE-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and 2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
CCI-000910 The organization reviews and updates the current physical and environmental protection procedures in accordance with organization-defined frequency. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. DoD has defined the frequency as reviewed annually - updated as appropriate. DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. DoD has defined the frequency as reviewed annually - updated as appropriate. Physical And Environmental Protection Policy And Procedures PE-1 PE-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and 2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
CCI-000911 The organization defines the frequency with which to review and update the physical and environmental protection procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate. DoD has defined the frequency as reviewed annually - updated as appropriate. Physical And Environmental Protection Policy And Procedures PE-1 PE-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and 2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
CCI-000919 The organization enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides. The organization conducting the inspection/assessment performs a physical inspection of facility entry/exit points defined in PE-3, CCI 2915 to ensure that either physical access authorization controls are in place for those access points considered normal access points or are properly secured. Physical access points that are not documented or are not secured would be a failure of this control. The organization being inspected/assessed will implement physical access authorizations at entry/exit points defined in PE-3, CCI 2915 and secure those physical access points (i.e., doors and/or windows) that are not intended for normal access. Physical Access Control PE-3 PE-3.1 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
CCI-000920 The organization verifies individual access authorizations before granting access to the facility. The organization conducting the inspection/assessment obtains and examines the access authorization list of personnel that have access to the facility (per access list implemented through PE-2, CCI 000912) where the information system resides. Inspect selected facilities to confirm the inspected organization is granting access at all physical access points to only authorized personnel. The organization being inspected/assessed verifies and grants access to facilities based upon individual access authorizations. Physical Access Control PE-3 PE-3.3 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
CCI-000921 The organization controls ingress/egress to the facility where the information system resides using one or more organization-defined physical access control systems/devices or guards. The organization conducting the inspection/assessment obtains and examines the list of physical access control devices and/or guards in use defined in PE-3, CCI 2916 and conducts random inspections of entry points. The purpose is to determine whether the organization is using those physical access devices and/or guards to control entry of personnel into the facility hosting the information system. The organization being inspected/assessed will control ingress/egress to the facility using the physical access control devices and/or guards defined in PE-3, CCI 2916. Physical Access Control PE-3 PE-3.4 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
CCI-000922 The organization controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.
CCI-000923 The organization secures keys, combinations, and other physical access devices. The organization conducting the inspection/assessment conducts physical inspections and interviews physical security/safety personnel to validate the organization has taken the proper precautions, and established the proper procedures to ensure it has adequately secured its keys, combinations, and other physical devices. The organization being inspected/assessed will secure as appropriate (in safes or secure containers) items used for physical access control such as keys, combinations, portable locks, etc. Fixed access control devices such as card readers, installed locks, key pads, etc. should be protected from tampering. Physical Access Control PE-3 PE-3.14 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
CCI-000924 The organization inventories organization-defined physical access devices on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the inventory records of, at a minimum, keys or any other physical token used to gain access to ensure the inventory is being conducted annually. DoD has defined the frequency as annually. DoD has defined the physical access devices as, at a minimum, keys or any other physical token used to gain access. The organization being inspected/assessed conducts and documents, annually, an inventory of, at a minimum, keys or any other physical token used to gain access. Inventory documents must be retained for at least one year beyond the completion of the next inventory. DoD has defined the frequency as annually. DoD has defined the physical access devices as, at a minimum, keys or any other physical token used to gain access. Physical Access Control PE-3 PE-3.15 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
CCI-000925 The organization defines the frequency for conducting inventories of organization-defined physical access devices. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Physical Access Control PE-3 PE-3.16 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
CCI-000926 The organization changes combinations and keys in accordance with organization-defined frequency and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. The organization conducting the inspection/assessment obtains and examines documentation of these change actions to validate the organization is changing its keys and combinations upon occurrence of security-relevant events and when keys are lost, combinations are compromised, or individuals are transferred or terminated. DoD has defined the frequency as required by security-relevant events. The organization being inspected/assessed will document each occurrence of these change actions, with the reason for the action, as an audit trail for future reference. DoD has defined the frequency as required by security-relevant events. Physical Access Control PE-3 PE-3.18 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
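The PE-3 rows above (CCI-000920: verify individual access authorizations before granting access; CCI-000926: change keys and combinations when individuals are transferred or terminated) are assessed by comparing what the facility actually admitted against the PE-2 authorization list and personnel actions. Where the audit log is automated (the control guidance's example of capturing the ID presented by a PIV card), that comparison can be scripted. The following is an added example, not part of the CCI table or of any DISA or DoD tooling; the log format, field names, badge IDs, dates and the "GRANTED"/"DENIED" result values are all constructed assumptions for illustration.

```python
"""Reconcile an automated physical access audit log against the access
authorization list (PE-3 a.1, CCI-000920) and personnel terminations
(PE-3 g, CCI-000926).

Added example. The CSV layout "timestamp,door,badge_id,result" and every
record below are constructed for illustration; real physical access
control systems export their own formats.
"""
from datetime import datetime
from typing import Dict, List, NamedTuple, Set


class AccessEvent(NamedTuple):
    when: datetime
    door: str
    badge_id: str
    result: str  # "GRANTED" or "DENIED" as recorded by the (hypothetical) reader


# Constructed sample export from a badge reader on a server-room door.
SAMPLE_LOG = """\
2024-03-04T07:58:12,SRV-ROOM-1,PIV-1001,GRANTED
2024-03-04T08:03:40,SRV-ROOM-1,PIV-1002,GRANTED
2024-03-04T12:15:09,SRV-ROOM-1,PIV-2047,GRANTED
2024-03-05T09:20:00,SRV-ROOM-1,PIV-1003,GRANTED
2024-03-05T09:21:30,SRV-ROOM-1,PIV-9999,DENIED
"""

# Constructed PE-2 authorization list. Note that PIV-1003 is still listed
# even though its holder was terminated: that stale entry is exactly what
# the reconciliation is meant to surface.
AUTHORIZED: Set[str] = {"PIV-1001", "PIV-1002", "PIV-1003"}

# Constructed personnel actions: badge -> effective termination/transfer date.
TERMINATED: Dict[str, datetime] = {"PIV-1003": datetime(2024, 3, 1)}


def parse_access_log(text: str) -> List[AccessEvent]:
    """Parse the constructed CSV export into AccessEvent records."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, result = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), door, badge, result))
    return events


def unauthorized_grants(events: List[AccessEvent], authorized: Set[str]) -> List[AccessEvent]:
    """GRANTED events for badges that are not on the authorization list.

    A grant to an unlisted badge means the reader's own database has drifted
    from the PE-2 list, so the facility is not verifying individual access
    authorizations before granting access (PE-3 a.1). Denied attempts by
    unlisted badges are the control working and are not flagged here.
    """
    return [e for e in events if e.result == "GRANTED" and e.badge_id not in authorized]


def grants_after_termination(events: List[AccessEvent],
                             terminated: Dict[str, datetime]) -> List[AccessEvent]:
    """GRANTED events on or after the holder's termination/transfer date.

    The credential should have been revoked as a security-relevant event
    under PE-3 g; a grant after that date is a finding regardless of
    whether the badge is still on the authorization list.
    """
    return [e for e in events
            if e.result == "GRANTED"
            and e.badge_id in terminated
            and e.when >= terminated[e.badge_id]]


def reconcile(text: str, authorized: Set[str],
              terminated: Dict[str, datetime]) -> Dict[str, List[AccessEvent]]:
    """Run both checks over one log export and return the findings by kind."""
    events = parse_access_log(text)
    return {
        "unauthorized": unauthorized_grants(events, authorized),
        "post_termination": grants_after_termination(events, terminated),
    }


if __name__ == "__main__":
    for kind, found in reconcile(SAMPLE_LOG, AUTHORIZED, TERMINATED).items():
        for e in found:
            print(f"{kind}: {e.when.isoformat()} {e.door} {e.badge_id}")
```

Run against the constructed data, the first check flags the grant to PIV-2047 (a badge the authorization list never contained) and the second flags the grant to PIV-1003 on 2024-03-05, four days after its holder's termination date; the denied attempt by PIV-9999 is not reported. The assessor still has to confirm physically that the logged doors are the organization-defined entry/exit points and that undocumented access points do not exist, which no log review can show.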
CCI-000927 The organization defines a frequency for changing combinations and keys. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as required by security-relevant events. DoD has defined the frequency as required by security-relevant events. Physical Access Control PE-3 PE-3.19 This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
CCI-000928 The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility where the information system resides at organization-defined physical spaces containing one or more components of the information system. The organization conducting the inspection/assessment obtains and examines the documented list of additional physical access authorizations for the facility/facilities at physical spaces containing one or more components of the information system. The objective of the examination is to determine if the organization is enforcing additional physical access authorizations to areas of the facility at physical spaces containing one or more components of the information system defined in PE-3 (1), CCI 2926. These controls are independent of the physical access controls established for the facility. The organization being inspected/assessed will provide documentation of additional physical access authorizations for the facility/facilities at physical spaces containing one or more components of the information system defined in PE-3 (1), CCI 2926. The organization will ensure that these controls are separate from, and independent of, the physical access controls established for the facility. Physical Access Control | Information System Access PE-3 (1) PE-3(1).1 This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers). Related control: PS-2. The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].
CCI-000929 The organization performs security checks in accordance with organization-defined frequency at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components. The organization conducting the inspection/assessment obtains and examines the documented procedures as well as the audit trail of security checks at the physical boundary to ensure the organization being inspected/assessed performs security checks at the physical boundary of the facility or information system at a minimum, annually. DoD has defined the frequency as at a minimum, annually. The organization being inspected/assessed documents and implements procedures to perform security checks at the physical boundary of the facility or information system at a minimum, annually. The organization must maintain an audit trail of security checks at the physical boundary. DoD has defined the frequency as at a minimum, annually. Physical Access Control | Facility / Information System Boundaries PE-3 (2) PE-3(2).1 Organizations determine the extent, frequency, and/or randomness of security checks to adequately mitigate risk associated with exfiltration. Related controls: AC-4, SC-7. The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
CCI-000930 The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week. The organization conducting the inspection/assessment obtains the list of guards or alarms for every physical access point to the facility where the information system resides and visually verifies a sampling of access points to ensure the appropriate guard or alarm to monitor is in place 24 hours per day, 7 days per week. The organization being inspected/assessed employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week. The organization must create and maintain a list of guards or alarms for every physical access point to the facility where the information system resides 24 hours per day, 7 days per week. Physical Access Control | Continuous Guards / Alarms / Monitoring PE-3 (3) PE-3(3).1 Related controls: CP-6, CP-7. The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
CCI-000931 The organization uses lockable physical casings to protect organization-defined information system components from unauthorized physical access. The organization conducting the inspection/assessment performs a sample inspection of the lockable physical casings. The objective of the reviews is to validate the organization is using lockable physical casings to protect organization-defined information system components from unauthorized physical access. The organization being inspected/assessed will deploy and install lockable physical casings designed to protect organization-defined information system components from unauthorized physical access. Physical Access Control | Lockable Casings PE-3 (4) PE-3(4).1 The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.
CCI-000932 The organization defines information system components to be protected from unauthorized physical access using lockable physical casings. The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines information system components to be protected from unauthorized physical access using lockable physical casings. DoD has determined the information system components are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents information system components to be protected from unauthorized physical access using lockable physical casings. DoD has determined the information system components are not appropriate to define at the Enterprise level. Physical Access Control | Lockable Casings PE-3 (4) PE-3(4).2 The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.
CCI-000933 The organization employs organization-defined security safeguards to deter and/or prevent physical tampering or alteration of organization-defined hardware components within the information system. The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed employs security safeguards defined in PE-3 (5), CCI 2928 to deter and/or prevent physical tampering or alteration of hardware components defined in PE-3 (5), CCI 2929 within the information system. The organization being inspected/assessed employs security safeguards defined in PE-3 (5), CCI 2928 to deter and/or prevent physical tampering or alteration of hardware components defined in PE-3 (5), CCI 2929 within the information system. Physical Access Control | Tamper Protection PE-3 (5) PE-3(5).1 Organizations may implement tamper detection/prevention at selected hardware components or tamper detection at some components and tamper prevention at other components. Tamper detection/prevention activities can employ many types of anti-tamper technologies including, for example, tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks. Related control: SA-12. The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization defined hardware components] within the information system.
CCI-000934 The organization employs a penetration testing process that includes unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the inspected organization's physical security assessment plan and reviews documented results to ensure annual penetration testing of physical access points occurred. DoD has defined the frequency as annually. The organization being inspected/assessed executes, annually, a penetration testing process that includes unannounced attempts, as defined in its physical security assessment plan, to test the effectiveness of security controls in place for physical access points to the facility. Results of all penetration testing will be documented as an audit trail. DoD has defined the frequency as annually. Physical Access Control | Facility Penetration Testing PE-3 (6) PE-3(6).1 Related controls: CA-2, CA-7. The organization employs a penetration testing process that includes [Assignment: organization defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
CCI-000935 The organization defines the frequency of unannounced attempts to be included in a penetration testing process to bypass or circumvent security controls associated with physical access points to the facility. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Physical Access Control | Facility Penetration Testing PE-3 (6) PE-3(6).2 Related controls: CA-2, CA-7. The organization employs a penetration testing process that includes [Assignment: organization defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
CCI-000936 The organization controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards. The organization conducting the inspection/assessment inspects the information system distribution and transmission lines defined in PE-4, CCI 2930 to ensure the security safeguards defined in PE-4, CCI 2931 are in place. The organization being inspected/assessed controls physical access to information system distribution and transmission lines defined in PE-4, CCI 2930 within organizational facilities using security safeguards defined in PE-4, CCI 2931. Access Control For Transmission Medium PE-4 PE-4.1 Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
CCI-000937 The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. The organization conducting the inspection/assessment obtains and examines the list of additional access controls for output devices. Physical inspection is required to ensure these access controls are properly implemented. The organization being inspected/assessed will identify, document, and execute any additional access controls required for output devices above and beyond physical access controls already in place for the facility IAW DoD 5200.08-R and DoD 5200.01-M (Volumes 1-4). Access Control For Output Devices PE-5 PE-5.1 Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
CCI-000938 The organization monitors physical access to the information system to detect and respond to physical security incidents.
CCI-000939 The organization reviews physical access logs in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the inspected organization's physical access logs or records; physical access incident reports; and any other relevant documents or records. The purpose of the reviews is to determine if the organization is conducting reviews of the physical access logs every 30 days. DoD has defined the frequency as every 30 days. The organization being inspected/assessed will review physical access logs every 30 days. The organization must document each occurrence of the physical access log review, with results of any necessary incident analysis and action taken, as an audit trail for future reference. DoD has defined the frequency as every 30 days. Monitoring Physical Access PE-6 PE-6.4 Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8. The organization: a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c. Coordinates results of reviews and investigations with the organizational incident response capability.
CCI-000940 The organization defines a frequency for reviewing physical access logs. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 30 days. DoD has defined the frequency as every 30 days. Monitoring Physical Access PE-6 PE-6.5 Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8. The organization: a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c. Coordinates results of reviews and investigations with the organizational incident response capability.
CCI-000941 The organization coordinates results of reviews and investigations with the organization's incident response capability. The organization conducting the inspection/assessment obtains and examines documentation of physical security incidents to ensure coordination with the inspected organization's incident response capability occurred. The organization being inspected/assessed will coordinate the results of reviews and investigations of physical security incidents with the organization's incident response capability (for physical security incidents). Monitoring Physical Access PE-6 PE-6.6 Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8. The organization: a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c. Coordinates results of reviews and investigations with the organizational incident response capability.
CCI-000942 The organization monitors physical intrusion alarms and surveillance equipment. The organization conducting the inspection/assessment will observe and interview security personnel conducting monitoring activities to validate the organization is actively monitoring all physical intrusion alarms and surveillance equipment. The organization being inspected/assessed will actively monitor physical intrusion alarms and surveillance equipment. Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment PE-6 (1) PE-6(1).1 The organization monitors physical intrusion alarms and surveillance equipment.
CCI-000943 The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.
CCI-000944 The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
CCI-000945 The organization escorts visitors and monitors visitor activity, when required.
CCI-000946 The organization requires two forms of identification for visitor access to the facility.
CCI-000947 The organization maintains visitor access records to the facility where the information system resides for an organization-defined time period. The organization conducting the inspection/assessment obtains and examines visitor access records to determine if the organization is maintaining visitor access records to the facility where the information system resides for at least one year. DoD has defined the time period as at least one year. The organization being inspected/assessed must maintain visitor access records for their facilities for at least one year. DoD has defined the time period as at least one year. Visitor Access Records PE-8 PE-8.1 Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. The organization: a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and b. Reviews visitor access records [Assignment: organization-defined frequency].
CCI-000948 The organization reviews visitor access records in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit documentation of visitor access record review to ensure the inspected organization is conducting reviews every 30 days. DoD has defined the frequency as every 30 days. The organization being inspected/assessed conducts reviews of visitor access records every 30 days and must establish and maintain a documented audit trail within the authorization lifecycle. DoD has defined the frequency as every 30 days. Visitor Access Records PE-8 PE-8.3 Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. The organization: a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and b. Reviews visitor access records [Assignment: organization-defined frequency].
CCI-000949 The organization defines the frequency with which to review the visitor access records for the facility where the information system resides. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 30 days. DoD has defined the frequency as every 30 days. Visitor Access Records PE-8 PE-8.4 Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. The organization: a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and b. Reviews visitor access records [Assignment: organization-defined frequency].
CCI-000950 The organization employs automated mechanisms to facilitate the maintenance and review of access records. The organization conducting the inspection/assessment: 1. Obtains documentation identifying the automated mechanism in use by the inspected organization to facilitate the maintenance and review of access records; 2. Observes the use of the automated mechanism by the inspected organization. The organization being inspected/assessed will identify, document, and employ automated mechanisms to facilitate the maintenance and review of access records. Visitor Access Records | Automated Records Maintenance / Review PE-8 (1) PE-8(1).1 The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.
CCI-000951 The organization maintains a record of all physical access, both visitor and authorized individuals.
CCI-000952 The organization protects power equipment and power cabling for the information system from damage and destruction. The organization conducting the inspection/assessment obtains and examines the list of protective measures. Physical inspection of power equipment and power cabling will be done to ensure identified protective measures are in place. The organization being inspected/assessed provides a list of protective measures in place to prevent damage and/or destruction of power equipment and power cabling for their information system environment, IAW CP-2 (1), CCI 469. Power Equipment And Cabling PE-9 PE-9.1 Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites. Related control: PE-4. The organization protects power equipment and power cabling for the information system from damage and destruction.
CCI-000953 The organization employs redundant and parallel power cabling paths.
CCI-000954 The organization employs automatic voltage controls for organization-defined critical information system components. The organization conducting the inspection/assessment obtains the documentation of all mission critical IT Components required to have automatic voltage control mechanisms/devices in place (IAW PE-9 (2), CCI 955) and performs a visual inspection of at least a sample of that list to ensure automatic voltage control mechanisms are in place. DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions. The organization being inspected/assessed employs automatic voltage controls for all IT Components Critical to Execution of Missions. Automatic voltage controls are devices intended to eliminate voltage fluctuations (e.g., spikes). This control applies to voltage controls for mission critical IT Components and not for facilities. DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions. Power Equipment And Cabling | Automatic Voltage Controls PE-9 (2) PE-9(2).1 The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components].
CCI-000955 The organization defines critical information system components that require automatic voltage controls. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions. The organization being inspected/assessed must document all IT Components Critical to Execution of Missions. DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions. Power Equipment And Cabling | Automatic Voltage Controls PE-9 (2) PE-9(2).2 The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components].
CCI-000956 The organization provides the capability of shutting off power to the information system or individual system components in emergency situations. The organization conducting the inspection/assessment obtains and examines documentation of the capability to shut off the power to facilities or areas within facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms) in emergency situations. The purpose is to validate the organization has provided the capability of shutting off power in emergency situations. This control does not apply to individual workstations, laptops, printers, etc. This control only applies to facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms). The organization being inspected/assessed will establish and document the capability to shut off the power to facilities or areas within facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms) in emergency situations. Emergency Shutoff PE-10 PE-10.1 This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related control: PE-15. The organization: a. Provides the capability of shutting off power to the information system or individual system components in emergency situations; b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and c. Protects emergency power shutoff capability from unauthorized activation.
CCI-000957 The organization places emergency shutoff switches or devices in an organization-defined location by information system or system component to facilitate safe and easy access for personnel. The organization conducting the inspection/assessment will physically inspect emergency shutoff switches or devices for placement to validate the organization has installed the emergency shutoff switches or devices near more than one egress point of the IT area and ensures each is labeled and protected by a cover to prevent accidental shut-off, to facilitate safe and easy access for personnel. DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off. This control does not apply to individual workstations, laptops, printers, etc. This control only applies to facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms). The organization being inspected/assessed places emergency shutoff switches or devices near more than one egress point of the IT area and ensures each is labeled and protected by a cover to prevent accidental shut-off, to facilitate safe and easy access for personnel. DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off. Emergency Shutoff PE-10 PE-10.2 This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related control: PE-15. The organization: a. Provides the capability of shutting off power to the information system or individual system components in emergency situations; b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and c. Protects emergency power shutoff capability from unauthorized activation.
CCI-000958 The organization defines a location for emergency shutoff switches or devices by information system or system component. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off. DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off. Emergency Shutoff PE-10 PE-10.3 This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related control: PE-15. The organization: a. Provides the capability of shutting off power to the information system or individual system components in emergency situations; b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and c. Protects emergency power shutoff capability from unauthorized activation.
CCI-000959 The organization protects emergency power shutoff capability from unauthorized activation. The organization conducting the inspection/assessment will ensure that the inspected organization has protected emergency power shutoff capability. DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off. The organization being inspected/assessed will protect emergency power shutoff capability. DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off. Emergency Shutoff PE-10 PE-10.4 This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related control: PE-15. The organization: a. Provides the capability of shutting off power to the information system or individual system components in emergency situations; b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and c. Protects emergency power shutoff capability from unauthorized activation.
CCI-000960 The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
CCI-000961 The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source. The organization conducting the inspection/assessment obtains and examines the list of physical IT assets within the boundary of the information system that require a long-term alternate power supply, and physically inspects a sample from the list to ensure that long-term power supply capability supporting minimal operational capability has been provided. The organization being inspected/assessed will: 1. Implement an alternate power supply capable of supporting minimal operational capability over the long term; 2. Provide a list of physical IT assets within the boundary of the information system that require a long-term alternate power supply. This list may come from the inspected organization's security plan, continuity plan, or other documentation. Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability PE-11 (1) PE-11(1).1 This control enhancement can be satisfied, for example, by the use of a secondary commercial power supply or other external power supply. Long-term alternate power supplies for the information system can be either manually or automatically activated. The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
CCI-000962 The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.
CCI-000963 The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. The organization conducting the inspection/assessment conducts visual inspections and interviews physical security personnel to validate that the organization is in compliance with established OSHA requirements by employing and maintaining emergency lighting for the information system, that the emergency lighting activates in the event of a power outage or disruption, and that it covers emergency exits and evacuation routes within the facility. The organization being inspected/assessed must install and maintain automatic emergency lighting for the information system that activates in the event of a power outage or disruption and covers emergency exits and evacuation routes within the facility in compliance with established OSHA requirements. Emergency Lighting PE-12 PE-12.1 This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related controls: CP-2, CP-7. The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
CCI-000964 The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
CCI-000981 The organization authorizes organization-defined types of information system components entering and exiting the facility. The organization conducting the inspection/assessment obtains and examines records authorizing all system components entering and exiting the facility. DoD has defined the types of information system components as all system components. The organization being inspected/assessed authorizes and maintains authorization records of all system components entering and exiting the facility. DoD has defined the types of information system components as all system components. Delivery And Removal PE-16 PE-16.1 Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
CCI-000982 The organization monitors organization-defined types of information system components entering and exiting the facility. The organization conducting the inspection/assessment obtains and examines records monitoring all system components entering and exiting the facility. DoD has defined the types of information system components as all system components. The organization being inspected/assessed monitors all system components entering and exiting the facility. DoD has defined the types of information system components as all system components. Delivery And Removal PE-16 PE-16.2 Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
CCI-000983 The organization controls organization-defined types of information system components entering and exiting the facility. The organization conducting the inspection/assessment obtains and examines the physical and environmental protection plan to determine if controls have been documented for all system components entering and exiting the facility and visually inspects the controls (e.g., logs, scans, etc.) to ensure implementation. DoD has defined the types of information system components as all system components. The organization being inspected/assessed: 1. Documents in their physical and environmental protection plan (PE-1) controls for all system components entering and exiting the facility. 2. Implements documented controls for system components entering and exiting the facility. DoD has defined the types of information system components as all system components. Delivery And Removal PE-16 PE-16.3 Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
CCI-000984 The organization maintains records of information system components entering and exiting the facility. The organization conducting the inspection/assessment obtains and examines records of physical entry and exit events to the facility. The purpose of the reviews is to ensure the organization is maintaining detailed and accurate records of information system components that enter and exit the facility. If the organization is following GRS 18, Section 12 they are automatically compliant. The organization being inspected/assessed will maintain records of all information system components entering and exiting the facility. If the organization is following General Records Schedule (GRS) 18, Section 12 they are automatically compliant. Delivery And Removal PE-16 PE-16.4 Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
CCI-000985 The organization employs organization-defined security controls at alternate work sites. The organization conducting the inspection/assessment obtains and examines the alternate work site policy of the organization being inspected/assessed to ensure the organization implements security controls defined in PE-17, CCI 2975 at alternate work sites. The organization being inspected/assessed implements security controls defined in PE-17, CCI 2975 at alternate work sites. Alternate work sites are further defined in the definitions associated with this implementation guide. Organizational telework policies should be used to address alternate work sites that are private residences. Comment: For classified information see DoD 5200.01 Vol 3 Manual. Alternate Work Site PE-17 PE-17.1 Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7. The organization: a. Employs [Assignment: organization-defined security controls] at alternate work sites; b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
CCI-000986 The organization defines management, operational, and technical information system security controls to be employed at alternate work sites.
CCI-000987 The organization assesses as feasible, the effectiveness of security controls at alternate work sites. The organization conducting the inspection/assessment obtains and examines: 1. The procedures for assessing the effectiveness of alternate work site security controls. 2. The audit records of assessments they have conducted of security controls effectiveness for alternate work sites. The organization being inspected/assessed must implement procedures to assess, when feasible, the effectiveness of the documented alternate work site security controls. The organization must document results of conducted assessments as part of an audit trail. Alternate work sites are further defined in the definitions associated with this implementation guide. Alternate Work Site PE-17 PE-17.3 Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7. The organization: a. Employs [Assignment: organization-defined security controls] at alternate work sites; b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
CCI-000988 The organization provides a means for employees to communicate with information security personnel in case of security incidents or problems. The organization conducting the inspection/assessment obtains and examines contact information for appropriate security personnel to ensure its accuracy and dissemination. The organization being inspected/assessed must disseminate current contact information for appropriate security personnel to all employees; for example, telephone or e-mail. Alternate Work Site PE-17 PE-17.4 Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7. The organization: a. Employs [Assignment: organization-defined security controls] at alternate work sites; b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
CCI-000989 The organization positions information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards. The organization conducting the inspection/assessment reviews the physical and environmental protection policy developed in PE-1, CCI 000904 to validate that the systems have been positioned according to the environmental policy. The organization being inspected/assessed positions information system components within the facility to minimize potential damage from physical and environmental hazards defined in PE-18, CCI 2976 specific to the location of the information system as documented in PE-1, CCI 000904. Location Of Information System Components PE-18 PE-18.1 Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3. The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
CCI-000990 The organization positions information system components within the facility to minimize potential damage from environmental hazards.
CCI-000991 The organization positions information system components within the facility to minimize the opportunity for unauthorized access. The organization conducting the inspection/assessment reviews the physical and environmental protection policy developed in PE-1, CCI 000904 to validate that the systems have been positioned according to the environmental policy. The organization being inspected/assessed positions information system components within the facility to minimize the opportunity for unauthorized access specific to the location of the information system as documented in PE-1, CCI 000904. Location Of Information System Components PE-18 PE-18.2 Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3. The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
CCI-000992 The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards, and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
CCI-000993 The organization protects the information system from information leakage due to electromagnetic signals emanations. The organization conducting the inspection/assessment obtains and examines the TEMPEST countermeasures review and inspects the information system to ensure those countermeasures have been implemented. The organization being inspected/assessed will obtain a TEMPEST countermeasure review and implement the required countermeasures in order to protect the information system from information leakage due to electromagnetic signals emanations. Information Leakage PE-19 PE-19.1 Information leakage is the intentional or unintentional release of information to an untrusted environment from electromagnetic signals emanations. Security categories or classifications of information systems (with respect to confidentiality) and organizational security policies guide the selection of security controls employed to protect systems against information leakage due to electromagnetic signals emanations. The organization protects the information system from information leakage due to electromagnetic signals emanations.
CCI-000994 The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information. The organization conducting the inspection/assessment obtains and examines the TEMPEST countermeasures review and inspects the information system to ensure those countermeasures have been implemented. The organization being inspected/assessed will obtain a TEMPEST countermeasure review and implement the required countermeasures in order to protect the information system from information leakage due to electromagnetic signals emanations. Information Leakage | National Emissions / Tempest Policies And Procedures PE-19 (1) PE-19(1).1 The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.
CCI-000995 The organization develops and documents a media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. Media Protection Policy And Procedures MP-1 MP-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-defined frequency]; and 2. Media protection procedures [Assignment: organization-defined frequency].
CCI-000996 The organization disseminates to organization-defined personnel or roles a media protection policy. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures and are disseminated to all users via http://www.dtic.mil/whs/directives/corres/ins1.html. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. Media Protection Policy And Procedures MP-1 MP-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-defined frequency]; and 2. Media protection procedures [Assignment: organization-defined frequency].
CCI-000997 The organization reviews and updates the current media protection policy in accordance with organization-defined frequency. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. Media Protection Policy And Procedures MP-1 MP-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-defined frequency]; and 2. Media protection procedures [Assignment: organization-defined frequency].
CCI-000998 The organization defines a frequency for reviewing and updating the current media protection policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. Media Protection Policy And Procedures MP-1 MP-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-defined frequency]; and 2. Media protection procedures [Assignment: organization-defined frequency].
CCI-000999 The organization develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. Media Protection Policy And Procedures MP-1 MP-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-defined frequency]; and 2. Media protection procedures [Assignment: organization-defined frequency].
CCI-001000 The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the media protection policy and associated media protection controls. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures and are disseminated to all users via http://www.dtic.mil/whs/directives/corres/ins1.html. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. Media Protection Policy And Procedures MP-1 MP-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-defined frequency]; and 2. Media protection procedures [Assignment: organization-defined frequency].
CCI-001001 The organization reviews and updates the current media protection procedures in accordance with organization-defined frequency. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. DoDI 5200.01 and DoDM 5200.01 Vol. 1-4 meet the DoD requirements for media protection policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.01 and DoDM 5200.01 Vol. 1-4. Media Protection Policy And Procedures MP-1 MP-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-defined frequency]; and 2. Media protection procedures [Assignment: organization-defined frequency].
CCI-001002 The organization defines a frequency for reviewing and updating the current media protection procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually as appropriate. DoD has defined the frequency as reviewed annually as appropriate. Media Protection Policy And Procedures MP-1 MP-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-defined frequency]; and 2. Media protection procedures [Assignment: organization-defined frequency].
CCI-001003 The organization restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles. The organization conducting the inspection/assessment interviews organizational personnel with information system media protection responsibilities to ensure the organization being inspected/assessed restricts access to all types of digital and/or non-digital media containing information not cleared for public release to the personnel or roles defined in MP-2, CCI 1005. DoD has defined the types of digital and non-digital media as all types of digital and/or non-digital media containing information not cleared for public release. The organization being inspected/assessed restricts access to all types of digital and/or non-digital media containing information not cleared for public release to the personnel or roles defined in MP-2, CCI 1005. DoD has defined the types of digital and non-digital media as all types of digital and/or non-digital media containing information not cleared for public release. Media Access MP-2 MP-2.1 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2. The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
CCI-001004 The organization defines types of digital and/or non-digital media for which the organization restricts access. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the types of digital and non-digital media as all types of digital and/or non-digital media containing information not cleared for public release. DoD has defined the types of digital and non-digital media as all types of digital and/or non-digital media containing information not cleared for public release. Media Access MP-2 MP-2.2 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2. The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
CCI-001005 The organization defines the personnel or roles to which access to organization-defined types of digital and/or non-digital media is restricted. The organization conducting the inspection/assessment obtains and examines the documented personnel or roles permitted access to media to ensure the access is granted IAW DoD 5200.01-M, CTO 10-133, and CTO 08-001. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level, but personnel must be identified IAW DoD 5200.01-M, CTO 10-133, and CTO 08-001. The organization being inspected/assessed will define and document the personnel or roles permitted access to media IAW DoD 5200.01-M, CTO 10-133, and CTO 08-001. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level, but personnel must be identified IAW DoD 5200.01-M, CTO 10-133, and CTO 08-001. Media Access MP-2 MP-2.3 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2. The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
CCI-001006 The organization defines security measures for restricting access to media.
CCI-001007 The organization employs automated mechanisms to restrict access to media storage areas. The organization conducting the inspection/assessment examines the information system's environment to ensure the organization being inspected/assessed implements automated mechanisms to restrict access to media storage areas. The organization being inspected/assessed implements automated mechanisms to restrict access to media storage areas. Media Storage | Automated Restricted Access MP-4 (2) MP-4(2).1 Automated mechanisms can include, for example, keypads on the external entries to media storage areas. Related controls: AU-2, AU-9, AU-6, AU-12. The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
CCI-001008 The organization employs automated mechanisms to audit access attempts and access granted to media storage areas. The organization conducting the inspection/assessment examines the information system's environment to ensure the organization being inspected/assessed implements automated mechanisms to audit access attempts and access granted to media storage areas. The organization being inspected/assessed implements automated mechanisms to audit access attempts and access granted to media storage areas. Media Storage | Automated Restricted Access MP-4 (2) MP-4(2).2 Automated mechanisms can include, for example, keypads on the external entries to media storage areas. Related controls: AU-2, AU-9, AU-6, AU-12. The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
CCI-001009 The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.
CCI-001014 The organization physically controls and securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas. The organization conducting the inspection/assessment obtains and examines the list of all digital and non-digital media containing sensitive, controlled, and/or classified information within areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media to ensure that physical controls are in place and that it is securely stored as defined in PE-3. DoD has defined the digital and non-digital media types as all digital and non-digital media containing sensitive, controlled, and/or classified information. DoD has defined the controlled areas as areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media. The organization being inspected/assessed physically controls and securely stores all digital and non-digital media containing sensitive, controlled, and/or classified information within areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media. DoD has defined the digital and non-digital media types as all digital and non-digital media containing sensitive, controlled, and/or classified information. DoD has defined the controlled areas as areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media. Media Storage MP-4 MP-4.1 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
CCI-001015 The organization defines types of digital and/or non-digital media to physically control and securely store within organization-defined controlled areas. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the digital and non-digital media types as all digital and non-digital media containing sensitive, controlled, and/or classified information. DoD has defined the digital and non-digital media types as all digital and non-digital media containing sensitive, controlled, and/or classified information. Media Storage MP-4 MP-4.2 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
CCI-001016 The organization defines controlled areas where organization-defined types of digital and/or non-digital media are physically controlled and securely stored. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the controlled areas as areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media. DoD has defined the controlled areas as areas approved for processing or storing data IAW the sensitivity and/or classification level of the information contained on/within the media. Media Storage MP-4 MP-4.3 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
CCI-001017 The organization defines security measures for securing media storage.
CCI-001018 The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. The organization conducting the inspection/assessment obtains and examines the list of media and verifies it is being stored and protected IAW DoDM 5200.01, Vol. 1-4. The organization being inspected/assessed protects information system media IAW DoDM 5200.01, Vol. 1-4. Media Storage MP-4 MP-4.4 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
CCI-001019 The organization employs cryptographic mechanisms to protect information in storage.
CCI-001020 The organization protects and controls organization-defined types of information system media during transport outside of controlled areas using organization-defined security safeguards. The organization conducting the inspection/assessment obtains and examines the organization's records management policy or process to ensure appropriate protection of information according to its classification or designation during transport outside of controlled areas, IAW security measures defined in DoDM 5200.01, Vol. 1-4 and DoDD 5015.2. The organization being inspected/assessed protects and controls information system media during transport outside of controlled areas using security measures defined in DoDM 5200.01, Vol. 1-4 and DoDD 5015.2. Media Transport MP-5 MP-5.1 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel.
CCI-001021 The organization defines types of information system media protected and controlled during transport outside of controlled areas. DoD has defined the types of information system media as all digital and non-digital media containing sensitive, controlled, and/or classified information. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the types of information system media as all digital and non-digital media containing sensitive, controlled, and/or classified information. Media Transport MP-5 MP-5.2 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel.
CCI-001022 The organization defines security safeguards to be used to protect and control organization-defined types of information system media during transport outside of controlled areas. DoD has defined the security safeguards as DoDI 5200.1R and other organizationally defined security safeguards. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security safeguards as DoDI 5200.1R and other organizationally defined security safeguards. Media Transport MP-5 MP-5.3 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel.
CCI-001023 The organization maintains accountability for information system media during transport outside of controlled areas. The organization conducting the inspection/assessment obtains and examines the list of organization-defined security measures (MP-2) to ensure a method of accountability for information system media during transport outside of controlled areas has been identified. The organization being inspected/assessed ensures the organization-defined security measures (MP-2) include a method of accountability for information system media during transport outside of controlled areas, IAW DoDM 5200.01, Vol. 1-4 and DoDD 5015.2. Media Transport MP-5 MP-5.4 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel.
CCI-001024 The organization restricts the activities associated with the transport of information system media to authorized personnel. The organization conducting the inspection/assessment obtains and examines the list of personnel authorized to transport information system media outside of controlled areas. Organizational personnel with information system media transport responsibilities and security management personnel are to be interviewed. The purpose of the reviews and interviews is to determine if the organization has restricted the activities associated with the transport of information system media to authorized personnel only. The organization being inspected/assessed ensures the organization-defined security measures (MP-2) include a requirement to develop and maintain a list of personnel authorized to transport information system media outside of controlled areas, IAW DoDM 5200.01 M Vol. 1-4 and DoDD 5015.2. Develop and maintain the list of personnel authorized to transport information system media outside of controlled areas. Media Transport MP-5 MP-5.6 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. 
Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel.
CCI-001025 The organization documents activities associated with the transport of information system media. The organization conducting the inspection/assessment obtains and examines the documented activities to ensure the organization being inspected/assessed documents activities associated with the transport of information system media. The organization being inspected/assessed documents activities associated with the transport of information system media. Media Transport MP-5 MP-5.5 Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). 
Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel.
CCI-001026 The organization employs an identified custodian during transport of information system media outside of controlled areas. The organization conducting the inspection/assessment obtains and examines documentation identifying the custodian that is at all times responsible for the transport of all information system media, from pick-up to final delivery and receipt acknowledgement. The organization being inspected/assessed identifies and documents a custodian that is at all times responsible for the transport of all information system media, from pick-up to final delivery and receipt acknowledgement. Media Transport | Custodians MP-5 (3) MP-5(3).1 Identified custodians provide organizations with specific points of contact during the media transport process and facilitate individual accountability. Custodial responsibilities can be transferred from one individual to another as long as an unambiguous custodian is identified at all times. The organization employs an identified custodian during transport of information system media outside of controlled areas.
CCI-001027 The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. The organization conducting the inspection/assessment obtains and examines the Security Plan to ensure the organization being inspected has identified FIPS 140-2 validated or NSA-approved cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. The organization being inspected/assessed shall document within their Security Plan, and implement, FIPS 140-2 validated or NSA-approved cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. Media Transport | Cryptographic Protection MP-5 (4) MP-5(4).1 This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Related control: MP-2. The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
CCI-001028 The organization sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies. The organization conducting the inspection/assessment obtains and examines media sanitization records, audit records, any other relevant documents or records, and sanitization tools to ensure sanitization is in compliance with DoDM 5200.01 Vol. 1-4 and uses techniques and procedures IAW NIST SP 800-88. The objective of the review is to verify the organization is sanitizing its digital and non-digital information system media prior to disposal, release for reuse, or release out of organizational control. DoD has defined the sanitization techniques as techniques and procedures IAW NIST SP 800-88. DoD has defined the information system media as all media. The organization being inspected/assessed sanitizes all media prior to disposal, release out of organizational control, or release for reuse IAW DoDM 5200.01 Vol. 1-4 using techniques and procedures IAW NIST SP 800-88. DoD has defined the sanitization techniques as techniques and procedures IAW NIST SP 800-88. DoD has defined the information system media as all media. Media Sanitization MP-6 MP-6.1 This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. 
Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information. Related controls: MA-2, MA-4, RA-3, SC-4. The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
CCI-001029 The organization tracks, documents, and verifies media sanitization and disposal actions.
CCI-001030 The organization tests sanitization equipment and procedures in accordance with the organization-defined frequency to verify that the intended sanitization is being achieved. The organization conducting the inspection/assessment obtains and examines documented test plans and evidence of past tests to ensure that tests are conducted every 180 days to verify correct performance of sanitization equipment and procedures. DoD has defined the frequency as every 180 days. The organization being inspected/assessed shall document test plans and test their sanitization equipment and procedures every 180 days to verify correct performance. DoD has defined the frequency as every 180 days. Media Sanitization | Equipment Testing MP-6 (2) MP-6(2).1 Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers). The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved.
CCI-001031 The organization defines a frequency for testing sanitization equipment and procedures to verify that the intended sanitization is being achieved. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 180 days. DoD has defined the frequency as every 180 days. Media Sanitization | Equipment Testing MP-6 (2) MP-6(2).2 Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers). The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved.
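MP-6 requires that sanitization actually removes the information, and MP-6(2) requires periodic tests proving the equipment and procedures still achieve that. The script below is an added example, not part of the CCI list or any DoD or NIST tool, showing the read-back verification step a test plan for those controls would exercise: it constructs a fake device image containing recognizable content, overwrites it with a single-pass clear, then verifies either every sector (full read-back) or a pseudo-random sample of sectors, and produces a record suitable for the sanitization log. The sector size, clear pattern, sample fraction and the defective sanitizer that silently skips sectors are all constructed assumptions for the demonstration.

```python
"""Added example (not from the CCI list): verify that a clear-by-overwrite
sanitization took effect, and model the defective-equipment case that
MP-6(2) testing is meant to catch."""
import hashlib
import random

SECTOR_SIZE = 512        # assumed sector size for the constructed image
CLEAR_PATTERN = b"\x00"  # assumed single-byte overwrite pattern


def build_image(num_sectors, seed=1):
    """Construct a fake device image with recognizable, non-zero content."""
    rng = random.Random(seed)
    image = bytearray()
    for i in range(num_sectors):
        header = f"SECTOR-{i:06d} CUI payload ".encode()
        filler = bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE - len(header)))
        image += header + filler
    return image


def overwrite_clear(image, skip_every=0):
    """Single-pass overwrite of every sector. skip_every > 0 models a
    defective sanitizer that leaves every n-th sector untouched without
    reporting an error (assumed failure mode for the demonstration)."""
    for s in range(len(image) // SECTOR_SIZE):
        if skip_every and s % skip_every == 0:
            continue
        image[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE] = CLEAR_PATTERN * SECTOR_SIZE


def _sector(image, s):
    return bytes(image[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE])


def verify_full(image):
    """Full verification: read back every sector, return those still differing
    from the clear pattern (empty list means the clear succeeded)."""
    expected = CLEAR_PATTERN * SECTOR_SIZE
    return [s for s in range(len(image) // SECTOR_SIZE) if _sector(image, s) != expected]


def verify_sampled(image, fraction, seed=0):
    """Representative sampling: read back a pseudo-random subset of sectors.
    Cheaper than a full read-back, but can miss residual data, so the sample
    must be large enough relative to the failure mode being tested."""
    n = len(image) // SECTOR_SIZE
    k = max(1, int(n * fraction))
    chosen = sorted(random.Random(seed).sample(range(n), k))
    expected = CLEAR_PATTERN * SECTOR_SIZE
    return [s for s in chosen if _sector(image, s) != expected]


def sanitization_record(media_id, image, full=True, fraction=0.2):
    """Build the evidence entry a sanitization log would keep: what was
    checked, how, what residual data was found, and a digest of the
    post-sanitization image for later re-verification."""
    residual = verify_full(image) if full else verify_sampled(image, fraction)
    return {
        "media_id": media_id,
        "sectors": len(image) // SECTOR_SIZE,
        "method": "full read-back" if full else f"sampled {fraction:.0%}",
        "residual_sectors": len(residual),
        "first_residual": residual[:5],
        "post_sanitization_sha256": hashlib.sha256(bytes(image)).hexdigest(),
        "verified": not residual,
    }


if __name__ == "__main__":
    good = build_image(1000)
    overwrite_clear(good)
    print(sanitization_record("USB-0001", good))            # verified: True
    bad = build_image(1000)
    overwrite_clear(bad, skip_every=4)                       # defective equipment
    print(sanitization_record("USB-0002", bad))             # verified: False
    print(sanitization_record("USB-0002", bad, full=False))  # sampling also catches it here
```

The full read-back is the only check that proves every sector was cleared; sampling is a cost trade-off and the sample fraction should be chosen against the failure modes the test plan is meant to detect. On real hardware the same logic would read the block device rather than an in-memory image, and cryptographic erase or purge techniques need a different verification (confirming the key is gone, or the vendor command reported success and the media reads back as unrecoverable), which this example does not cover.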
CCI-001032 The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system in accordance with organization-defined circumstances requiring sanitization of portable storage devices. The organization conducting the inspection/assessment obtains and examines media sanitization records, audit records, and any other relevant documents or records. The objective of the reviews is to confirm the organization is in compliance with the list of defined circumstances requiring the sanitization of portable storage devices prior to connecting such devices to the information system. The organization being inspected/assessed documents and implements plans to apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system when such devices are first purchased from the manufacturer or vendor prior to initial use, when being considered for reuse, or when the organization loses a positive chain of custody for the device. Media obtained from unknown sources shall not be sanitized and reused. Portable storage devices include but are not limited to thumb drives, flash drives, and external storage devices. DoD has defined the circumstances as when such devices are first purchased from the manufacturer or vendor prior to initial use, when being considered for reuse, or when the organization loses a positive chain of custody for the device. Media obtained from unknown sources shall not be sanitized and reused. Media Sanitization | Nondestructive Techniques MP-6 (3) MP-6(3).1 This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. 
Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices. Related control: SI-3. The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
CCI-001033 The organization defines circumstances requiring sanitization of portable storage devices prior to connecting such devices to the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the circumstances as when such devices are first purchased from the manufacturer or vendor prior to initial use, when being considered for reuse, or when the organization loses a positive chain of custody for the device. Media obtained from unknown sources shall not be sanitized and reused. DoD has defined the circumstances as when such devices are first purchased from the manufacturer or vendor prior to initial use, when being considered for reuse, or when the organization loses a positive chain of custody for the device. Media obtained from unknown sources shall not be sanitized and reused. Media Sanitization | Nondestructive Techniques MP-6 (3) MP-6(3).2 This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices. Related control: SI-3. 
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
CCI-001034 The organization sanitizes information system media containing Controlled Unclassified Information (CUI) or other sensitive information in accordance with applicable organizational and/or federal standards and policies.
CCI-001035 The organization sanitizes information system media containing classified information in accordance with NSA standards and policies.
CCI-001036 The organization destroys information system media that cannot be sanitized.
CCI-001037 The organization develops and documents a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. Risk Assessment Policy And Procedures RA-1 RA-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. 
Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-defined frequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency].
CCI-001038 The organization disseminates a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to organization-defined personnel or roles. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures and is disseminated via the NIST publications site: http://csrc.nist.gov/publications/PubsSPs.html DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. Risk Assessment Policy And Procedures RA-1 RA-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. 
A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-defined frequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency].
CCI-001039 The organization reviews and updates the current risk assessment policy in accordance with organization-defined frequency. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. Risk Assessment Policy And Procedures RA-1 RA-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b. 
Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-defined frequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency].
CCI-001040 The organization defines the frequency with which to review and update the current risk assessment policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. Risk Assessment Policy And Procedures RA-1 RA-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-defined frequency]; and 2. 
Risk assessment procedures [Assignment: organization-defined frequency].
CCI-001041 The organization develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. Risk Assessment Policy And Procedures RA-1 RA-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. 
Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-defined frequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency].
CCI-001042 The organization disseminates risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls to organization-defined personnel or roles. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures and is disseminated via the NIST publications site: http://csrc.nist.gov/publications/PubsSPs.html DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. Risk Assessment Policy And Procedures RA-1 RA-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. 
A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-defined frequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency].
CCI-001043 The organization reviews and updates the current risk assessment procedures in accordance with organization-defined frequency. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. NIST SP 800-30 meets the DoD requirements for risk assessment policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. Risk Assessment Policy And Procedures RA-1 RA-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-defined frequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency].
CCI-001044 The organization defines the frequency with which to review and update the current risk assessment procedures. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. DoD has defined the frequency as annually - updated as appropriate. DoD Components are automatically compliant with this CCI because they are covered by DoDI 8510.01, which adopts NIST SP 800-30 as the DoD risk assessment policy. Risk Assessment Policy And Procedures RA-1 RA-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-defined frequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency].
CCI-001045 The organization categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed categorizes information and the information system in accordance with CNSSI 1253 and applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The organization being inspected/assessed documents and implements a process to categorize information and the information system in accordance with CNSSI 1253 and applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Security Categorization RA-2 RA-2.1 Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
CCI-001046 The organization documents the security categorization results (including supporting rationale) in the security plan for the information system. The organization conducting the inspection/assessment obtains and examines the documented security categorization results to ensure the organization being inspected/assessed documents the security categorization results (including supporting rationale) in the security plan for the information system IAW CNSSI 1253. The organization being inspected/assessed documents the security categorization results (including supporting rationale) in the security plan for the information system IAW CNSSI 1253. Security Categorization RA-2 RA-2.2 Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
CCI-001047 The organization ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. The organization being inspected/assessed documents and implements a process IAW CNSSI 1253 to ensure the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Security Categorization RA-2 RA-2.3 Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
CCI-001074 The organization develops a system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for developing a system and communications protection policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for developing a system and communications protection policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. System And Communications Protection Policy And Procedures SC-1 SC-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and b. Reviews and updates the current: 1. System and communications protection policy [Assignment: organization-defined frequency]; and 2. System and communications protection procedures [Assignment: organization-defined frequency].
CCI-001075 The organization disseminates to organization-defined personnel or roles the system and communications protection policy. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for disseminating the system and communications protection policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for disseminating the system and communications protection policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. System And Communications Protection Policy And Procedures SC-1 SC-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and b. Reviews and updates the current: 1. System and communications protection policy [Assignment: organization-defined frequency]; and 2. System and communications protection procedures [Assignment: organization-defined frequency].
CCI-001076 The organization reviews and updates the system and communications protection policy in accordance with organization-defined frequency. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for reviewing and updating the system and communications protection policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for reviewing and updating the system and communications protection policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. System And Communications Protection Policy And Procedures SC-1 SC-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and b. Reviews and updates the current: 1. System and communications protection policy [Assignment: organization-defined frequency]; and 2. System and communications protection procedures [Assignment: organization-defined frequency].
CCI-001077 The organization defines the frequency for reviewing and updating the system and communications protection policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 5 years. DoD has defined the frequency as every 5 years. System And Communications Protection Policy And Procedures SC-1 SC-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and b. Reviews and updates the current: 1. System and communications protection policy [Assignment: organization-defined frequency]; and 2. System and communications protection procedures [Assignment: organization-defined frequency].
CCI-001078 The organization develops system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for developing system and communications protection procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for developing system and communications protection procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. System And Communications Protection Policy And Procedures SC-1 SC-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and b. Reviews and updates the current: 1. System and communications protection policy [Assignment: organization-defined frequency]; and 2. System and communications protection procedures [Assignment: organization-defined frequency].
CCI-001079 The organization disseminates to organization-defined personnel or roles the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for disseminating the procedures to facilitate the implementation of the system and communications protection policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for disseminating the procedures to facilitate the implementation of the system and communications protection policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. System And Communications Protection Policy And Procedures SC-1 SC-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and b. Reviews and updates the current: 1. System and communications protection policy [Assignment: organization-defined frequency]; and 2. System and communications protection procedures [Assignment: organization-defined frequency].
CCI-001080 The organization reviews and updates the system and communications protection procedures in accordance with organization-defined frequency. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for reviewing and updating the system and communications protection procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. DoDI 8523.01 "Communications Security (COMSEC)" meets the DoD requirement for reviewing and updating the system and communications protection procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8523.01. System And Communications Protection Policy And Procedures SC-1 SC-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and b. Reviews and updates the current: 1. System and communications protection policy [Assignment: organization-defined frequency]; and 2. System and communications protection procedures [Assignment: organization-defined frequency].
CCI-001081 The organization defines the frequency of system and communications protection procedure reviews and updates. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. System And Communications Protection Policy And Procedures SC-1 SC-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and b. Reviews and updates the current: 1. System and communications protection policy [Assignment: organization-defined frequency]; and 2. System and communications protection procedures [Assignment: organization-defined frequency].
CCI-001082 The information system separates user functionality (including user interface services) from information system management functionality. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to separate user functionality (including user interface services) from information system management functionality. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1082. The organization being inspected/assessed configures the information system to separate user functionality (including user interface services) from information system management functionality. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1082. Application Partitioning SC-2 SC-2.1 Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3. The information system separates user functionality (including user interface services) from information system management functionality.
CCI-001083 The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent the presentation of information system management-related functionality at an interface for non-privileged users. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1083. The organization being inspected/assessed configures the information system to prevent the presentation of information system management-related functionality at an interface for non-privileged users. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1083. Application Partitioning | Interfaces For Non-Privileged Users SC-2 (1) SC-2(1).1 This control enhancement ensures that administration options (e.g., administrator privileges) are not available to general users (including prohibiting the use of the grey-out option commonly used to eliminate accessibility to such information). Such restrictions include, for example, not presenting administration options until users establish sessions with administrator privileges. Related control: AC-3. The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
CCI-001090 The information system prevents unauthorized and unintended information transfer via shared system resources. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent unauthorized and unintended information transfer via shared system resources. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1090. The organization being inspected/assessed configures the information system to prevent unauthorized and unintended information transfer via shared system resources. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1090. Information In Shared Resources SC-4 SC-4.1 This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles. Related controls: AC-3, AC-4, MP-6. The information system prevents unauthorized and unintended information transfer via shared system resources.
CCI-001091 The information system does not share resources that are used to interface with systems operating at different security levels.
CCI-001092 The information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.
CCI-001093 The organization defines the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system. The organization conducting the inspection/assessment obtains and examines the documented types of denial of service attacks to ensure the organization being inspected/assessed defines the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system. DoD has determined the types of denial of service attacks are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system. DoD has determined the types of denial of service attacks are not appropriate to define at the Enterprise level. Denial Of Service Protection SC-5 SC-5.1 A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7. The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
CCI-001094 The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to restrict the ability of individuals to launch denial of service attacks defined in SC-5 (1), CCI 2387 against other information systems. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1094. The organization being inspected/assessed configures the information system to restrict the ability of individuals to launch denial of service attacks defined in SC-5 (1), CCI 2387 against other information systems. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1094. Denial Of Service Protection | Restrict Internal Users SC-5 (1) SC-5(1).1 Restricting the ability of individuals to launch denial of service attacks requires that the mechanisms used for such attacks are unavailable. Individuals of concern can include, for example, hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyber attacks on third parties. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., network, wireless spectrum). Organizations can also limit the ability of individuals to use excessive information system resources. Protection against individuals having the ability to launch denial of service attacks may be implemented on specific information systems or on boundary devices prohibiting egress to potential target systems. The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems.
CCI-001095 The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1095. The organization being inspected/assessed configures the information system to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1095. Denial Of Service Protection | Excess Capacity / Bandwidth / Redundancy SC-5 (2) SC-5(2).1 Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.
CCI-001096 The information system limits the use of resources by priority.
CCI-001127 The information system protects the integrity of transmitted information.
CCI-001128 The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
CCI-001129 The information system maintains the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
CCI-001130 The information system protects the confidentiality of transmitted information.
CCI-001131 The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.
CCI-001132 The information system maintains the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.
CCI-001133 The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to terminate the network connection associated with a communications session at the end of the session or after 10 minutes for in-band management and 15 minutes for user sessions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1133. DoD has defined the time period as 10 minutes for in-band management and 15 minutes for user sessions. The organization being inspected/assessed configures the information system to terminate the network connection associated with a communications session at the end of the session or after 10 minutes for in-band management and 15 minutes for user sessions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1133. DoD has defined the time period as 10 minutes for in-band management and 15 minutes for user sessions. Network Disconnect SC-10 SC-10.1 This control applies to both internal and external networks. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses. The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
CCI-001134 The organization defines the time period of inactivity after which the information system terminates a network connection associated with a communications session. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 10 minutes for in-band management and 15 minutes for user sessions. DoD has defined the time period as 10 minutes for in-band management and 15 minutes for user sessions. Network Disconnect SC-10 SC-10.2 This control applies to both internal and external networks. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses. The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
CCI-001137 The organization establishes cryptographic keys for required cryptography employed within the information system.
CCI-001138 The organization manages cryptographic keys for required cryptography employed within the information system.
CCI-001139 The organization maintains availability of information in the event of the loss of cryptographic keys by users. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed maintains availability of information in the event of the loss of cryptographic keys by users. The organization being inspected/assessed documents and implements a process to maintain availability of information in the event of the loss of cryptographic keys by users. Cryptographic Key Establishment And Management | Availability SC-12 (1) SC-12(1).1 Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase). The organization maintains availability of information in the event of the loss of cryptographic keys by users.
CCI-001140 The organization produces, controls, and distributes symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes.
CCI-001141 The organization produces, controls, and distributes symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
CCI-001142 The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
CCI-001143 The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
CCI-001144 The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
CCI-001145 The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information.
CCI-001146 The organization employs NSA-approved cryptography to protect classified information.
CCI-001147 The organization employs, at a minimum, FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
CCI-001149 The information system protects the integrity and availability of publicly available information and applications.
CCI-001150 The information system prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit remote activation of collaborative computing devices excluding dedicated VTC suites located in approved VTC locations that are centrally managed. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1150. DoD has defined the exceptions as dedicated VTC suites located in approved VTC locations that are centrally managed. The organization being inspected/assessed configures the information system to prohibit remote activation of collaborative computing devices excluding dedicated VTC suites located in approved VTC locations that are centrally managed. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1150. DoD has defined the exceptions as dedicated VTC suites located in approved VTC locations that are centrally managed. Collaborative Computing Devices SC-15 SC-15.1 Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21. The information system: a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b. Provides an explicit indication of use to users physically present at the devices.
CCI-001151 The organization defines exceptions to the prohibition of collaborative computing devices where remote activation is to be allowed. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the exceptions as dedicated VTC suites located in approved VTC locations that are centrally managed. DoD has defined the exceptions as dedicated VTC suites located in approved VTC locations that are centrally managed. Collaborative Computing Devices SC-15 SC-15.2 Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21. The information system: a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b. Provides an explicit indication of use to users physically present at the devices.
CCI-001152 The information system provides an explicit indication of use to users physically present at collaborative computing devices. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide an explicit indication of use to users physically present at collaborative computing devices. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1152. The organization being inspected/assessed configures the information system to provide an explicit indication of use to users physically present at collaborative computing devices. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1152. Collaborative Computing Devices SC-15 SC-15.3 Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21. The information system: a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b. Provides an explicit indication of use to users physically present at the devices.
CCI-001153 The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed provides a means of physical disconnect of collaborative computing devices in a manner that supports ease of use. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1153. The organization being inspected/assessed provides a means of physical disconnect of collaborative computing devices in a manner that supports ease of use. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1153. Collaborative Computing Devices | Physical Disconnect SC-15 (1) SC-15(1).1 Failing to physically disconnect from collaborative computing devices can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants actually carry out the disconnect activity without having to go through complex and tedious procedures. The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
CCI-001154 The information system or supporting environment blocks both inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers.
CCI-001155 The organization disables or removes collaborative computing devices from organization-defined information systems or information system components in organization-defined secure work areas. The organization conducting the inspection/assessment obtains and examines the organization-defined secure work area to ensure that any device that may incorporate camera, microphone, or smart board capability has been disabled or removed. DoD has defined information systems or information system components as any device used that may incorporate camera, microphone, or smart board capability. The organization being inspected/assessed implements a process to disable or remove any device used that may incorporate camera, microphone, or smart board capability in secure work areas defined in SC-15 (3), CCI 1156. DoD has defined information systems or information system components as any device used that may incorporate camera, microphone, or smart board capability. Collaborative Computing Devices | Disabling / Removal In Secure Work Areas SC-15 (3) SC-15(3).1 Failing to disable or remove collaborative computing devices from information systems or information system components can result in subsequent compromises of organizational information including, for example, eavesdropping on conversations. The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas].
CCI-001156 The organization defines secure work areas where collaborative computing devices are to be disabled or removed. The organization conducting the inspection/assessment obtains and examines the documented secure work areas to ensure the organization being inspected/assessed defines secure work areas where collaborative computing devices are to be disabled or removed. DoD has determined the secure work areas are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents secure work areas where collaborative computing devices are to be disabled or removed. DoD has determined the secure work areas are not appropriate to define at the Enterprise level. Collaborative Computing Devices | Disabling / Removal In Secure Work Areas SC-15 (3) SC-15(3).2 Failing to disable or remove collaborative computing devices from information systems or information system components can result in subsequent compromises of organizational information including, for example, eavesdropping on conversations. The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas].
CCI-001157 The information system associates organization-defined security attributes with information exchanged between information systems. The organization conducting the inspection/assessment examines the information system to ensure it associates security attributes defined in SC-16, CCI 2454 with information exchanged between information systems. The organization being inspected/assessed implements association of security attributes defined in SC-16, CCI 2454 with information exchanged between information systems. Transmission Of Security Attributes SC-16 SC-16.1 Security attributes can be explicitly or implicitly associated with the information contained in organizational information systems or system components. Related controls: AC-3, AC-4, AC-16. The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.
CCI-001158 The information system validates the integrity of transmitted security attributes. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to validate the integrity of transmitted security attributes. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1158. The organization being inspected/assessed configures the information system to validate the integrity of transmitted security attributes. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1158. Transmission Of Security Attributes | Integrity Validation SC-16 (1) SC-16(1).1 This control enhancement ensures that the verification of the integrity of transmitted information includes security attributes. Related controls: AU-10, SC-8. The information system validates the integrity of transmitted security attributes.
CCI-001159 The organization issues public key certificates under an organization-defined certificate policy or obtains public key certificates from an approved service provider. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to issue public key certificates under DoDI 8520.02, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling" or obtains public key certificates from an approved service provider. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1159. DoD has defined the certificate policy as DoDI 8520.02, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling." The organization being inspected/assessed configures the information system to issue public key certificates under DoDI 8520.02, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling" or obtains public key certificates from an approved service provider. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1159. DoD has defined the certificate policy as DoDI 8520.02, "Public Key Infrastructure (PKI) and Public Key (PK) Enabling." Public Key Infrastructure Certificates SC-17 SC-17.1 For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services. Related control: SC-12. The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.
CCI-001180 The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
CCI-001181 The information system performs data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
CCI-001194 The information system employs organization-defined information system components with minimal functionality and information storage. The organization conducting the inspection/assessment obtains and examines the hardware list to ensure the organization being inspected/assessed employs information system components defined in SC-25, CCI 2471 with minimal functionality and information storage. The organization being inspected/assessed employs information system components defined in SC-25, CCI 2471 with minimal functionality and information storage. Thin Nodes SC-25 SC-25.1 The deployment of information system components with reduced/minimal functionality (e.g., diskless nodes and thin client technologies) reduces the need to secure every user endpoint, and may reduce the exposure of information, information systems, and services to cyber attacks. Related control: SC-30. The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage.
CCI-001195 The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. The organization conducting the inspection/assessment obtains and examines the network topology diagrams, architecture documentation, or any other documentation identifying decoy components to be attacked to ensure the organization being inspected/assessed includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. The organization being inspected/assessed designs the information system to include decoy components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. Honeypots SC-26 SC-26.1 A honeypot is set up as a decoy to attract adversaries and to deflect their attacks away from the operational systems supporting organizational missions/business function. Depending upon the specific usage of the honeypot, consultation with the Office of the General Counsel before deployment may be needed. Related controls: SC-30, SC-44, SI-3, SI-4. The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
CCI-001196 The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code. The organization conducting the inspection/assessment obtains and examines the software list to ensure the organization being inspected/assessed includes components in the information system that proactively seek to identify malicious websites and/or web-based malicious code. The organization being inspected/assessed includes components in the information system that proactively seek to identify malicious websites and/or web-based malicious code. Honeyclients SC-35 SC-35.1 Honeyclients differ from honeypots in that the components actively probe the Internet in search of malicious code (e.g., worms) contained on external websites. As with honeypots, honeyclients require some supporting isolation measures (e.g., virtualization) to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational information systems. Related controls: SC-26, SC-44, SI-3, SI-4. The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.
CCI-001197 The information system includes organization-defined platform-independent applications. The organization conducting the inspection/assessment obtains and examines the software list to ensure the organization being inspected/assessed includes platform-independent applications defined in SC-27, CCI 1198. The organization being inspected/assessed includes platform-independent applications defined in SC-27, CCI 1198. Platform-Independent Applications SC-27 SC-27.1 Platforms are combinations of hardware and software used to run software applications. Platforms include: (i) operating systems; (ii) the underlying computer architectures, or (iii) both. Platform-independent applications are applications that run on multiple platforms. Such applications promote portability and reconstitution on different platforms, increasing the availability of critical functions within organizations while information systems with specific operating systems are under attack. Related control: SC-29. The information system includes: [Assignment: organization-defined platform-independent applications].
CCI-001198 The organization defines applications that are platform independent. The organization conducting the inspection/assessment obtains and examines the documented applications to ensure the organization being inspected/assessed defines applications that are platform independent. DoD has determined the applications are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents applications that are platform independent. DoD has determined the applications are not appropriate to define at the Enterprise level. Platform-Independent Applications SC-27 SC-27.2 Platforms are combinations of hardware and software used to run software applications. Platforms include: (i) operating systems; (ii) the underlying computer architectures, or (iii) both. Platform-independent applications are applications that run on multiple platforms. Such applications promote portability and reconstitution on different platforms, increasing the availability of critical functions within organizations while information systems with specific operating systems are under attack. Related control: SC-29. The information system includes: [Assignment: organization-defined platform-independent applications].
CCI-001201 The organization employs a diverse set of information technologies for organization-defined information system components in the implementation of the information system. The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed employs a diverse set of information technologies for information system components defined in SC-29, CCI 2480 in the implementation of the information system. The organization being inspected/assessed designs the information system to employ a diverse set of information technologies for information system components defined in SC-29, CCI 2480 in the implementation of the information system. Heterogeneity SC-29 SC-29.1 Increasing the diversity of information technologies within organizational information systems reduces the impact of potential exploitations of specific technologies and also defends against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one information system component will be equally effective against other system components, thus further increasing the adversary work factor to successfully complete planned cyber attacks. An increase in diversity may add complexity and management overhead which could ultimately lead to mistakes and unauthorized configurations. Related controls: SA-12, SA-14, SC-27. The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system.
CCI-001202 The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.
CCI-001203 The organization employs virtualization techniques to support the deployment of a diversity of operating systems that are changed on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the hardware and software lists to ensure the organization being inspected/assessed employs virtualization techniques to support the deployment of a diversity of operating systems that are changed on the frequency defined in SC-29 (1), CCI 1204. The organization being inspected/assessed designs the information system to employ virtualization techniques to support the deployment of a diversity of operating systems that are changed on the frequency defined in SC-29 (1), CCI 1204. Heterogeneity | Virtualization Techniques SC-29 (1) SC-29(1).1 While frequent changes to operating systems and applications pose configuration management challenges, the changes can result in an increased work factor for adversaries in order to carry out successful cyber attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems/applications, provide virtual changes that impede attacker success while reducing configuration management efforts. In addition, virtualization techniques can assist organizations in isolating untrustworthy software and/or software of dubious provenance into confined execution environments. The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].
CCI-001204 The organization defines the frequency of changes to operating systems and applications to support a diversity of deployments. The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency of changes to operating systems and applications to support a diversity of deployments. DoD has determined the frequency is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the frequency of changes to operating systems and applications to support a diversity of deployments. DoD has determined the frequency is not appropriate to define at the Enterprise level. Heterogeneity | Virtualization Techniques SC-29 (1) SC-29(1).2 While frequent changes to operating systems and applications pose configuration management challenges, the changes can result in an increased work factor for adversaries in order to carry out successful cyber attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems/applications, provide virtual changes that impede attacker success while reducing configuration management efforts. In addition, virtualization techniques can assist organizations in isolating untrustworthy software and/or software of dubious provenance into confined execution environments. The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].
CCI-001205 The organization employs randomness in the implementation of the virtualization techniques.
CCI-001206 The organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels.
CCI-001207 The organization tests a subset of the identified covert channels to determine which channels are exploitable. The organization conducting the inspection/assessment obtains and examines the test results to ensure the organization being inspected/assessed tests a subset of the identified covert channels to determine which channels are exploitable. The organization being inspected/assessed tests a subset of the identified covert channels to determine which channels are exploitable. The organization must maintain an audit trail of testing. Covert Channel Analysis | Test Covert Channels For Exploitability SC-31 (1) SC-31(1).1 The organization tests a subset of the identified covert channels to determine which channels are exploitable.
CCI-001208 The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.
CCI-001209 The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
CCI-001210 The information system, at organization-defined information system components, loads and executes the operating environment from hardware-enforced, read-only media. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to load and execute the operating environment from hardware-enforced, read-only media at information system components defined in SC-34, CCI 1212. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1210. The organization being inspected/assessed configures the information system to load and execute the operating environment from hardware-enforced, read-only media at information system components defined in SC-34, CCI 1212. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1210. Non-Modifiable Executable Programs SC-34 SC-34.2 The term operating environment is defined as the specific code that hosts applications, for example, operating systems, executives, or monitors including virtual machine monitors (i.e., hypervisors). It can also include certain applications running directly on hardware platforms. Hardware-enforced, read-only media include, for example, Compact Disk-Recordable (CD-R)/Digital Video Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable read-only memory can be accepted as read-only media provided: (i) integrity can be adequately protected from the point of initial writing to the insertion of the memory into the information system; and (ii) there are reliable hardware protections against reprogramming the memory while installed in organizational information systems. Related controls: AC-3, SI-7. The information system at [Assignment: organization-defined information system components]: a. Loads and executes the operating environment from hardware-enforced, read-only media; and b. Loads and executes [Assignment: organization-defined applications] from hardware enforced, read-only media.
CCI-001211 The information system, at organization-defined information system components, loads and executes organization-defined applications from hardware-enforced, read-only media. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to load and execute applications defined in SC-34, CCI 1213 from hardware-enforced, read-only media at information system components defined in SC-34, CCI 1212. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1211. The organization being inspected/assessed configures the information system to load and execute applications defined in SC-34, CCI 1213 from hardware-enforced, read-only media at information system components defined in SC-34, CCI 1212. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1211. Non-Modifiable Executable Programs SC-34 SC-34.3 The term operating environment is defined as the specific code that hosts applications, for example, operating systems, executives, or monitors including virtual machine monitors (i.e., hypervisors). It can also include certain applications running directly on hardware platforms. Hardware-enforced, read-only media include, for example, Compact Disk-Recordable (CD-R)/Digital Video Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable read-only memory can be accepted as read-only media provided: (i) integrity can be adequately protected from the point of initial writing to the insertion of the memory into the information system; and (ii) there are reliable hardware protections against reprogramming the memory while installed in organizational information systems. Related controls: AC-3, SI-7. The information system at [Assignment: organization-defined information system components]: a. Loads and executes the operating environment from hardware-enforced, read-only media; and b. Loads and executes [Assignment: organization-defined applications] from hardware enforced, read-only media.
CCI-001212 The organization defines information system components on which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media. The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines information system components for which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media. DoD has determined the information system components are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents information system components for which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media. DoD has determined the information system components are not appropriate to define at the Enterprise level. Non-Modifiable Executable Programs SC-34 SC-34.1 The term operating environment is defined as the specific code that hosts applications, for example, operating systems, executives, or monitors including virtual machine monitors (i.e., hypervisors). It can also include certain applications running directly on hardware platforms. Hardware-enforced, read-only media include, for example, Compact Disk-Recordable (CD-R)/Digital Video Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable read-only memory can be accepted as read-only media provided: (i) integrity can be adequately protected from the point of initial writing to the insertion of the memory into the information system; and (ii) there are reliable hardware protections against reprogramming the memory while installed in organizational information systems. Related controls: AC-3, SI-7. The information system at [Assignment: organization-defined information system components]: a. Loads and executes the operating environment from hardware-enforced, read-only media; and b. Loads and executes [Assignment: organization-defined applications] from hardware enforced, read-only media.
CCI-001213 The organization defines applications that will be loaded and executed from hardware-enforced, read-only media. The organization conducting the inspection/assessment obtains and examines the documented applications to ensure the organization being inspected/assessed defines applications that will be loaded and executed from hardware-enforced, read-only media. DoD has determined the applications are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents applications that will be loaded and executed from hardware-enforced, read-only media. DoD has determined the applications are not appropriate to define at the Enterprise level. Non-Modifiable Executable Programs SC-34 SC-34.4 The term operating environment is defined as the specific code that hosts applications, for example, operating systems, executives, or monitors including virtual machine monitors (i.e., hypervisors). It can also include certain applications running directly on hardware platforms. Hardware-enforced, read-only media include, for example, Compact Disk-Recordable (CD-R)/Digital Video Disk-Recordable (DVD-R) disk drives and one-time programmable read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable read-only memory can be accepted as read-only media provided: (i) integrity can be adequately protected from the point of initial writing to the insertion of the memory into the information system; and (ii) there are reliable hardware protections against reprogramming the memory while installed in organizational information systems. Related controls: AC-3, SI-7. The information system at [Assignment: organization-defined information system components]: a. Loads and executes the operating environment from hardware-enforced, read-only media; and b. Loads and executes [Assignment: organization-defined applications] from hardware enforced, read-only media.
CCI-001214 The organization employs organization-defined information system components with no writeable storage that are persistent across component restart or power on/off. The organization conducting the inspection/assessment obtains and examines the hardware list to ensure the organization being inspected/assessed employs information system components defined in SC-34 (1), CCI 1215 with no writeable storage that are persistent across component restart or power on/off. The organization being inspected/assessed designs the information system to employ information system components defined in SC-34 (1), CCI 1215 with no writeable storage that are persistent across component restart or power on/off. Non-Modifiable Executable Programs | No Writable Storage SC-34 (1) SC-34(1).1 This control enhancement: (i) eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated information system components; and (ii) applies to both fixed and removable storage, with the latter being addressed directly or as specific restrictions imposed through access controls for mobile devices. Related controls: AC-19, MP-7. The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off.
CCI-001215 The organization defines the information system components to be employed with no writeable storage. The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components to be employed with no writeable storage. DoD has determined the information system components are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system components to be employed with no writeable storage. DoD has determined the information system components are not appropriate to define at the Enterprise level. Non-Modifiable Executable Programs | No Writable Storage SC-34 (1) SC-34(1).2 This control enhancement: (i) eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated information system components; and (ii) applies to both fixed and removable storage, with the latter being addressed directly or as specific restrictions imposed through access controls for mobile devices. Related controls: AC-19, MP-7. The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off.
CCI-001216 The organization protects the integrity of information prior to storage on read-only media. The organization conducting the inspection/assessment obtains and examines the documented mechanisms to ensure the organization being inspected/assessed protects the integrity of the information prior to storage on read-only media. The organization being inspected/assessed documents and implements mechanisms to protect the integrity of the information prior to storage on read-only media. Non-Modifiable Executable Programs | Integrity Protection / Read-Only Media SC-34 (2) SC-34(2).1 Security safeguards prevent the substitution of media into information systems or the reprogramming of programmable read-only media prior to installation into the systems. Security safeguards include, for example, a combination of prevention, detection, and response. Related controls: AC-5, CM-3, CM-5, CM-9, MP-2, MP-4, MP-5, SA-12, SC-28, SI-3. The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media.
CCI-001217 The organization develops and documents a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). System And Information Integrity Policy And Procedures SI-1 SI-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and b. Reviews and updates the current: 1. System and information integrity policy [Assignment: organization-defined frequency]; and 2. System and information integrity procedures [Assignment: organization-defined frequency].
CCI-001218 The organization disseminates the system and information integrity policy to organization-defined personnel or roles. Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). DoD disseminates DoDI 8510.01 via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html) that meets the DoD requirement for a system and information integrity policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). System And Information Integrity Policy And Procedures SI-1 SI-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and b. Reviews and updates the current: 1. System and information integrity policy [Assignment: organization-defined frequency]; and 2. System and information integrity procedures [Assignment: organization-defined frequency].
CCI-001219 The organization reviews and updates system and information integrity policy in accordance with organization-defined frequency. Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for a system and information integrity policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). System And Information Integrity Policy And Procedures SI-1 SI-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and b. Reviews and updates the current: 1. System and information integrity policy [Assignment: organization-defined frequency]; and 2. System and information integrity procedures [Assignment: organization-defined frequency].
CCI-001220 The organization develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls. Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for system and information integrity procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for system and information integrity procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). System And Information Integrity Policy And Procedures SI-1 SI-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and b. Reviews and updates the current: 1. System and information integrity policy [Assignment: organization-defined frequency]; and 2. System and information integrity procedures [Assignment: organization-defined frequency].
CCI-001221 The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls. Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for system and information integrity procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). DoD disseminates DoDI 8510.01 via the DoD Issuances website (http://www.dtic.mil/whs/directives/corres/dir.html), which meets the DoD requirement for a system and information integrity policy. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). System And Information Integrity Policy And Procedures SI-1 SI-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and b. Reviews and updates the current: 1. System and information integrity policy [Assignment: organization-defined frequency]; and 2. System and information integrity procedures [Assignment: organization-defined frequency].
CCI-001222 The organization reviews and updates system and information integrity procedures in accordance with organization-defined frequency. Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for system and information integrity procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). Documenting and implementing the Risk Management Framework (RMF) for DoD IT (DoDI 8510.01) meets the DoD requirement for system and information integrity procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, Risk Management Framework (RMF) for DoD IT (DoDI 8510.01). System And Information Integrity Policy And Procedures SI-1 SI-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and b. Reviews and updates the current: 1. System and information integrity policy [Assignment: organization-defined frequency]; and 2. System and information integrity procedures [Assignment: organization-defined frequency].
CCI-001223 The organization defines the frequency of system and information integrity policy reviews and updates. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10. System And Information Integrity Policy And Procedures SI-1 SI-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and b. Reviews and updates the current: 1. System and information integrity policy [Assignment: organization-defined frequency]; and 2. System and information integrity procedures [Assignment: organization-defined frequency].
CCI-001224 The organization defines the frequency of system and information integrity procedure reviews and updates. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate. DoD has defined the frequency as reviewed annually - updated as appropriate. System And Information Integrity Policy And Procedures SI-1 SI-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and b. Reviews and updates the current: 1. System and information integrity policy [Assignment: organization-defined frequency]; and 2. System and information integrity procedures [Assignment: organization-defined frequency].
CCI-001285 The organization receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis. The organization conducting the inspection/assessment obtains and examines alerts, advisories, and directives received by the organization being inspected/assessed to ensure they receive information system security alerts, advisories, and directives from at a minimum, USCYBERCOM on an ongoing basis. DoD has defined the external organizations as at a minimum, USCYBERCOM. The organization being inspected/assessed receives information system security alerts, advisories, and directives from at a minimum, USCYBERCOM on an ongoing basis. DoD has defined the external organizations as at a minimum, USCYBERCOM. Security Alerts, Advisories, And Directives SI-5 SI-5.1 The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. The organization: a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generates internal security alerts, advisories, and directives as deemed necessary; c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
CCI-001286 The organization generates internal security alerts, advisories, and directives as deemed necessary. The organization conducting the inspection/assessment obtains and examines the documented process as well as the generated internal security alerts, advisories, and directives to ensure the organization being inspected/assessed generates internal security alerts, advisories, and directives as deemed necessary. The organization being inspected/assessed documents and implements a process to generate internal security alerts, advisories, and directives as deemed necessary. Security Alerts, Advisories, And Directives SI-5 SI-5.3 The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. The organization: a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generates internal security alerts, advisories, and directives as deemed necessary; c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
CCI-001287 The organization disseminates security alerts, advisories, and directives to organization-defined personnel or roles, organization-defined elements within the organization, and/or organization-defined external organizations. The organization conducting the inspection/assessment obtains and examines any applicable artifacts showing dissemination of security alerts, advisories, and directives to ensure the organization being inspected/assessed disseminates security alerts, advisories, and directives to the ISSO and ISSM and/or external organizations defined in SI-5, CCI 2694. DoD has defined the personnel or roles as the ISSO and ISSM. The organization being inspected/assessed disseminates security alerts, advisories, and directives to the ISSO and ISSM and/or external organizations defined in SI-5, CCI 2694. DoD has defined the personnel or roles as the ISSO and ISSM. Security Alerts, Advisories, And Directives SI-5 SI-5.4 The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. The organization: a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generates internal security alerts, advisories, and directives as deemed necessary; c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
CCI-001288 The organization defines the personnel or roles to whom the organization will disseminate security alerts, advisories, and directives. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as the ISSO and ISSM. DoD has defined the personnel or roles as the ISSO and ISSM. Security Alerts, Advisories, And Directives SI-5 SI-5.5 The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. The organization: a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generates internal security alerts, advisories, and directives as deemed necessary; c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
CCI-001289 The organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. The organization conducting the inspection/assessment examines the information system and obtains and examines records of compliance and/or non-compliance reporting to ensure that security directives have been implemented in accordance with established time frames, or that the issuing organization has been notified of the degree of noncompliance. The organization being inspected/assessed implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. Security Alerts, Advisories, And Directives SI-5 SI-5.8 The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. The organization: a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generates internal security alerts, advisories, and directives as deemed necessary; c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel (identified by name and/or by role)]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
CCI-001290 The organization employs automated mechanisms to make security alert and advisory information available throughout the organization. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure the organization being inspected/assessed employs automated mechanisms to make security alert and advisory information available throughout the organization. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and implements automated mechanisms to make security alert and advisory information available throughout the organization. Security Alerts, Advisories, And Directives | Automated Alerts And Advisories SI-5 (1) SI-5(1).1 The significant number of changes to organizational information systems and the environments in which those systems operate requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on the information provided by the security alerts and advisories, changes may be required at one or more of the three tiers related to the management of information security risk including the governance level, mission/business process/enterprise architecture level, and the information system level. The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.
CCI-001297 The information system detects unauthorized changes to software and information.
CCI-001298 The organization reassesses the integrity of software and information by performing, on an organization-defined frequency, integrity scans of the information system.
CCI-001299 The organization defines the frequency of integrity scans to be performed on the information system.
CCI-001300 The organization employs automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated tools to ensure the organization being inspected/assessed employs automated tools that provide notification to at a minimum, the ISSO and ISSM upon discovering discrepancies during integrity verification. The organization being inspected/assessed may be required to demonstrate use of their identified automated tools. DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. The organization being inspected/assessed documents and implements automated tools that provide notification to at a minimum, the ISSO and ISSM upon discovering discrepancies during integrity verification. DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations SI-7 (2) SI-7(2).1 The use of automated tools to report integrity violations and to notify organizational personnel in a timely manner is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers. The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
CCI-001301 The organization employs centrally managed integrity verification tools. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified centrally managed integrity verification tools to ensure the organization being inspected/assessed employs centrally managed integrity verification tools. The organization being inspected/assessed may be required to demonstrate use of their identified integrity verification tools. The organization being inspected/assessed documents and implements centrally managed integrity verification tools. Software, Firmware, And Information Integrity | Centrally-Managed Integrity Tools SI-7 (3) SI-7(3).1 Related controls: AU-3, SI-2, SI-8. The organization employs centrally managed integrity verification tools.
CCI-001302 The organization requires use of tamper-evident packaging for organization-defined information system components during organization-defined conditions.
CCI-001303 The organization defines information system components that require tamper-evident packaging.
CCI-001304 The organization defines conditions (i.e., transportation from vendor to operational site, during operation, both) under which tamper-evident packaging must be used for organization-defined information system components.
CCI-001309 The organization restricts the capability to input information to the information system to authorized personnel.
CCI-001310 The information system checks the validity of organization-defined inputs. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to check the validity of all inputs except those identified specifically by the organization. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1310. DoD has defined the information inputs as all inputs except those identified specifically by the organization. The organization being inspected/assessed configures the information system to check the validity of all inputs except those identified specifically by the organization. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1310. DoD has defined the information inputs as all inputs except those identified specifically by the organization. Information Input Validation SI-10 SI-10.1 Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks. The information system checks the validity of [Assignment: organization-defined information inputs].
CCI-001311 The information system identifies potentially security-relevant error conditions.
CCI-001312 The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1312. The organization being inspected/assessed configures the information system to generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1312. Error Handling SI-11 SI-11.1 Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information. Related controls: AU-2, AU-3, SC-31. The information system: a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and b. Reveals error messages only to [Assignment: organization-defined personnel or roles].
CCI-001313 The organization defines sensitive or potentially harmful information that should not be contained in error logs and administrative messages.
CCI-001314 The information system reveals error messages only to organization-defined personnel or roles. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to reveal error messages only to the ISSO, ISSM, and SCA. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1314. DoD has defined the personnel or roles as the ISSO, ISSM, and SCA. The organization being inspected/assessed configures the information system to reveal error messages only to the ISSO, ISSM, and SCA. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1314. DoD has defined the personnel or roles as the ISSO, ISSM, and SCA. Error Handling SI-11 SI-11.2 Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information. Related controls: AU-2, AU-3, SC-31. The information system: a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and b. Reveals error messages only to [Assignment: organization-defined personnel or roles].
CCI-001462 The information system provides the capability for authorized users to capture/record and log content related to a user session. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for authorized users to capture/record and log content related to a user session. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1462. The organization being inspected/assessed configures the information system to provide the capability for authorized users to capture/record and log content related to a user session. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1462. Session Audit | Capture/Record And Log Content AU-14 (2) AU-14(2).1 The information system provides the capability for authorized users to capture/record and log content related to a user session.
CCI-001463 The information system provides the capability to remotely view/hear all content related to an established user session in real time.
CCI-001464 The information system initiates session audits at system start-up. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to initiate session audits at system start-up. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1464. The organization being inspected/assessed configures the information system to initiate session audits at system start-up. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1464. Session Audit | System Start-Up AU-14 (1) AU-14(1).1 The information system initiates session audits at system start-up.
CCI-001473 The organization designates individuals authorized to post information onto a publicly accessible information system. The organization conducting the inspection/assessment obtains and examines the list of individuals to ensure the organization being inspected/assessed designates individuals authorized to post information onto a publicly accessible information system. The organization being inspected/assessed identifies and documents individuals authorized to post information onto a publicly accessible information system. Publicly Accessible Content AC-22 AC-22.1 In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
CCI-001474 The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of the training conducted to ensure the organization being inspected/assessed trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information. The organization being inspected/assessed documents and implements a process to train authorized individuals to ensure that publicly accessible information does not contain nonpublic information. The organization must maintain an audit trail of the training conducted. Publicly Accessible Content AC-22 AC-22.2 In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
CCI-001475 The organization reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included. The organization conducting the inspection/assessment obtains and examines The organization being inspected/assessed Publicly Accessible Content AC-22 AC-22.3 In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
CCI-001476 The organization reviews the content on the publicly accessible information system for nonpublic information on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reviews to ensure the organization being inspected/assessed reviews the content on the publicly accessible information system for nonpublic information on an organization-defined frequency. The organization being inspected/assessed documents and implements a process to review the content on the publicly accessible information system for nonpublic information on an organization-defined frequency. The organization must maintain an audit trail of reviews. Publicly Accessible Content AC-22 AC-22.4 In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
CCI-001477 The organization defines a frequency for reviewing the content on the publicly accessible information system for nonpublic information. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 90 days or as new information is posted. DoD has defined the frequency as every 90 days or as new information is posted. Publicly Accessible Content AC-22 AC-22.5 In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
CCI-001478 The organization removes nonpublic information from the publicly accessible information system, if discovered. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed removes nonpublic information from the publicly accessible information system, if discovered. The organization being inspected/assessed documents and implements a process to remove nonpublic information from the publicly accessible information system, if discovered. Publicly Accessible Content AC-22 AC-22.6 In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
CCI-001504 The organization develops and documents a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. Personnel Security Policy And Procedures PS-1 PS-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and b. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-defined frequency]; and 2. Personnel security procedures [Assignment: organization-defined frequency].
CCI-001505 The organization disseminates a personnel security policy to organization-defined personnel or roles. DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. DoD disseminates DoD 5200.2-R via the DoD Issuance site: http://www.dtic.mil/whs/directives/corres/pub1.html to meet the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. Personnel Security Policy And Procedures PS-1 PS-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and b. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-defined frequency]; and 2. Personnel security procedures [Assignment: organization-defined frequency].
CCI-001506 The organization reviews and updates the current personnel security policy in accordance with organization-defined frequency. DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. Personnel Security Policy And Procedures PS-1 PS-1.7 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and b. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-defined frequency]; and 2. Personnel security procedures [Assignment: organization-defined frequency].
CCI-001507 The organization defines the frequency with which to review and update the current personnel security policy. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. DoD has defined the frequency as reviewed annually - updated as appropriate but at least within 10 years of date of issuance. Personnel Security Policy And Procedures PS-1 PS-1.8 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and b. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-defined frequency]; and 2. Personnel security procedures [Assignment: organization-defined frequency].
CCI-001508 The organization defines the frequency with which to review and update the current personnel security procedures. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate. DoD has defined the frequency as reviewed annually - updated as appropriate. Personnel Security Policy And Procedures PS-1 PS-1.10 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and b. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-defined frequency]; and 2. Personnel security procedures [Assignment: organization-defined frequency].
CCI-001509 The organization develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. Personnel Security Policy And Procedures PS-1 PS-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and b. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-defined frequency]; and 2. Personnel security procedures [Assignment: organization-defined frequency].
CCI-001510 The organization disseminates personnel security procedures to organization-defined personnel or roles. DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. DoD disseminates DoD 5200.2-R via the DoD Issuance site: http://www.dtic.mil/whs/directives/corres/pub1.html to meet the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. Personnel Security Policy And Procedures PS-1 PS-1.5 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and b. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-defined frequency]; and 2. Personnel security procedures [Assignment: organization-defined frequency].
CCI-001511 The organization reviews and updates the current personnel security procedures in accordance with organization-defined frequency. DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. DoD 5200.2-R meets the DoD requirements for personnel security policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD 5200.2-R. Personnel Security Policy And Procedures PS-1 PS-1.9 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and b. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-defined frequency]; and 2. Personnel security procedures [Assignment: organization-defined frequency].
CCI-001512 The organization assigns a risk designation to all organizational positions. The organization conducting the inspection/assessment obtains and examines documentation of the ADP/IT level designations. The organization being inspected/assessed will designate and document all organizational positions, to include government and contract positions, with the appropriate ADP/IT level designation, IAW DoD 5200.2-R. Position Risk Designation PS-2 PS-2.1 Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3. The organization: a. Assigns a risk designation to all organizational positions; b. Establishes screening criteria for individuals filling those positions; and c. Reviews and updates position risk designations [Assignment: organization-defined frequency].
CCI-001513 The organization establishes screening criteria for individuals filling organizational positions. DoD 5200.2-R meets the DoD requirements for establishing screening criteria for individuals filling organizational positions. DoD organizations are automatically compliant with this CCI as they are covered at the DoD level by DoD 5200.2-R. DoD 5200.2-R meets the DoD requirements for establishing screening criteria for individuals filling organizational positions. DoD organizations are automatically compliant with this CCI as they are covered at the DoD level by DoD 5200.2-R. Position Risk Designation PS-2 PS-2.2 Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3. The organization: a. Assigns a risk designation to all organizational positions; b. Establishes screening criteria for individuals filling those positions; and c. Reviews and updates position risk designations [Assignment: organization-defined frequency].
CCI-001514 The organization reviews and updates position risk designations in accordance with organization-defined frequency. The organization conducting the inspection/assessment reviews the audit records of the position designation reviews to ensure reviews are done annually. DoD has defined the frequency as annually. The organization being inspected/assessed reviews position risk designations annually and revises designations as required based on the reviews. Records of these reviews must be maintained as an audit trail. DoD has defined the frequency as annually. Position Risk Designation PS-2 PS-2.3 Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3. The organization: a. Assigns a risk designation to all organizational positions; b. Establishes screening criteria for individuals filling those positions; and c. Reviews and updates position risk designations [Assignment: organization-defined frequency].
CCI-001515 The organization defines the frequency with which to review and update position risk designations. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Position Risk Designation PS-2 PS-2.4 Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3. The organization: a. Assigns a risk designation to all organizational positions; b. Establishes screening criteria for individuals filling those positions; and c. Reviews and updates position risk designations [Assignment: organization-defined frequency].
CCI-001516 The organization screens individuals prior to authorizing access to the information system. The organization conducting the inspection/assessment obtains and examines the information system access list (AC-2) and compares a sampling of authorized users to manning documents (PS-2) to ensure access was granted appropriately IAW ADP/IT level designation requirements within DoD 5200.2-R. The organization being inspected/assessed will screen all government and contract personnel to ensure they meet the appropriate ADP/IT level designation requirements IAW DoD 5200.2-R prior to authorizing access to the information system. Personnel Screening PS-3 PS-3.1 Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
CCI-001517 The organization rescreens individuals with authorized access to the information system according to organization-defined conditions requiring rescreening, and where rescreening is so indicated, on the organization-defined frequency of such rescreening. The organization conducting the inspection/assessment obtains and examines audit records of rescreening actions to ensure the system owner is rescreening individuals according to a system owner-defined list of conditions requiring rescreening and, where rescreening is so indicated, based on the system owner-defined frequency of such rescreening. The information system owner will rescreen individuals for access to the information system according to the system owner-defined list of conditions requiring rescreening (CCI-001518) and the system owner-defined frequency (CCI-001519) of such rescreening. Rescreening actions will be maintained as an audit trail (AU-2). Personnel Screening PS-3 PS-3.2 Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
CCI-001518 The organization defines the conditions requiring rescreening of individuals with authorized access to the information system. The organization conducting the inspection/assessment obtains and examines the documentation of conditions requiring rescreening of individuals for access to the information system. DoD has determined the list of conditions is not appropriate to define at the Enterprise level. The information system owner will develop and document the list of conditions requiring rescreening of individuals for access to the information system. DoD has determined the list of conditions is not appropriate to define at the Enterprise level. Personnel Screening PS-3 PS-3.3 Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
CCI-001519 The organization defines the frequency for rescreening individuals with authorized access to the information system when organization-defined conditions requiring rescreening are met. The organization conducting the inspection/assessment obtains and examines the documentation defining the required frequency for rescreening individuals for access to the system. DoD has determined the frequency is not appropriate to define at the Enterprise level. The information system owner will define and document the required frequency of rescreening for access to the information system. DoD has determined the frequency is not appropriate to define at the Enterprise level. Personnel Screening PS-3 PS-3.4 Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
CCI-001520 The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. The organization conducting the inspection/assessment obtains and examines security clearance data for all individuals using the classified information system and the system account list (AC-2) and compares lists to ensure all personnel accessing the system are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. The organization being inspected/assessed ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. Personnel Screening | Classified Information PS-3 (1) PS-3(1).1 Related controls: AC-3, AC-4. The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
CCI-001521 The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system. The organization conducting the inspection/assessment obtains and examines security clearance data for all individuals using the classified information system and the system account list (AC-2) and compares lists to ensure all personnel accessing the system are formally indoctrinated for all of the relevant types of information to which they have access on the system. The organization being inspected/assessed ensures that individuals accessing an information system processing, storing, or transmitting types of classified information (e.g., Special Access Programs (SAP), Restricted Data (RD), and Sensitive Compartmented Information (SCI)) which require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system. Personnel Screening | Formal Indoctrination PS-3 (2) PS-3(2).1 Types of classified information requiring formal indoctrination include, for example, Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartmented Information (SCI). Related controls: AC-3, AC-4. The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
CCI-001522 The organization, upon termination of individual employment, disables information system access within an organization-defined time period. The organization conducting the inspection/assessment obtains and examines organizational security policy and procedures documentation and audit records of account termination actions to ensure account termination actions are conducted immediately and IAW organizational security policy and procedures. DoD has defined the time period as immediately. The organization being inspected/assessed, upon termination of individual employment, terminates information system access immediately and IAW organization security policy and procedures. The organization must retain an audit trail of account termination actions (AU-2). DoD has defined the time period as immediately. Personnel Termination PS-4 PS-4.1 Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. The organization, upon termination of individual employment: a. Disables information system access within [Assignment: organization-defined time period]; b. Terminates/revokes any authenticators/credentials associated with the individual; c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieves all security-related organizational information system-related property; e. Retains access to organizational information and information systems formerly controlled by terminated individual; and f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
CCI-001523 The organization, upon termination of individual employment, conducts exit interviews that include a discussion of organization-defined information security topics. The organization conducting the inspection/assessment obtains and examines documentation of departed personnel and the audit trail of conducted exit interviews to ensure all departed personnel had exit interviews conducted that include a discussion of information security topics defined in PS-4, CCI 3024. The organization being inspected/assessed conducts exit interviews that include a discussion of information security topics defined in PS-4, CCI 3024 upon termination of individual employment IAW organization security policy and procedures. The organization must retain an audit trail of conducted exit interviews (AU-2). Personnel Termination PS-4 PS-4.4 Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. The organization, upon termination of individual employment: a. Disables information system access within [Assignment: organization-defined time period]; b. Terminates/revokes any authenticators/credentials associated with the individual; c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieves all security-related organizational information system-related property; e. Retains access to organizational information and information systems formerly controlled by terminated individual; and f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
CCI-001524 The organization, upon termination of individual employment, retrieves all security-related organizational information system-related property. The organization conducting the inspection/assessment obtains and examines appropriate organization security-related organizational information systems-related property documentation/logs and compares to audit trail of all retrieved security-related organizational information systems-related property (AU-2) to ensure all property has been retrieved. The organization being inspected/assessed, upon termination of individual employment, retrieves all security-related organizational information systems-related property IAW organization security policy and procedures. The organization must retain an audit trail of all retrieved security-related organizational information systems-related property (AU-2). Personnel Termination PS-4 PS-4.6 Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. The organization, upon termination of individual employment: a. Disables information system access within [Assignment: organization-defined time period]; b. Terminates/revokes any authenticators/credentials associated with the individual; c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieves all security-related organizational information system-related property; e. Retains access to organizational information and information systems formerly controlled by terminated individual; and f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
CCI-001525 The organization, upon termination of individual employment, retains access to organizational information formerly controlled by the terminated individual. The organization conducting the inspection/assessment interviews appropriate IT and security personnel to validate the organization has procedures in place which, upon termination of individual's employment, will ensure it retains access to organizational information formerly controlled by the terminated individual. The organization being inspected/assessed, upon termination of individual employment, retains access to organizational information formerly controlled by the terminated individual IAW organization security policy and procedures. Organizational information formerly controlled by terminated individuals generally refers to online work-product including email files. Personnel Termination PS-4 PS-4.7 Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. The organization, upon termination of individual employment: a. Disables information system access within [Assignment: organization-defined time period]; b. Terminates/revokes any authenticators/credentials associated with the individual; c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieves all security-related organizational information system-related property; e. Retains access to organizational information and information systems formerly controlled by terminated individual; and f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
CCI-001526 The organization, upon termination of individual employment, retains access to organizational information systems formerly controlled by the terminated individual. The organization conducting the inspection/assessment interviews appropriate IT and security personnel to validate the organization has procedures in place which, upon termination of individual's employment, will ensure it retains access to organizational information systems formerly controlled by the terminated individual. The organization being inspected/assessed, upon termination of individual employment, retains access to organizational information systems formerly controlled by the terminated individual IAW organization security policy and procedures. Organizational information systems formerly controlled by terminated individuals generally refers to issued hardware (e.g., laptops, BlackBerrys, PEDs, removable media, etc.). Personnel Termination PS-4 PS-4.8 Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. The organization, upon termination of individual employment: a. Disables information system access within [Assignment: organization-defined time period]; b. Terminates/revokes any authenticators/credentials associated with the individual; c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieves all security-related organizational information system-related property; e. Retains access to organizational information and information systems formerly controlled by terminated individual; and f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
CCI-001527 The organization reviews and confirms the ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure that the organization has confirmed the ongoing operational need for logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization. The organization being inspected/assessed reviews and confirms ongoing operational need for logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization. The organization must maintain an audit trail of reviews. Personnel Transfer PS-5 PS-5.1 This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. The organization: a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
CCI-001528 The organization initiates organization-defined transfer or reassignment actions within an organization-defined time period following the formal personnel transfer action. The organization conducting the inspection/assessment obtains and examines appropriate organization security-related organizational physical and logical access documentation/logs and compares to transferred personnel documentation to ensure appropriate logical and physical access have been revoked for previous positions and granted for new positions immediately. DoD defines the time period as immediately. The organization being inspected/assessed initiates transfer or reassignment actions to ensure all system accesses no longer required are removed and actions to ensure all system accesses required due to the individual's new position are granted immediately when personnel are reassigned or transferred to other positions. DoD defines transfer or reassignment actions as actions to ensure all system accesses no longer required are removed. DoD defines the time period as immediately. Personnel Transfer PS-5 PS-5.2 This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. The organization: a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
CCI-001529 The organization defines transfer or reassignment actions to initiate within an organization-defined time period following the formal personnel transfer action. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD defines transfer or reassignment actions as actions to ensure all system accesses no longer required are removed. DoD defines transfer or reassignment actions as actions to ensure all system accesses no longer required are removed. Personnel Transfer PS-5 PS-5.3 This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. The organization: a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
CCI-001530 The organization defines the time period within which the organization initiates organization-defined transfer or reassignment actions following the formal personnel transfer action. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD defines the time period as immediately. DoD defines the time period as immediately. Personnel Transfer PS-5 PS-5.4 This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. The organization: a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
CCI-001531 The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access. The organization conducting the inspection/assessment obtains a list of organizational individuals with active accounts and validates the existence of signed DD Form 2875 (paper or electronic) associated with a sampling of individuals selected from the list. The organization being inspected/assessed will ensure all individuals have appropriate access agreements in place prior to being granted access to information and information systems. DD Form 2875 is the accepted DoD methodology of requesting and granting of access to information and information systems. Access Agreements PS-6 PS-6.4 Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. The organization: a. Develops and documents access agreements for organizational information systems; b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and c. Ensures that individuals requiring access to organizational information and information systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
CCI-001532 The organization reviews and updates access agreements for organizational information systems in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail to ensure review/update occurred annually and departed employees no longer have valid access agreements. The organization being inspected/assessed reviews/updates the access agreements annually of employees who have signed access agreements. The purpose of this review/update is to ensure access agreements are current and departed employees no longer have access agreements. The organization must maintain an audit trail of the review and update activity for review. DoD has defined the frequency as annually. Access Agreements PS-6 PS-6.2 Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. The organization: a. Develops and documents access agreements for organizational information systems; b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and c. Ensures that individuals requiring access to organizational information and information systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
CCI-001533 The organization defines the frequency with which to review and update access agreements for organizational information systems. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Access Agreements PS-6 PS-6.3 Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. The organization: a. Develops and documents access agreements for organizational information systems; b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and c. Ensures that individuals requiring access to organizational information and information systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
CCI-001534 The organization ensures that access to information with special protection measures is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties.
CCI-001535 The organization ensures that access to information with special protection measures is granted only to individuals who satisfy associated personnel security criteria.
CCI-001536 The organization ensures that access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties. The organization conducting the inspection/assessment obtains a list of organizational individuals with active accounts and validates the existence of signed DD Form 2875 (paper or electronic) associated with individuals requiring access to classified information with special protection. The organization being inspected/assessed will grant access to classified information requiring special protection only to individuals who have a valid access authorization that is demonstrated by assigned official government duties. DD Form 2875 is the accepted DoD methodology of requesting and granting of access to information and information systems. Access Agreements | Classified Information Requiring Special Protection PS-6 (2) PS-6(2).1 Classified information requiring special protection includes, for example, collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. The organization ensures that access to classified information requiring special protection is granted only to individuals who: (a) Have a valid access authorization that is demonstrated by assigned official government duties; (b) Satisfy associated personnel security criteria; and (c) Have read, understood, and signed a nondisclosure agreement.
CCI-001537 The organization ensures that access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria. The organization conducting the inspection/assessment reviews access agreements; access authorizations; personnel security criteria; along with other relevant documents or records to ensure the organization has granted authorized access to classified information requiring special protection only to those individuals who have satisfied the associated personnel security criteria. The organization being inspected/assessed ensures all authorized access to classified information requiring special protection is granted only to those individuals who have satisfied the associated personnel security criteria. DD Form 2875 is the accepted DoD methodology of requesting and granting of access to information and information systems. Access Agreements | Classified Information Requiring Special Protection PS-6 (2) PS-6(2).2 Classified information requiring special protection includes, for example, collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. The organization ensures that access to classified information requiring special protection is granted only to individuals who: (a) Have a valid access authorization that is demonstrated by assigned official government duties; (b) Satisfy associated personnel security criteria; and (c) Have read, understood, and signed a nondisclosure agreement.
CCI-001538 The organization ensures that access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a nondisclosure agreement. The organization conducting the inspection/assessment obtains and examines the access roster and requests the signed nondisclosure agreements of a sampling of individuals to validate the organization requires all access to classified information requiring special protection is granted only to individuals who have a signed nondisclosure agreement. The organization being inspected/assessed grants access to classified information requiring special protection only to individuals who have read, understood, and signed a nondisclosure agreement. Access Agreements | Classified Information Requiring Special Protection PS-6 (2) PS-6(2).3 Classified information requiring special protection includes, for example, collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. The organization ensures that access to classified information requiring special protection is granted only to individuals who: (a) Have a valid access authorization that is demonstrated by assigned official government duties; (b) Satisfy associated personnel security criteria; and (c) Have read, understood, and signed a nondisclosure agreement.
CCI-001539 The organization establishes personnel security requirements including security roles and responsibilities for third-party providers. DoD 5220.22-M, DoD 5220.22-R, DoD 5200.2-R, DoD 8570.01-M and DoDI 3020.41 meet the DoD personnel security requirements including security roles and responsibilities for third-party providers. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoD 5220.22-M, DoD 5220.22-R, DoD 5200.2-R, DoD 8570.01-M and DoDI 3020.41. DoD 5220.22-M, DoD 5220.22-R, DoD 5200.2-R, DoD 8570.01-M and DoDI 3020.41 meet the DoD personnel security requirements including security roles and responsibilities for third-party providers. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoD 5220.22-M, DoD 5220.22-R, DoD 5200.2-R, DoD 8570.01-M and DoDI 3020.41. Third-Party Personnel Security PS-7 PS-7.1 Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. The organization: a. Establishes personnel security requirements including security roles and responsibilities for third-party providers; b. Requires third-party providers to comply with personnel security policies and procedures established by the organization; c. Documents personnel security requirements; d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and e. Monitors provider compliance.
CCI-001540 The organization documents personnel security requirements for third-party providers. The organization conducting the inspection/assessment obtains and examines the personnel security requirements to ensure the organization being inspected/assessed documents personnel security requirements for third-party providers. The organization being inspected/assessed documents personnel security requirements for third-party providers. Third-Party Personnel Security PS-7 PS-7.3 Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. The organization: a. Establishes personnel security requirements including security roles and responsibilities for third-party providers; b. Requires third-party providers to comply with personnel security policies and procedures established by the organization; c. Documents personnel security requirements; d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and e. Monitors provider compliance.
CCI-001541 The organization monitors third-party provider compliance with personnel security requirements. The organization conducting the inspection/assessment obtains and examines the audit trail of monitoring activity to ensure the organization being inspected/assessed monitors third-party provider compliance with personnel security requirements. The organization being inspected/assessed monitors third-party provider compliance with personnel security requirements. The organization must maintain an audit trail of monitoring activity. Third-Party Personnel Security PS-7 PS-7.7 Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. The organization: a. Establishes personnel security requirements including security roles and responsibilities for third-party providers; b. Requires third-party providers to comply with personnel security policies and procedures established by the organization; c. Documents personnel security requirements; d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and e. Monitors provider compliance.
CCI-001542 The organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures. The organization conducting the inspection/assessment obtains and examines the organizational security policy to ensure it addresses formal procedures for sanctions and interviews security personnel to validate the organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures. The organization being inspected/assessed will develop formal procedures within the organizational security policy to employ formal sanctions for personnel failing to comply with established information security policies and procedures. Personnel Sanctions PS-8 PS-8.1 Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. The organization: a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
CCI-002106 The organization documents the access control policy.
CCI-002107 The organization defines the personnel or roles to be recipients of the access control policy necessary to facilitate the implementation of the access control policy and associated access controls. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as all personnel. DoD has defined the personnel or roles as all personnel. Access Control Policy And Procedures AC-1 AC-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-002108 The organization defines the personnel or roles to be recipients of the procedures necessary to facilitate the implementation of the access control policy and associated access controls. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as all personnel. DoD has defined the personnel or roles as all personnel. Access Control Policy And Procedures AC-1 AC-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
CCI-002109 The organization documents procedures to facilitate the implementation of the access control policy and associated access controls.
CCI-002110 The organization defines the information system account types that support the organizational missions/business functions. The organization conducting the inspection/assessment obtains and examines the documented information system account types to ensure the organization being inspected/assessed defines the information system account types that support the organizational missions/business functions. DoD has determined the information system account types are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system account types that support the organizational missions/business functions. DoD has determined the information system account types are not appropriate to define at the Enterprise level. Account Management AC-2 AC-2.1 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002111 The organization identifies and selects the organization-defined information system account types of information system accounts which support organizational missions/business functions. The account types are defined per AC-2, CCI 2110. The account types are defined per AC-2, CCI 2110. Account Management AC-2 AC-2.2 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002112 The organization assigns account managers for information system accounts. The organization conducting the inspection/assessment obtains and examines the documented appointment of management personnel to ensure that the organization being inspected/assessed has documented personnel responsible for the management of system accounts. The organization being inspected/assessed documents personnel responsible for the management of system accounts. Account Management AC-2 AC-2.3 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002113 The organization establishes conditions for role membership. The organization conducting the inspection/assessment obtains and examines the documented conditions for adding accounts as members of roles to ensure that the conditions are established. The organization being inspected/assessed documents conditions for adding accounts as members of roles. Account Management AC-2 AC-2.5 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002114 The organization specifies authorized users of the information system for each account.
CCI-002115 The organization specifies authorized users of the information system. The organization conducting the inspection/assessment obtains and examines the documented list of authorized users for a sampling of information system accounts to ensure that the authorized users are specified. The organization being inspected/assessed documents authorized users of the information system. Account Management AC-2 AC-2.6 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002116 The organization specifies authorized group membership on the information system. The organization conducting the inspection/assessment obtains and examines the documented list of authorized groups for a sampling of information system accounts to ensure that the authorized groups are specified. The organization being inspected/assessed documents authorized group membership on the information system. Account Management AC-2 AC-2.7 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002117 The organization specifies authorized role membership on the information system. The organization conducting the inspection/assessment obtains and examines the documented list of authorized roles for a sampling of information system accounts to ensure that the authorized roles are specified. The organization being inspected/assessed documents authorized role membership on the information system. Account Management AC-2 AC-2.8 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002118 The organization specifies access authorizations (i.e., privileges) for each account on the information system. The organization conducting the inspection/assessment obtains and examines the documented list of access authorizations for a sampling of information system accounts to ensure that the access authorizations are specified. The organization being inspected/assessed documents access authorizations (i.e., privileges) for each account on the information system. Account Management AC-2 AC-2.9 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002119 The organization specifies other attributes for each account on the information system. The organization conducting the inspection/assessment obtains and examines the documented list of other attributes for a sampling of information system accounts to ensure that other attributes are specified. The organization being inspected/assessed documents other attributes for each account on the information system. Account Management AC-2 AC-2.10 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002120 The organization defines the personnel or roles authorized to approve the creation of information system accounts. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as the ISSM or ISSO. DoD has defined the personnel or roles as the ISSM or ISSO. Account Management AC-2 AC-2.12 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002121 The organization defines the procedures or conditions to be employed when creating, enabling, modifying, disabling, and removing information system accounts. The organization conducting the inspection/assessment obtains and examines the documented procedures or conditions to ensure the organization being inspected/assessed defines the procedures or conditions to be employed when creating, enabling, modifying, disabling, and removing information system accounts. DoD has determined the procedures or conditions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the procedures or conditions to be employed when creating, enabling, modifying, disabling, and removing information system accounts. DoD has determined the procedures or conditions are not appropriate to define at the Enterprise level. Account Management AC-2 AC-2.14 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002122 The organization monitors the use of information system accounts. The organization conducting the inspection/assessment obtains and examines the audit trail to ensure that the organization being inspected/assessed implements a process to monitor the use of information system accounts. The organization being inspected/assessed implements a process to monitor the use of information system accounts. Account Management AC-2 AC-2.15 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002123 The organization notifies account managers when accounts are no longer required. The organization conducting the inspection/assessment obtains and examines the audit trail of notifications to ensure the organization being inspected/assessed implements a process to notify account managers when accounts are no longer required. The organization being inspected/assessed implements a process to notify account managers when accounts are no longer required. The organization being inspected/assessed maintains an audit trail of notifications. Account Management AC-2 AC-2.16 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002124 The organization notifies account managers when users are terminated or transferred. The organization conducting the inspection/assessment obtains and examines the audit trail of notifications to ensure the organization being inspected/assessed implements a process to notify account managers when users are terminated or transferred. The organization being inspected/assessed implements a process to notify account managers when users are terminated or transferred. The organization being inspected/assessed maintains an audit trail of notifications. Account Management AC-2 AC-2.17 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002125 The organization notifies account managers when individual information system usage or need-to-know changes. The organization conducting the inspection/assessment obtains and examines the audit trail of notifications to ensure the organization being inspected/assessed implements a process to notify account managers when individual information system usage or need-to-know changes. The organization being inspected/assessed implements a process to notify account managers when individual information system usage or need-to-know changes. The organization being inspected/assessed maintains an audit trail of notifications. Account Management AC-2 AC-2.18 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002126 The organization authorizes access to the information system based on a valid access authorization. The organization conducting the inspection/assessment obtains and examines the audit trail of approved access to ensure the organization being inspected/assessed authorizes access to the information system based on the access authorization process. The organization being inspected/assessed authorizes access to the information system based on the access authorization process. The organization being inspected/assessed maintains an audit trail of approved access. Account Management AC-2 AC-2.19 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002127 The organization authorizes access to the information system based on intended system usage. The organization conducting the inspection/assessment obtains and examines the audit trail of approved access to ensure the organization being inspected/assessed authorizes access to the information system based on intended system usage. The organization being inspected/assessed authorizes access to the information system based on intended system usage. The organization being inspected/assessed maintains an audit trail of approved access. Account Management AC-2 AC-2.20 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002128 The organization authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions. The organization conducting the inspection/assessment obtains and examines the audit trail of approved access to ensure the organization being inspected/assessed authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions. The organization being inspected/assessed authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions. The organization being inspected/assessed maintains an audit trail of approved access. Account Management AC-2 AC-2.21 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002129 The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. The organization conducting the inspection/assessment obtains and examines the account management procedures to ensure the organization being inspected/assessed includes in the account management procedures a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. The organization being inspected/assessed includes in the account management procedures a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. Account Management AC-2 AC-2.24 Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13. The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
CCI-002130 The information system automatically audits account enabling actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically audit account enabling actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2130. The organization being inspected/assessed configures the information system to automatically audit account enabling actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2130. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).9 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-002131 The organization defines the personnel or roles to be notified on account creation, modification, enabling, disabling, and removal actions. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as the system administrator and ISSO. DoD has defined the personnel or roles as the system administrator and ISSO. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).10 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-002132 The information system notifies organization-defined personnel or roles for account enabling actions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account enabling actions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2132. DoD has defined the personnel or roles as the system administrator and ISSO. The organization being inspected/assessed configures the information system to notify the system administrator and ISSO for account enabling actions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2132. DoD has defined the personnel or roles as the system administrator and ISSO. Account Management | Automated Audit Actions AC-2 (4) AC-2(4).11 Related controls: AU-2, AU-12. The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
CCI-002133 The organization defines other conditions when users are required to log out. The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure they have been defined. DoD has determined the conditions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the other conditions when users are required to log out. DoD has determined the conditions are not appropriate to define at the Enterprise level. Account Management | Inactivity Logout AC-2 (5) AC-2(5).1 Related control: SC-23. The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].
CCI-002134 The organization defines a list of dynamic privilege management capabilities to be implemented by the information system. The organization conducting the inspection/assessment obtains and examines the documented list to ensure the dynamic privilege management capabilities have been defined. DoD has determined the list is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents a list of dynamic privilege management capabilities to be implemented by the information system. DoD has determined the list is not appropriate to define at the Enterprise level. Account Management | Dynamic Privilege Management AC-2 (6) AC-2(6).1 In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, dynamic access control approaches (e.g., service-oriented architectures) rely on run time access control decisions facilitated by dynamic privilege management. While user identities may remain relatively constant over time, user privileges may change more frequently based on ongoing mission/business requirements and operational needs of organizations. Dynamic privilege management can include, for example, the immediate revocation of privileges from users, as opposed to requiring that users terminate and restart their sessions to reflect any changes in privileges. Dynamic privilege management can also refer to mechanisms that change the privileges of users based on dynamic rules as opposed to editing specific user profiles. This type of privilege management includes, for example, automatic adjustments of privileges if users are operating out of their normal work times, or if information systems are under duress or in emergency maintenance situations. This control enhancement also includes the ancillary effects of privilege changes, for example, the potential changes to encryption keys used for communications. Dynamic privilege management can support requirements for information system resiliency. Related control: AC-16. The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities].
CCI-002135 The information system implements the organization-defined list of dynamic privilege management capabilities. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement the list of dynamic privilege management capabilities defined in AC-2 (6), CCI 2134. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2135. The organization being inspected/assessed configures the information system to implement the list of dynamic privilege management capabilities defined in AC-2 (6), CCI 2134. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2135. Account Management | Dynamic Privilege Management AC-2 (6) AC-2(6).2 In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, dynamic access control approaches (e.g., service-oriented architectures) rely on run time access control decisions facilitated by dynamic privilege management. While user identities may remain relatively constant over time, user privileges may change more frequently based on ongoing mission/business requirements and operational needs of organizations. Dynamic privilege management can include, for example, the immediate revocation of privileges from users, as opposed to requiring that users terminate and restart their sessions to reflect any changes in privileges. Dynamic privilege management can also refer to mechanisms that change the privileges of users based on dynamic rules as opposed to editing specific user profiles. This type of privilege management includes, for example, automatic adjustments of privileges if users are operating out of their normal work times, or if information systems are under duress or in emergency maintenance situations. This control enhancement also includes the ancillary effects of privilege changes, for example, the potential changes to encryption keys used for communications. Dynamic privilege management can support requirements for information system resiliency. Related control: AC-16. The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities].
CCI-002136 The organization defines the actions to be taken when privileged role assignments are no longer appropriate. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the actions as disabling (or revoking) the privileged user account. DoD has defined the actions as disabling (or revoking) the privileged user account. Account Management | Role-Based Schemes AC-2 (7) AC-2(7).4 Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
CCI-002137 The organization takes organization-defined actions when privileged role assignments are no longer appropriate. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of actions taken to ensure the organization being inspected/assessed disables (or revokes) the privileged user account when privileged role assignments are no longer appropriate. DoD has defined the actions as disabling (or revoking) the privileged user account. The organization being inspected/assessed documents and implements a process to disable (or revoke) the privileged user account when privileged role assignments are no longer appropriate. The organization must maintain an audit trail of the actions taken. DoD has defined the actions as disabling (or revoking) the privileged user account. Account Management | Role-Based Schemes AC-2 (7) AC-2(7).5 Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
CCI-002138 The organization defines the information system accounts that can be dynamically created. The organization conducting the inspection/assessment obtains and examines the documented information system accounts to ensure they have been defined. DoD has determined the information system accounts are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system accounts that can be dynamically created. DoD has determined the information system accounts are not appropriate to define at the Enterprise level. Account Management | Dynamic Account Creation AC-2 (8) AC-2(8).1 Dynamic approaches for creating information system accounts (e.g., as implemented within service-oriented architectures) rely on establishing accounts (identities) at run time for entities that were previously unknown. Organizations plan for dynamic creation of information system accounts by establishing trust relationships and mechanisms with the appropriate authorities to validate related authorizations and privileges. Related control: AC-16. The information system creates [Assignment: organization-defined information system accounts] dynamically.
CCI-002139 The information system creates organization-defined information system accounts dynamically. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically create information system accounts defined in AC-2 (8), CCI 2138. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2139. The organization being inspected/assessed configures the information system to dynamically create information system accounts defined in AC-2 (8), CCI 2138. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2139. Account Management | Dynamic Account Creation AC-2 (8) AC-2(8).2 Dynamic approaches for creating information system accounts (e.g., as implemented within service-oriented architectures) rely on establishing accounts (identities) at run time for entities that were previously unknown. Organizations plan for dynamic creation of information system accounts by establishing trust relationships and mechanisms with the appropriate authorities to validate related authorizations and privileges. Related control: AC-16. The information system creates [Assignment: organization-defined information system accounts] dynamically.
CCI-002140 The organization defines the conditions for establishing shared/group accounts. The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure they have been defined. DoD has determined the conditions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the conditions for establishing shared/group accounts. DoD has determined the conditions are not appropriate to define at the Enterprise level. Account Management | Restrictions On Use Of Shared Groups / Accounts AC-2 (9) AC-2(9).1 The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts].
CCI-002141 The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts. The organization conducting the inspection/assessment examines the shared/group accounts to ensure the organization being inspected/assessed only permits the use of shared/group accounts that meet the conditions for establishing shared/group accounts defined in AC-2 (9), CCI 2140. The organization being inspected/assessed only permits the use of shared/group accounts that meet the conditions for establishing shared/group accounts defined in AC-2 (9), CCI 2140. Account Management | Restrictions On Use Of Shared Groups / Accounts AC-2 (9) AC-2(9).2 The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts].
CCI-002142 The information system terminates shared/group account credentials when members leave the group. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to terminate shared/group account credentials when members leave the group. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2142. The organization being inspected/assessed configures the information system to terminate shared/group account credentials when members leave the group. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2142. Account Management | Shared / Group Account Credential Termination AC-2 (10) AC-2(10).1 The information system terminates shared/group account credentials when members leave the group.
CCI-002143 The organization defines the circumstances and/or usage conditions that are to be enforced for organization-defined information system accounts. The organization conducting the inspection/assessment obtains and examines the documented circumstances and/or usage conditions to ensure they have been defined. DoD has determined the circumstances and/or usage conditions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the circumstances and/or usage conditions that are to be enforced for organization-defined information system accounts. DoD has determined the circumstances and/or usage conditions are not appropriate to define at the Enterprise level. Account Management | Usage Conditions AC-2 (11) AC-2(11).1 Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time. The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].
CCI-002144 The organization defines the information system accounts that are to be subject to the enforcement of organization-defined circumstances and/or usage conditions. The organization conducting the inspection/assessment obtains and examines the documented information system accounts to ensure they have been defined. DoD has determined the information system accounts are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system accounts that are to be subject to the enforcement of organization-defined circumstances and/or usage conditions. DoD has determined the information system accounts are not appropriate to define at the Enterprise level. Account Management | Usage Conditions AC-2 (11) AC-2(11).2 Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time. The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].
CCI-002145 The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the circumstances and/or usage conditions defined in AC-2 (11), CCI 2143 for information system accounts defined in AC-2 (11), CCI 2144. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2145. The organization being inspected/assessed configures the information system to enforce the circumstances and/or usage conditions defined in AC-2 (11), CCI 2143 for information system accounts defined in AC-2 (11), CCI 2144. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2145. Account Management | Usage Conditions AC-2 (11) AC-2(11).3 Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time. The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].
CCI-002146 The organization defines atypical usage for which the information system accounts are to be monitored. The organization conducting the inspection/assessment obtains and examines the documented atypical usage to ensure it has been defined. DoD has determined atypical usage is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents atypical usage for which the information system accounts are to be monitored. DoD has determined atypical usage is not appropriate to define at the Enterprise level. Account Management | Account Monitoring / Atypical Usage AC-2 (12) AC-2(12).1 Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related control: CA-7. The organization: (a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and (b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].
CCI-002147 The organization monitors information system accounts for organization-defined atypical use. The organization conducting the inspection/assessment obtains and examines the audit trail of monitoring to ensure the organization being inspected/assessed monitors information system accounts for atypical use defined in AC-2 (12), CCI 2146. The organization being inspected/assessed monitors information system accounts for atypical use defined in AC-2 (12), CCI 2146. The organization must maintain an audit trail of monitoring. Account Management | Account Monitoring / Atypical Usage AC-2 (12) AC-2(12).2 Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related control: CA-7. The organization: (a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and (b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].
CCI-002148 The organization defines the personnel or roles to whom atypical usage of information system accounts are to be reported. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as at a minimum, the ISSO. DoD has defined the personnel or roles as at a minimum, the ISSO. Account Management | Account Monitoring / Atypical Usage AC-2 (12) AC-2(12).3 Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related control: CA-7. The organization: (a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and (b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].
CCI-002149 The organization reports atypical usage of information system accounts to organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reporting to ensure the organization being inspected/assessed reports atypical usage defined in AC-2 (12), CCI 2146 of information system accounts to at a minimum, the ISSO. DoD has defined the personnel or roles as at a minimum, the ISSO. The organization being inspected/assessed documents and implements a process to report atypical usage defined in AC-2 (12), CCI 2146 of information system accounts to at a minimum, the ISSO. The organization must maintain an audit trail of reporting. DoD has defined the personnel or roles as at a minimum, the ISSO. Account Management | Account Monitoring / Atypical Usage AC-2 (12) AC-2(12).4 Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related control: CA-7. The organization: (a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and (b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].
CCI-002150 The organization defines the time period within which the accounts of users posing a significant risk are to be disabled after discovery of the risk. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 30 minutes unless otherwise defined in formal organizational policy. DoD has defined the time period as 30 minutes unless otherwise defined in formal organizational policy. Account Management | Disable Accounts For High-Risk Individuals AC-2 (13) AC-2(13).1 Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement. Related control: PS-4. The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.
CCI-002151 The organization disables accounts of users posing a significant risk within an organization-defined time period of discovery of the risk. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed disables accounts of users posing a significant risk within 30 minutes unless otherwise defined in formal organizational policy. DoD has defined the time period as 30 minutes unless otherwise defined in formal organizational policy. The organization being inspected/assessed documents and implements a process to disable accounts of users posing a significant risk within 30 minutes unless otherwise defined in formal organizational policy. DoD has defined the time period as 30 minutes unless otherwise defined in formal organizational policy. Account Management | Disable Accounts For High-Risk Individuals AC-2 (13) AC-2(13).2 Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement. Related control: PS-4. The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.
CCI-002152 The organization defines other actions necessary for which dual authorization is to be enforced. The organization conducting the inspection/assessment obtains and examines the documented actions to ensure they have been defined. DoD has determined the other actions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the other actions necessary for which dual authorization is to be enforced. DoD has determined the other actions are not appropriate to define at the Enterprise level. Access Enforcement | Dual Authorization AC-3 (2) AC-3(2).3 Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety. Dual authorization may also be known as two-person control. Related controls: CP-9, MP-6. The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
CCI-002153 The organization defines the mandatory access control policies that are to be enforced over all subjects and objects. The organization conducting the inspection/assessment obtains and examines the documented mandatory access control policies to ensure they have been defined. DoD has determined the mandatory access control policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the mandatory access control policies that are to be enforced over all subjects and objects. DoD has determined the mandatory access control policies are not appropriate to define at the Enterprise level. Access Enforcement | Mandatory Access Control AC-3 (3) AC-3(3).1 Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that: (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system; (b) A subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes on subjects, objects, the information system, or information system components; (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or (5) Changing the rules governing access control; and (c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.
CCI-002154 The mandatory access control policy specifies that the policy is uniformly enforced across all subjects and objects within the boundary of the information system. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to uniformly enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 across all subjects and objects within the boundary of the information system. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2154. The organization being inspected/assessed configures the information system to uniformly enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 across all subjects and objects within the boundary of the information system. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2154. Access Enforcement | Mandatory Access Control AC-3 (3) AC-3(3).2 Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that: (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system; (b) A subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes on subjects, objects, the information system, or information system components; (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or (5) Changing the rules governing access control; and (c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.
CCI-002155 The mandatory access control policy specifies that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2155. The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2155. Access Enforcement | Mandatory Access Control AC-3 (3) AC-3(3).3 Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that: (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system; (b) A subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes on subjects, objects, the information system, or information system components; (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or (5) Changing the rules governing access control; and (c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.
CCI-002156 The mandatory access control policy specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2156. The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153 which specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2156. Access Enforcement | Mandatory Access Control AC-3 (3) AC-3(3).4 Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that: (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system; (b) A subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes on subjects, objects, the information system, or information system components; (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or (5) Changing the rules governing access control; and (c) [Assignment: Organized-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

CCI-002157
CCI Definition: The mandatory access control policy specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153, which specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2157.
CCI Guidance: The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153, which specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2157.
Control Name: Access Enforcement | Mandatory Access Control
Control: AC-3 (3)
Assessment Procedure: AC-3(3).5
Control Guidance: Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11.
Control Definition: The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
  (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
  (b) A subject that has been granted access to information is constrained from doing any of the following:
      (1) Passing the information to unauthorized subjects or objects;
      (2) Granting its privileges to other subjects;
      (3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
      (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
      (5) Changing the rules governing access control; and
  (c) [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

CCI-002158
CCI Definition: The mandatory access control policy specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153, which specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2158.
CCI Guidance: The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153, which specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2158.
Control Name: Access Enforcement | Mandatory Access Control
Control: AC-3 (3)
Assessment Procedure: AC-3(3).6
Control Guidance: Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11.
Control Definition: The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
  (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
  (b) A subject that has been granted access to information is constrained from doing any of the following:
      (1) Passing the information to unauthorized subjects or objects;
      (2) Granting its privileges to other subjects;
      (3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
      (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
      (5) Changing the rules governing access control; and
  (c) [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

CCI-002159
CCI Definition: The mandatory access control policy specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153, which specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2159.
CCI Guidance: The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153, which specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2159.
Control Name: Access Enforcement | Mandatory Access Control
Control: AC-3 (3)
Assessment Procedure: AC-3(3).7
Control Guidance: Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11.
Control Definition: The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
  (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
  (b) A subject that has been granted access to information is constrained from doing any of the following:
      (1) Passing the information to unauthorized subjects or objects;
      (2) Granting its privileges to other subjects;
      (3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
      (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
      (5) Changing the rules governing access control; and
  (c) [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

CCI-002160
CCI Definition: The mandatory access control policy specifies that a subject that has been granted access to information is constrained from changing the rules governing access control.
CCI Auditor: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153, which specifies that a subject that has been granted access to information is constrained from changing the rules governing access control. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2160.
CCI Guidance: The organization being inspected/assessed configures the information system to enforce the mandatory access control policies defined in AC-3 (3), CCI 2153, which specifies that a subject that has been granted access to information is constrained from changing the rules governing access control. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2160.
Control Name: Access Enforcement | Mandatory Access Control
Control: AC-3 (3)
Assessment Procedure: AC-3(3).8
Control Guidance: Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11.
Control Definition: The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
  (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
  (b) A subject that has been granted access to information is constrained from doing any of the following:
      (1) Passing the information to unauthorized subjects or objects;
      (2) Granting its privileges to other subjects;
      (3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
      (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
      (5) Changing the rules governing access control; and
  (c) [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

CCI-002161
CCI Definition: The organization defines subjects which may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure they have been defined. DoD has determined that the subjects are not appropriate to define at the Enterprise level.
CCI Guidance: The organization being inspected/assessed defines and documents subjects which may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints. DoD has determined that the subjects are not appropriate to define at the Enterprise level.
Control Name: Access Enforcement | Mandatory Access Control
Control: AC-3 (3)
Assessment Procedure: AC-3(3).9
Control Guidance: Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11.
Control Definition: The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
  (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
  (b) A subject that has been granted access to information is constrained from doing any of the following:
      (1) Passing the information to unauthorized subjects or objects;
      (2) Granting its privileges to other subjects;
      (3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
      (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
      (5) Changing the rules governing access control; and
  (c) [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

CCI-002162
CCI Definition: The organization defines the privileges that may explicitly be granted to organization-defined subjects such that they are not limited by some or all of the mandatory access control constraints.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented privileges to ensure they have been defined. DoD has determined the privileges are not appropriate to define at the Enterprise level.
CCI Guidance: The organization being inspected/assessed defines and documents the privileges that may explicitly be granted to organization-defined subjects such that they are not limited by some or all of the mandatory access control constraints. DoD has determined the privileges are not appropriate to define at the Enterprise level.
Control Name: Access Enforcement | Mandatory Access Control
Control: AC-3 (3)
Assessment Procedure: AC-3(3).10
Control Guidance: Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11.
Control Definition: The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
  (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
  (b) A subject that has been granted access to information is constrained from doing any of the following:
      (1) Passing the information to unauthorized subjects or objects;
      (2) Granting its privileges to other subjects;
      (3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
      (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
      (5) Changing the rules governing access control; and
  (c) [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

CCI-002163
CCI Definition: The organization defines the discretionary access control policies the information system is to enforce over subjects and objects.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented access control policies to ensure they have been defined. DoD has determined that the discretionary access control policies are not appropriate to define at the Enterprise level.
CCI Guidance: The organization being inspected/assessed defines and documents the discretionary access control policies the information system is to enforce over subjects and objects. DoD has determined that the discretionary access control policies are not appropriate to define at the Enterprise level.
Control Name: Access Enforcement | Discretionary Access Control
Control: AC-3 (4)
Assessment Procedure: AC-3(4).1
Control Guidance: When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. This control enhancement can operate in conjunction with AC-3 (3). A subject that is constrained in its operation by policies governed by AC-3 (3) is still able to operate under the less rigorous constraints of this control enhancement. Thus, while AC-3 (3) imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, AC-3 (4) permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure that the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
Control Definition: The information system enforces [Assignment: organization-defined discretionary access control policies] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
  (a) Pass the information to any other subjects or objects;
  (b) Grant its privileges to other subjects;
  (c) Change security attributes on subjects, objects, the information system, or the information system's components;
  (d) Choose the security attributes to be associated with newly created or revised objects; or
  (e) Change the rules governing access control.

CCI-002164
CCI Definition: The organization specifies in the discretionary access control policies that a subject that has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system's components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control.
CCI Auditor: The organization conducting the inspection/assessment obtains and examines the documented discretionary access control policies to ensure the organization being inspected/assessed specifies that a subject which has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system's components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control.
CCI Guidance: The organization being inspected/assessed documents in the discretionary access control policies that a subject which has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system's components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control.
Control Name: Access Enforcement | Discretionary Access Control
Control: AC-3 (4)
Assessment Procedure: AC-3(4).2
Control Guidance: When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. This control enhancement can operate in conjunction with AC-3 (3). A subject that is constrained in its operation by policies governed by AC-3 (3) is still able to operate under the less rigorous constraints of this control enhancement. Thus, while AC-3 (3) imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, AC-3 (4) permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure that the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
Control Definition: The information system enforces [Assignment: organization-defined discretionary access control policies] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
  (a) Pass the information to any other subjects or objects;
  (b) Grant its privileges to other subjects;
  (c) Change security attributes on subjects, objects, the information system, or the information system's components;
  (d) Choose the security attributes to be associated with newly created or revised objects; or
  (e) Change the rules governing access control.
CCI-002165 The information system enforces organization-defined discretionary access control policies over defined subjects and objects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the discretionary access control policies defined in AC-3 (4), CCI 2163 over defined subjects and objects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2165. The organization being inspected/assessed configures the information system to enforce the discretionary access control policies defined in AC-3 (4), CCI 2163 over defined subjects and objects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2165. Access Enforcement | Discretionary Access Control AC-3 (4) AC-3(4).3 When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. This control enhancement can operate in conjunction with AC-3 (3). A subject that is constrained in its operation by policies governed by AC-3 (3) is still able to operate under the less rigorous constraints of this control enhancement. Thus, while AC-3 (3) imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, AC-3 (4) permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure that the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. The information system enforces [Assignment: organization-defined discretionary access control policies] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the information system, or the information system's components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control.
CCI-002166 The organization defines the role-based access control policies the information system is to enforce over all subjects and objects. The organization conducting the inspection/assessment obtains and examines the documented role-based access control policies to ensure the organization being inspected/assessed defines the role-based access control policies the information system is to enforce over all subjects and objects. The organization being inspected/assessed defines and documents the role-based access control policies the information system is to enforce over all subjects and objects. Access Enforcement | Role-Based Access Control AC-3 (7) AC-3(7).1 Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
CCI-002167 The organization defines the subjects over which the information system will enforce a role-based access control policy. The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure the organization being inspected/assessed defines the subjects over which the information system will enforce a role-based access control policy. The organization being inspected/assessed defines and documents the subjects over which the information system will enforce a role-based access control policy. Access Enforcement | Role-Based Access Control AC-3 (7) AC-3(7).2 Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
CCI-002168 The organization defines the objects over which the information system will enforce a role-based access control policy. The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the objects over which the information system will enforce a role-based access control policy. The organization being inspected/assessed defines and documents the objects over which the information system will enforce a role-based access control policy. Access Enforcement | Role-Based Access Control AC-3 (7) AC-3(7).3 Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
CCI-002169 The information system enforces a role-based access control policy over defined subjects and objects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce a role-based access control policy over defined subjects and objects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2169. The organization being inspected/assessed configures the information system to enforce a role-based access control policy over defined subjects and objects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2169. Access Enforcement | Role-Based Access Control AC-3 (7) AC-3(7).4 Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
CCI-002170 The information system controls access based upon organization-defined roles and users authorized to assume such roles. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to control access based upon the roles and users defined in AC-3 (7), CCIs 2173 and 2174 authorized to assume such roles. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2170. The organization being inspected/assessed configures the information system to control access based upon the roles and users defined in AC-3 (7), CCIs 2173 and 2174 authorized to assume such roles. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2170. Access Enforcement | Role-Based Access Control AC-3 (7) AC-3(7).5 Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
CCI-002171 The information system enforces a role-based access control policy over organization-defined subjects.
CCI-002172 The information system enforces a role-based access control policy over organization-defined objects.
CCI-002173 The organization defines the roles for which the information system will control access based upon the organization-defined role-based access control policy. The organization conducting the inspection/assessment obtains and examines the documented roles to ensure the organization being inspected/assessed defines the roles the information system will control access based upon the organization-defined role-based access control policy. DoD has determined the roles are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the roles the information system will control access based upon the organization-defined role-based access control policy. DoD has determined the roles are not appropriate to define at the Enterprise level. Access Enforcement | Role-Based Access Control AC-3 (7) AC-3(7).6 Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
CCI-002174 The organization defines the users for which the information system will control access based upon the organization-defined role-based access control policy. The organization conducting the inspection/assessment obtains and examines the documented roles to ensure the organization being inspected/assessed defines the users the information system will control access based upon the organization-defined role-based access control policy. DoD has determined the users are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the users the information system will control access based upon the organization-defined role-based access control policy. DoD has determined the users are not appropriate to define at the Enterprise level. Access Enforcement | Role-Based Access Control AC-3 (7) AC-3(7).7 Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3 (3) define the scope of the subjects and objects covered by the policy. The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
CCI-002175 The information system controls access based upon organization-defined roles authorized to assume such roles, employing the organization-defined role-based access control policy.
CCI-002176 The information system controls access based upon organization-defined users authorized to assume such roles, employing the organization-defined role-based access control policy.
CCI-002177 The organization defines the rules which will govern the timing of revocation of access authorizations. The organization conducting the inspection/assessment obtains and examines the documented rules to ensure the organization being inspected/assessed defines the rules which will govern the timing of revocation of access authorizations. DoD has determined the rules are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the rules which will govern the timing of revocation of access authorizations. DoD has determined the rules are not appropriate to define at the Enterprise level. Access Enforcement | Revocation Of Access Authorizations AC-3 (8) AC-3(8).1 Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. Organizations can provide alternative approaches on how to make revocations immediate if information systems cannot provide such capability and immediate revocation is necessary. The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
CCI-002178 The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects based on organization-defined rules governing the timing of revocations of access authorizations. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the revocation of access authorizations resulting from changes to the security attributes of subjects based on the rules defined in AC-3 (8), CCI 2177 governing the timing of revocations of access authorizations. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2178. The organization being inspected/assessed configures the information system to enforce the revocation of access authorizations resulting from changes to the security attributes of subjects based on the rules defined in AC-3 (8), CCI 2177 governing the timing of revocations of access authorizations. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2178. Access Enforcement | Revocation Of Access Authorizations AC-3 (8) AC-3(8).2 Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. Organizations can provide alternative approaches on how to make revocations immediate if information systems cannot provide such capability and immediate revocation is necessary. The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
CCI-002179 The information system enforces the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the revocation of access authorizations resulting from changes to the security attributes of objects based on the rules defined in AC-3 (8), CCI 2177 governing the timing of revocations of access authorizations. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2179. The organization being inspected/assessed configures the information system to enforce the revocation of access authorizations resulting from changes to the security attributes of objects based on the rules defined in AC-3 (8), CCI 2177 governing the timing of revocations of access authorizations. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2179. Access Enforcement | Revocation Of Access Authorizations AC-3 (8) AC-3(8).3 Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. Organizations can provide alternative approaches on how to make revocations immediate if information systems cannot provide such capability and immediate revocation is necessary. The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
CCI-002180 The organization defines the security safeguards the organization-defined information system or system component is to provide to protect information released outside the established system boundary. The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards the organization-defined information system or system component is to provide to protect information released outside the established system boundary. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security safeguards the organization-defined information system or system component is to provide to protect information released outside the established system boundary. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. Access Enforcement | Controlled Release AC-3 (9) AC-3(9).1 Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the information system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only appropriately authorized individuals gain access to the printer. This control enhancement is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes policy regarding access to the information, and that policy applies beyond the realm of a particular information system or organization. The information system does not release information outside of the established system boundary unless: (a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and (b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.
CCI-002181 The organization defines information systems or system components that are to provide organization-defined security safeguards to protect information received outside the established system boundary. The organization conducting the inspection/assessment obtains and examines the documented information systems or system components to ensure the organization being inspected/assessed defines the information systems or system components that are to provide organization-defined security safeguards to protect information received outside the established system boundary. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information systems or system components that are to provide organization-defined security safeguards to protect information received outside the established system boundary. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. Access Enforcement | Controlled Release AC-3 (9) AC-3(9).2 Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the information system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only appropriately authorized individuals gain access to the printer. This control enhancement is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes policy regarding access to the information, and that policy applies beyond the realm of a particular information system or organization. The information system does not release information outside of the established system boundary unless: (a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and (b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.
CCI-002182 The information system does not release information outside of the established system boundary unless the receiving organization-defined information system or system component provides organization-defined security safeguards. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to not release information outside of the established system boundary unless the receiving information system or system component defined in AC-3 (9), CCI 2181 provides security safeguards defined in AC-3 (9), CCI 2180. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2182. The organization being inspected/assessed configures the information system to not release information outside of the established system boundary unless the receiving information system or system component defined in AC-3 (9), CCI 2181 provides security safeguards defined in AC-3 (9), CCI 2180. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2182. Access Enforcement | Controlled Release AC-3 (9) AC-3(9).3 Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the information system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only appropriately authorized individuals gain access to the printer. This control enhancement is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes policy regarding access to the information, and that policy applies beyond the realm of a particular information system or organization. The information system does not release information outside of the established system boundary unless: (a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and (b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.
CCI-002183 The organization defines the security safeguards to be used to validate the appropriateness of the information designated for release. The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be used to validate the appropriateness of the information designated for release. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security safeguards to be used to validate the appropriateness of the information designated for release. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. Access Enforcement | Controlled Release AC-3 (9) AC-3(9).4 Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the information system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only appropriately authorized individuals gain access to the printer. This control enhancement is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes policy regarding access to the information, and that policy applies beyond the realm of a particular information system or organization. The information system does not release information outside of the established system boundary unless: (a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and (b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.
CCI-002184 The information system does not release information outside of the established system boundary unless organization-defined security safeguards are used to validate the appropriateness of the information designated for release. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to not release information outside of the established system boundary unless security safeguards defined in AC-3 (9), CCI 2183 are used to validate the appropriateness of the information designated for release. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2184. The organization being inspected/assessed configures the information system to not release information outside of the established system boundary unless security safeguards defined in AC-3 (9), CCI 2183 are used to validate the appropriateness of the information designated for release. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2184. Access Enforcement | Controlled Release AC-3 (9) AC-3(9).5 Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the information system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only appropriately authorized individuals gain access to the printer. This control enhancement is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes policy regarding access to the information, and that policy applies beyond the realm of a particular information system or organization. The information system does not release information outside of the established system boundary unless: (a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and (b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.
CCI-002185 The organization defines the conditions on which it will employ an audited override of automated access control mechanisms. The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines the conditions in which it will employ an audited override of automated access control mechanisms. DoD has determined the conditions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the conditions in which it will employ an audited override of automated access control mechanisms. DoD has determined the conditions are not appropriate to define at the Enterprise level. Access Enforcement | Audited Override Of Access Control Mechanisms AC-3 (10) AC-3(10).1 Related controls: AU-2, AU-6. The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions].
CCI-002186 The organization employs an audited override of automated access control mechanisms under organization-defined conditions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ an audited override of automated access control mechanisms under conditions defined in AC-3 (10), CCI 2185. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2186. The organization being inspected/assessed configures the information system to employ an audited override of automated access control mechanisms under conditions defined in AC-3 (10), CCI 2185. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2186. Access Enforcement | Audited Override Of Access Control Mechanisms AC-3 (10) AC-3(10).2 Related controls: AU-2, AU-6. The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions].
CCI-003014 The information system enforces organization-defined mandatory access control policies over all subjects and objects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce mandatory access control policies defined in AC-3 (3), CCI 2153 over all subjects and objects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 3014. The organization being inspected/assessed configures the information system to enforce mandatory access control policies defined in AC-3 (3), CCI 2153 over all subjects and objects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 3014. Access Enforcement | Mandatory Access Control AC-3 (3) AC-3(3).11 Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that: (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system; (b) A subject that has been granted access to information is constrained from doing any of the following: (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes on subjects, objects, the information system, or information system components; (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or (5) Changing the rules governing access control; and (c) [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.
CCI-003015 The mandatory access control policy specifies that organization-defined subjects may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to explicitly grant privileges defined in AC-3 (3), CCI 2162 such that they are not limited by some or all of the mandatory access control constraints. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 3015. The organization being inspected/assessed configures the information system to explicitly grant privileges defined in AC-3 (3), CCI 2162 such that they are not limited by some or all of the mandatory access control constraints. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 3015. Access Enforcement | Mandatory Access Control AC-3 (3) AC-3(3).12 Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject. Related controls: AC-25, SC-11. The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that: (a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system; (b) A subject that has been granted access to information is constrained from doing any of the following: (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes on subjects, objects, the information system, or information system components; (4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or (5) Changing the rules governing access control; and (c) [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.
CCI-002187 The organization defines the security attributes to be used to enforce organization-defined information flow control policies. The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes to be used to enforce organization-defined information flow control policies. DoD has determined the security attributes are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attributes to be used to enforce organization-defined information flow control policies. DoD has determined the security attributes are not appropriate to define at the Enterprise level. Information Flow Enforcement | Object Security Attributes AC-4 (1) AC-4(1).1 Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. Security attributes can also include, for example, source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information. Related control: AC-16. The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
CCI-002188 The organization defines the information, source, and destination objects with which the organization-defined security attributes are to be associated. The organization conducting the inspection/assessment obtains and examines the documented information, source, and destination objects to ensure the organization being inspected/assessed defines the information, source, and destination objects with which the organization-defined security attributes are to be associated. DoD has determined the information, source, and destination objects are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information, source, and destination objects with which the organization-defined security attributes are to be associated. DoD has determined the information, source, and destination objects are not appropriate to define at the Enterprise level. Information Flow Enforcement | Object Security Attributes AC-4 (1) AC-4(1).2 Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. Security attributes can also include, for example, source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information. Related control: AC-16. The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
CCI-002189 The organization defines the information flow control policies to be enforced for flow control decisions. The organization conducting the inspection/assessment obtains and examines the documented information flow control policies to ensure the organization being inspected/assessed defines the information flow control policies to be enforced for flow control decisions. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information flow control policies to be enforced for flow control decisions. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. Information Flow Enforcement | Object Security Attributes AC-4 (1) AC-4(1).3 Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. Security attributes can also include, for example, source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information. Related control: AC-16. The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
CCI-002190 The information system uses organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to use the security attributes defined in AC-4 (1), CCI 2187 associated with the information, source, and destination objects defined in AC-4 (1), CCI 2188 to enforce information flow control policies defined in AC-4 (1), CCI 2189 as a basis for flow control decisions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2190. The organization being inspected/assessed configures the information system to use the security attributes defined in AC-4 (1), CCI 2187 associated with the information, source, and destination objects defined in AC-4 (1), CCI 2188 to enforce information flow control policies defined in AC-4 (1), CCI 2189 as a basis for flow control decisions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2190. Information Flow Enforcement | Object Security Attributes AC-4 (1) AC-4(1).4 Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. Security attributes can also include, for example, source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information. Related control: AC-16. The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
CCI-002191 The organization defines the information flow control policies to be enforced by the information system using protected processing domains. The organization conducting the inspection/assessment obtains and examines the information flow control policies to ensure the organization being inspected/assessed defines the information flow control policies to be enforced by the information system using protected processing domains. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information flow control policies to be enforced by the information system using protected processing domains. DoD has determined the information flow control policies are not appropriate to define at the Enterprise level. Information Flow Enforcement | Processing Domains AC-4 (2) AC-4(2).2 Within information systems, protected processing domains are processing spaces that have controlled interactions with other processing spaces, thus enabling control of information flows between these spaces and to/from data/information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, information system processes are assigned to domains; information is identified by types; and information flows are controlled based on allowed information accesses (determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains. The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
CCI-002192 The organization defines the policies the information system is to enforce to achieve dynamic information flow control. The organization conducting the inspection/assessment obtains and examines the documented policies to ensure the organization being inspected/assessed defines the policies the information system is to enforce to achieve dynamic information flow control. DoD has determined the policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the policies the information system is to enforce to achieve dynamic information flow control. The policies shall address dynamic reconfiguration of data flow based upon predefined rules. DoD has determined the policies are not appropriate to define at the Enterprise level. Information Flow Enforcement | Dynamic Information Flow Control AC-4 (3) AC-4(3).2 Organizational policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include, for example, changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events. Related control: SI-4. The information system enforces dynamic information flow control based on [Assignment: organization-defined policies].
CCI-002193 The organization defines procedures or methods to be employed by the information system to prevent encrypted information from bypassing content-checking mechanisms, such as decrypting the information, blocking the flow of the encrypted information, and/or terminating communications sessions attempting to pass encrypted information. The organization conducting the inspection/assessment obtains and examines the documented mechanism to ensure the organization being inspected/assessed selects or defines the mechanism to prevent encrypted information from bypassing content-checking mechanisms. DoD has determined the procedures or methods are not appropriate to define at the Enterprise level. The organization being inspected/assessed selects or defines, and documents the mechanism to prevent encrypted information from bypassing content-checking mechanisms, such as decrypting the information, blocking the flow of the encrypted information, and/or terminating communications sessions attempting to pass encrypted information. Alternatively, the organization may define their own procedure or method. DoD has determined the procedures or methods are not appropriate to define at the Enterprise level. Information Flow Enforcement | Content Check Encrypted Information AC-4 (4) AC-4(4).2 Related control: SI-4. The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].
CCI-002194 The organization defines the metadata the information system uses to enforce information flow control. The organization conducting the inspection/assessment obtains and examines the documented metadata to ensure the organization being inspected/assessed defines the metadata the information system uses to enforce information flow control. DoD has determined the metadata is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the metadata the information system uses to enforce information flow control. DoD has determined the metadata is not appropriate to define at the Enterprise level. Information Flow Enforcement | Metadata AC-4 (6) AC-4(6).2 Metadata is information used to describe the characteristics of data. Metadata can include structural metadata describing data structures (e.g., data format, syntax, and semantics) or descriptive metadata describing data contents (e.g., age, location, telephone number). Enforcing allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata with regard to data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., ensuring sufficiently strong binding techniques with appropriate levels of assurance). Related controls: AC-16, SI-7. The information system enforces information flow control based on [Assignment: organization-defined metadata].
CCI-002195 The organization defines the information flows against which the organization-defined security policy filters are to be enforced. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information flows as all information flows. DoD has defined the information flows as all information flows. Information Flow Enforcement | Security Policy Filters AC-4 (8) AC-4(8).3 Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives). The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
CCI-002196 The organization defines the information flows for which the information system will enforce the use of human reviews under organization-defined conditions. The organization conducting the inspection/assessment obtains and examines the documented information flows to ensure the organization being inspected/assessed defines the information flows for which the information system will enforce the use of human reviews under organization-defined conditions. DoD has determined the information flows are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information flows for which the information system will enforce the use of human reviews under organization-defined conditions. DoD has determined the information flows are not appropriate to define at the Enterprise level. Information Flow Enforcement | Human Reviews AC-4 (9) AC-4(9).1 Organizations define security policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of, or as a complement to, automated security policy filtering. Human reviews may also be employed as deemed necessary by organizations. The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
CCI-002197 The organization defines the conditions which will require the use of human reviews of organization-defined information flows. The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines the conditions which will require the use of human reviews of organization-defined information flows. DoD has determined the conditions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the conditions which will require the use of human reviews of organization-defined information flows. DoD has determined the conditions are not appropriate to define at the Enterprise level. Information Flow Enforcement | Human Reviews AC-4 (9) AC-4(9).2 Organizations define security policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of, or as a complement to, automated security policy filtering. Human reviews may also be employed as deemed necessary by organizations. The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
CCI-002198 The information system enforces the use of human reviews for organization-defined information flows under organization-defined conditions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce the use of human reviews for information flows defined in AC-4 (9), CCI 2196 under conditions defined in AC-4 (9), CCI 2197. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2198. The organization being inspected/assessed configures the information system to enforce the use of human reviews for information flows defined in AC-4 (9), CCI 2196 under conditions defined in AC-4 (9), CCI 2197. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2198. Information Flow Enforcement | Human Reviews AC-4 (9) AC-4(9).3 Organizations define security policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of, or as a complement to, automated security policy filtering. Human reviews may also be employed as deemed necessary by organizations. The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
CCI-002199 The organization defines the conditions under which the information system provides the capability for privileged administrators to enable/disable organization-defined security policy filters. The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines the conditions under which the information system provides the capability for privileged administrators to enable/disable organization-defined security policy filters. DoD has determined the conditions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the conditions under which the information system provides the capability for privileged administrators to enable/disable organization-defined security policy filters. DoD has determined the conditions are not appropriate to define at the Enterprise level. Information Flow Enforcement | Enable/Disable Security Policy Filters AC-4 (10) AC-4(10).3 For example, as allowed by the information system authorization, administrators can enable security policy filters to accommodate approved data types. The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions].
CCI-002200 The organization defines the data type identifiers to be used to validate data being transferred between different security domains. The organization conducting the inspection/assessment obtains and examines the documented data type identifiers to ensure the organization being inspected/assessed defines the data type identifiers to be used to validate data being transferred between different security domains. DoD has determined the data type identifiers are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the data type identifiers to be used to validate data being transferred between different security domains. DoD has determined the data type identifiers are not appropriate to define at the Enterprise level. Information Flow Enforcement | Data Type Identifiers AC-4 (12) AC-4(12).1 Data type identifiers include, for example, filenames, file types, file signatures/tokens, and multiple internal file signatures/tokens. Information systems may allow transfer of data only if compliant with data type format specifications. The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
CCI-002201 The information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to use data type identifiers defined in AC-4 (12), CCI 2200 to validate data essential for information flow decisions when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2201. The organization being inspected/assessed configures the information system to use data type identifiers defined in AC-4 (12), CCI 2200 to validate data essential for information flow decisions when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2201. Information Flow Enforcement | Data Type Identifiers AC-4 (12) AC-4(12).2 Data type identifiers include, for example, filenames, file types, file signatures/tokens, and multiple internal file signatures/tokens. Information systems may allow transfer of data only if compliant with data type format specifications. The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
CCI-002202 The organization defines the policy-relevant subcomponents into which information being transferred between different security domains is to be decomposed for submission to policy enforcement mechanisms. The organization conducting the inspection/assessment obtains and examines the documented policy-relevant subcomponents to ensure the organization being inspected/assessed defines the policy-relevant subcomponents into which information being transferred between different security domains is to be decomposed for submission to policy enforcement mechanisms. DoD has determined the policy-relevant subcomponents are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the policy-relevant subcomponents into which information being transferred between different security domains is to be decomposed for submission to policy enforcement mechanisms. DoD has determined the policy-relevant subcomponents are not appropriate to define at the Enterprise level. Information Flow Enforcement | Decomposition Into Policy-Relevant Subcomponents AC-4 (13) AC-4(13).2 Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains. Parsing transfer files facilitates policy decisions on source, destination, certificates, classification, attachments, and other security-related component differentiators. The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
CCI-002203 The organization defines the unsanctioned information the information system is to examine when transferring information between different security domains. The organization conducting the inspection/assessment obtains and examines the documented unsanctioned information to ensure the organization being inspected/assessed defines the unsanctioned information the information system is to examine when transferring information between different security domains. DoD has determined the unsanctioned information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the unsanctioned information the information system is to examine when transferring information between different security domains. DoD has determined the unsanctioned information is not appropriate to define at the Enterprise level. Information Flow Enforcement | Detection Of Unsanctioned Information AC-4 (15) AC-4(15).3 Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Related control: SI-3. The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy].
CCI-002204 The organization defines a security policy which prohibits the transfer of unsanctioned information between different security domains. The organization conducting the inspection/assessment obtains and examines the documented security policy to ensure the organization being inspected/assessed defines a security policy which prohibits the transfer of unsanctioned information between different security domains. DoD has determined the security policy is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents a security policy which prohibits the transfer of unsanctioned information between different security domains. DoD has determined the security policy is not appropriate to define at the Enterprise level. Information Flow Enforcement | Detection Of Unsanctioned Information AC-4 (15) AC-4(15).4 Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Related control: SI-3. The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy].
CCI-002205 The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to uniquely identify and authenticate source by organization, system, application, and/or individual for information transfer. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2205. The organization being inspected/assessed configures the information system to uniquely identify and authenticate source by organization, system, application, and/or individual for information transfer. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2205. Information Flow Enforcement | Domain Authentication AC-4 (17) AC-4(17).1 Attribution is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in information systems allows the forensic reconstruction of events when required, and encourages policy compliance by attributing policy violations to specific organizations/individuals. Successful domain authentication requires that information system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Related controls: IA-2, IA-3, IA-4, IA-5. The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer.
CCI-002206 The information system uniquely authenticates source by organization, system, application, and/or individual for information transfer.
CCI-002207 The information system uniquely identifies and authenticates destination by organization, system, application, and/or individual for information transfer. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to uniquely identify and authenticate destination by organization, system, application, and/or individual for information transfer. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2207. The organization being inspected/assessed configures the information system to uniquely identify and authenticate destination by organization, system, application, and/or individual for information transfer. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2207. Information Flow Enforcement | Domain Authentication AC-4 (17) AC-4(17).2 Attribution is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in information systems allows the forensic reconstruction of events when required, and encourages policy compliance by attributing policy violations to specific organizations/individuals. Successful domain authentication requires that information system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Related controls: IA-2, IA-3, IA-4, IA-5. The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer.
CCI-002208 The information system uniquely authenticates destination by organization, system, application, and/or individual for information transfer.
CCI-002209 The organization defines the techniques to be used to bind security attributes to information. The organization conducting the inspection/assessment obtains and examines the documented techniques to ensure the organization being inspected/assessed defines the techniques to be used to bind security attributes to information. DoD has determined the techniques are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the techniques to be used to bind security attributes to information. DoD has determined the techniques are not appropriate to define at the Enterprise level. Information Flow Enforcement | Security Attribute Binding AC-4 (18) AC-4(18).1 Binding techniques implemented by information systems affect the strength of security attribute binding to information. Binding strength and the assurance associated with binding techniques play an important part in the trust organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. Related controls: AC-16, SC-16. The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement.
CCI-002210 The information system binds security attributes to information using organization-defined binding techniques to facilitate information flow policy enforcement. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to bind security attributes to information using binding techniques defined in AC-4 (18), CCI 2209 to facilitate information flow policy enforcement. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2210. The organization being inspected/assessed configures the information system to bind security attributes to information using binding techniques defined in AC-4 (18), CCI 2209 to facilitate information flow policy enforcement. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2210. Information Flow Enforcement | Security Attribute Binding AC-4 (18) AC-4(18).2 Binding techniques implemented by information systems affect the strength of security attribute binding to information. Binding strength and the assurance associated with binding techniques play an important part in the trust organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. Related controls: AC-16, SC-16. The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement.
CCI-002211 The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to apply the same security policy filtering to metadata as it applies to data payloads when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2211. The organization being inspected/assessed configures the information system to apply the same security policy filtering to metadata as it applies to data payloads when transferring information between different security domains. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2211. Information Flow Enforcement | Validation Of Metadata AC-4 (19) AC-4(19).1 This control enhancement requires the validation of metadata and the data to which the metadata applies. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions, considering metadata and the data to which the metadata applies as part of the payload. All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.
CCI-002212 The organization defines the solutions in approved configurations to be employed to control the flow of organization-defined information across security domains. The organization conducting the inspection/assessment obtains and examines the documented solutions to ensure the organization being inspected/assessed defines the solutions in approved configurations to be employed to control the flow of information defined in AC-4 (20), CCI 2213 across security domains. DoD has determined the solutions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the solutions in approved configurations to be employed to control the flow of information defined in AC-4 (20), CCI 2213 across security domains. DoD has determined the solutions are not appropriate to define at the Enterprise level. Information Flow Enforcement | Approved Solutions AC-4 (20) AC-4(20).1 Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The Unified Cross Domain Management Office (UCDMO) provides a baseline listing of approved cross-domain solutions. The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.
CCI-002213 The organization defines the information to be subjected to flow control across security domains. The organization conducting the inspection/assessment obtains and examines the documented information to ensure the organization being inspected/assessed defines the information to be subjected to flow control across security domains. DoD has determined the information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information to be subjected to flow control across security domains. DoD has determined the information is not appropriate to define at the Enterprise level. Information Flow Enforcement | Approved Solutions AC-4 (20) AC-4(20).2 Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The Unified Cross Domain Management Office (UCDMO) provides a baseline listing of approved cross-domain solutions. The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.
CCI-002214 The organization employs organization-defined solutions in approved configurations to control the flow of organization-defined information across security domains. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs solutions defined in AC-4 (20), CCI 2212 in approved configurations to control the flow of information defined in AC-4 (20), CCI 2213 across security domains. The organization being inspected/assessed documents and implements solutions defined in AC-4 (20), CCI 2212 in approved configurations to control the flow of information defined in AC-4 (20), CCI 2213 across security domains. Information Flow Enforcement | Approved Solutions AC-4 (20) AC-4(20).3 Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The Unified Cross Domain Management Office (UCDMO) provides a baseline listing of approved cross-domain solutions. The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.
CCI-002215 The organization defines the mechanisms and/or techniques to be used to logically or physically separate information flows. The organization conducting the inspection/assessment obtains and examines the documented mechanisms to ensure the organization being inspected/assessed defines the mechanisms and/or techniques to be used to logically or physically separate information flows. DoD has determined the mechanisms are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the mechanisms and/or techniques to be used to logically or physically separate information flows. DoD has determined the mechanisms are not appropriate to define at the Enterprise level. Information Flow Enforcement | Physical/Logical Separation Of Information Flows AC-4 (21) AC-4(21).1 Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
CCI-002216 The organization defines the types of information required to accomplish logical or physical separation of information flows. The organization conducting the inspection/assessment obtains and examines the documented types of information to ensure the organization being inspected/assessed defines the types of information required to accomplish logical or physical separation of information flows. DoD has determined the types of information are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the types of information required to accomplish logical or physical separation of information flows. DoD has determined the types of information are not appropriate to define at the Enterprise level. Information Flow Enforcement | Physical/Logical Separation Of Information Flows AC-4 (21) AC-4(21).2 Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
CCI-002217 The information system separates information flows logically or physically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations by types of information. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to separate information flows logically or physically using mechanisms and/or techniques defined in AC-4 (21), CCI 2215 to accomplish required separations by types of information defined in AC-4 (21), CCI 2216. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2217. The organization being inspected/assessed configures the information system to separate information flows logically or physically using mechanisms and/or techniques defined in AC-4 (21), CCI 2215 to accomplish required separations by types of information defined in AC-4 (21), CCI 2216. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2217. Information Flow Enforcement | Physical/Logical Separation Of Information Flows AC-4 (21) AC-4(21).3 Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
CCI-002218 The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2218. The organization being inspected/assessed configures the information system to provide access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2218. Information Flow Enforcement | Access Only AC-4 (22) AC-4(22).1 The information system, for example, provides a desktop for users to access each connected security domain without providing any mechanisms to allow transfer of information between the different security domains. The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.
CCI-002219 The organization defines the duties of individuals that are to be separated. The organization conducting the inspection/assessment obtains and examines the documented duties to ensure the organization being inspected/assessed defines the duties of individuals that are to be separated. DoD has determined the duties are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the duties of individuals that are to be separated. DoD has determined the duties are not appropriate to define at the Enterprise level. Separation Of Duties AC-5 AC-5.2 Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties.
CCI-002220 The organization defines information system access authorizations to support separation of duties. The organization conducting the inspection/assessment obtains and examines the documented information system access authorizations to ensure the organization being inspected/assessed defines information system access authorizations to support separation of duties. The organization being inspected/assessed defines and documents the information system access authorizations to support separation of duties. Separation Of Duties AC-5 AC-5.4 Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties.
CCI-002221 The organization defines the security-relevant information for which access must be explicitly authorized. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security-relevant information as all security-relevant information not publicly available. DoD has defined the security-relevant information as all security-relevant information not publicly available. Least Privilege | Authorize Access To Security Functions AC-6 (1) AC-6(1).2 Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19. The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
CCI-002222 The organization explicitly authorizes access to organization-defined security functions. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed explicitly authorizes access to all functions not publicly accessible. DoD has defined the security functions as all functions not publicly accessible. The organization being inspected/assessed documents and implements a process to explicitly authorize access to all functions not publicly accessible. Explicit authorization can be in the form of an acceptable use policy signed by the user at the time of access being granted. DoD has defined the security functions as all functions not publicly accessible. Least Privilege | Authorize Access To Security Functions AC-6 (1) AC-6(1).3 Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19. The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
CCI-002223 The organization explicitly authorizes access to organization-defined security-relevant information. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed explicitly authorizes access to all security-relevant information not publicly available. DoD has defined the security-relevant information as all security-relevant information not publicly available. The organization being inspected/assessed documents and implements a process to explicitly authorize access to all security-relevant information not publicly available. Explicit authorization can be in the form of an acceptable use policy signed by the user at the time of access being granted. DoD has defined the security-relevant information as all security-relevant information not publicly available. Least Privilege | Authorize Access To Security Functions AC-6 (1) AC-6(1).4 Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19. The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
CCI-002224 The organization defines the compelling operational needs that must be met in order to be authorized network access to organization-defined privileged commands. The organization conducting the inspection/assessment obtains and examines the documented compelling operational needs to ensure the organization being inspected/assessed defines the compelling operational needs that must be met in order to be authorized network access to organization-defined privileged commands. DoD has determined the compelling operational needs are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the compelling operational needs that must be met in order to be authorized network access to organization-defined privileged commands. DoD has determined the compelling operational needs are not appropriate to define at the Enterprise level. Least Privilege | Network Access To Privileged Commands AC-6 (3) AC-6(3).4 Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17. The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
CCI-002225 The information system provides separate processing domains to enable finer-grained allocation of user privileges. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide separate processing domains to enable finer-grained allocation of user privileges. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2225. The organization being inspected/assessed configures the information system to provide separate processing domains to enable finer-grained allocation of user privileges. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2225. Least Privilege | Separate Processing Domains AC-6 (4) AC-6(4).1 Providing separate processing domains for finer-grained allocation of user privileges includes, for example: (i) using virtualization techniques to allow additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine; (ii) employing hardware and/or software domain separation mechanisms; and (iii) implementing separate physical domains. Related controls: AC-4, SC-3, SC-30, SC-32. The information system provides separate processing domains to enable finer-grained allocation of user privileges.
CCI-002226 The organization defines the personnel or roles to whom privileged accounts are to be restricted on the information system. The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to whom privileged accounts are to be restricted on the information system. DoD has determined the personnel and roles are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the personnel or roles to whom privileged accounts are to be restricted on the information system. DoD has determined the personnel and roles are not appropriate to define at the Enterprise level. Least Privilege | Privileged Accounts AC-6 (5) AC-6(5).1 Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. Related control: CM-6. The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
CCI-002227 The organization restricts privileged accounts on the information system to organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines a sampling of information system access authorizations to ensure the organization being inspected/assessed implements a process to only provide privileged accounts on the information system to personnel or roles defined in AC-6 (5), CCI 2226. The organization being inspected/assessed implements a process to only provide privileged accounts on the information system to personnel or roles defined in AC-6 (5), CCI 2226. Least Privilege | Privileged Accounts AC-6 (5) AC-6(5).2 Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. Related control: CM-6. The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
CCI-002228 The organization defines the frequency on which it conducts reviews of the privileges assigned to organization-defined roles or classes of users. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at a minimum, annually. DoD has defined the frequency as at a minimum, annually. Least Privilege | Review Of User Privileges AC-6 (7) AC-6(7).1 The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7. The organization: (a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
CCI-002229 The organization defines the roles or classes of users that are to have their privileges reviewed on an organization-defined frequency. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles or classes of users as all users. DoD has defined the roles or classes of users as all users. Least Privilege | Review Of User Privileges AC-6 (7) AC-6(7).2 The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7. The organization: (a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
CCI-002230 The organization reviews the privileges assigned to organization-defined roles or classes of users on an organization-defined frequency to validate the need for such privileges. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reviews to ensure the organization being inspected/assessed reviews the privileges assigned to all users at a minimum, annually, to validate the need for such privileges. DoD has defined the roles or classes of users as all users. DoD has defined the frequency as at a minimum, annually. The organization being inspected/assessed documents and implements a process to review the privileges assigned to all users at a minimum, annually, to validate the need for such privileges. The organization must maintain an audit trail of reviews. DoD has defined the roles or classes of users as all users. DoD has defined the frequency as at a minimum, annually. Least Privilege | Review Of User Privileges AC-6 (7) AC-6(7).3 The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7. The organization: (a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
CCI-002231 The organization reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs full-device encryption or container encryption to protect the integrity of information on mobile devices defined in AC-19 (5), CCI 2329. The organization being inspected/assessed documents and implements a process for full-device encryption or container encryption to protect the integrity of information on mobile devices defined in AC-19 (5), CCI 2329. Access Control For Mobile Devices | Full Device/ Container-Based Encryption AC-19 (5) AC-19(5).1 Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28. The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
CCI-002232 The organization defines software that is restricted from executing at a higher privilege than users executing the software. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the software as any software except software explicitly documented. DoD has defined the software as any software except software explicitly documented. Least Privilege | Privilege Levels For Code Execution AC-6 (8) AC-6(8).1 In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations. The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.
CCI-002233 The information system prevents organization-defined software from executing at higher privilege levels than users executing the software. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent any software except software explicitly documented from executing at higher privilege levels than users executing the software. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2233. DoD has defined the software as any software except software explicitly documented. The organization being inspected/assessed configures the information system to prevent any software except software explicitly documented from executing at higher privilege levels than users executing the software. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2233. DoD has defined the software as any software except software explicitly documented. Least Privilege | Privilege Levels For Code Execution AC-6 (8) AC-6(8).2 In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations. The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.
CCI-002234 The information system audits the execution of privileged functions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to audit the execution of privileged functions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2234. The organization being inspected/assessed configures the information system to audit the execution of privileged functions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2234. Least Privilege | Auditing Use Of Privileged Functions AC-6 (9) AC-6(9).1 Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). Related control: AU-2. The information system audits the execution of privileged functions.
CCI-002235 The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2235. The organization being inspected/assessed configures the information system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2235. Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions AC-6 (10) AC-6(10).1 Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
CCI-002236 The organization defines the time period the information system will automatically lock the account or node when the maximum number of unsuccessful logon attempts is exceeded. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as until released by an administrator. DoD has defined the time period as until released by an administrator. Unsuccessful Login Attempts AC-7 AC-7.4 This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. The information system: a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
CCI-002237 The organization defines the delay algorithm to be employed by the information system to delay the next logon prompt when the maximum number of unsuccessful logon attempts is exceeded. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the delay algorithm as a minimum of 5 seconds. DoD has defined the delay algorithm as a minimum of 5 seconds. Unsuccessful Login Attempts AC-7 AC-7.5 This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. The information system: a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
CCI-002238 The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to automatically lock the account or node until the locked account is released by an administrator and delays the next login prompt for a minimum of 5 seconds when the maximum number of unsuccessful attempts is exceeded. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2238. DoD has defined the delay algorithm as a minimum of 5 seconds. DoD has defined the time period as until released by an administrator. The organization being inspected/assessed configures the information system to automatically lock the account or node until the locked account is released by an administrator and delays the next login prompt for a minimum of 5 seconds when the maximum number of unsuccessful attempts is exceeded. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2238. DoD has defined the delay algorithm as a minimum of 5 seconds. DoD has defined the time period as until released by an administrator. Unsuccessful Login Attempts AC-7 AC-7.6 This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5. The information system: a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
CCI-002239 The organization defines the mobile devices that are to be purged/wiped by the information system after an organization-defined number of consecutive, unsuccessful device logon attempts. The organization conducting the inspection/assessment obtains and examines the documented mobile devices to ensure the organization being inspected/assessed defines the mobile devices that are to be purged/wiped by the information system after an organization-defined number of consecutive, unsuccessful device logon attempts. DoD has determined the mobile devices are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the mobile devices that are to be purged/wiped by the information system after an organization-defined number of consecutive, unsuccessful device logon attempts. Mobile devices may be defined in terms of manufacturer and model name. DoD has determined the mobile devices are not appropriate to define at the Enterprise level. Unsuccessful Login Attempts | Purge/ Wipe Mobile Devices AC-7 (2) AC-7(2).1 This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms. Related controls: AC-19, MP-5, MP-6, SC-13. The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
CCI-002240 The organization defines the purging/wiping requirements/techniques to be used by the information system on organization-defined mobile devices after an organization-defined number of consecutive, unsuccessful device logon attempts. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the purging/wiping requirements/techniques as requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization." DoD has defined the purging/wiping requirements/techniques as requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization." Unsuccessful Login Attempts | Purge/ Wipe Mobile Devices AC-7 (2) AC-7(2).2 This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms. Related controls: AC-19, MP-5, MP-6, SC-13. The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
CCI-002241 The organization defines the number of consecutive, unsuccessful device logon attempts after which the information system will purge/wipe organization-defined mobile devices. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the number as 10. DoD has defined the number as 10. Unsuccessful Login Attempts | Purge/ Wipe Mobile Devices AC-7 (2) AC-7(2).3 This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms. Related controls: AC-19, MP-5, MP-6, SC-13. The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
CCI-002242 The information system purges/wipes information from organization-defined mobile devices based on organization-defined purging/wiping requirements/techniques after an organization-defined number of consecutive, unsuccessful device logon attempts. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to purge/wipe information from mobile devices defined in AC-7 (2), CCI 2239 based on requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization" after 10 consecutive, unsuccessful device logon attempts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2242. DoD has defined the number as 10. DoD has defined the purging/wiping requirements/techniques as requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization." The organization being inspected/assessed configures the information system to purge/wipe information from mobile devices defined in AC-7 (2), CCI 2239 based on requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization" after 10 consecutive, unsuccessful device logon attempts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2242. DoD has defined the number as 10. DoD has defined the purging/wiping requirements/techniques as requirements and techniques identified in NIST SP 800-88, "Guidelines for Media Sanitization." Unsuccessful Login Attempts | Purge/ Wipe Mobile Devices AC-7 (2) AC-7(2).4 This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms. Related controls: AC-19, MP-5, MP-6, SC-13. The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
CCI-002243 The organization-defined information system use notification message or banner is to state that users are accessing a U.S. Government information system. DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements for the information system use notification message or banner. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements for the information system use notification message or banner. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. System Use Notification AC-8 AC-8.3 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-002244 The organization-defined information system use notification message or banner is to state that information system usage may be monitored, recorded, and subject to audit. DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements for the information system use notification message or banner. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements for the information system use notification message or banner. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. System Use Notification AC-8 AC-8.4 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-002245 The organization-defined information system use notification message or banner is to state that unauthorized use of the information system is prohibited and subject to criminal and civil penalties. DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements for the information system use notification message or banner. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements for the information system use notification message or banner. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. System Use Notification AC-8 AC-8.5 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-002246 The organization-defined information system use notification message or banner is to state that use of the information system indicates consent to monitoring and recording. DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements for the information system use notification message or banner. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013 meets the DoD requirements for the information system use notification message or banner. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DTM 08-060. System Use Notification AC-8 AC-8.6 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-002247 The organization defines the use notification message or banner the information system displays to users before granting access to the system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the use notification message or banner as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. DoD has defined the use notification message or banner as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. System Use Notification AC-8 AC-8.2 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-002248 The organization defines the conditions of use which are to be displayed to users of the information system before granting further access. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the conditions as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. DoD has defined the conditions as the content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013. System Use Notification AC-8 AC-8.9 System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
CCI-002249 The organization defines the information, in addition to the date and time of the last logon (access), to be included in the notification to the user upon successful logon (access). The organization conducting the inspection/assessment obtains and examines the documented information to ensure the organization being inspected/assessed defines the information, in addition to the date and time of the last logon (access), to be included in the notification to the user upon successful logon (access). DoD has determined the information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information, in addition to the date and time of the last logon (access), to be included in the notification to the user upon successful logon (access). DoD has determined the information is not appropriate to define at the Enterprise level. Previous Logon Notification | Additional Logon Information AC-9 (4) AC-9(4).1 This control enhancement permits organizations to specify additional information to be provided to users upon logon including, for example, the location of last logon. User location is defined as that information which can be determined by information systems, for example, IP addresses from which network logons occurred, device identifiers, or notifications of local logons. The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)].
CCI-002250 The information system notifies the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access). The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to notify the user, upon successful logon (access), of the information defined in AC-9 (4), CCI 2249 to be included in addition to the date and time of the last logon (access). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2250. The organization being inspected/assessed configures the information system to notify the user, upon successful logon (access), of the information defined in AC-9 (4), CCI 2249 to be included in addition to the date and time of the last logon (access). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2250. Previous Logon Notification | Additional Logon Information AC-9 (4) AC-9(4).2 This control enhancement permits organizations to specify additional information to be provided to users upon logon including, for example, the location of last logon. User location is defined as that information which can be determined by information systems, for example, IP addresses from which network logons occurred, device identifiers, or notifications of local logons. The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)].
CCI-002251 The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).
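The AC-9 and AC-9(4) rows above state what the post-logon notification must contain but not how a system produces it. The Python below is an added illustration, not text or code from the CCI list, NIST SP 800-53 or any DoD source: it composes the message from a constructed logon history, reporting the date and time of the last successful logon (AC-9) and, as the organization-defined additional information (AC-9(4)), the IP address or local-console origin of that logon. The record layout, the sample entries and the message wording are assumptions made for this example.

```python
"""Previous-logon notification (AC-9 with AC-9(4)): added illustration, not DoD/NIST code.

Assumptions for the example: logon records carry user, timezone-aware time,
success flag and a source that is either an IP address (network logon) or the
string "console" (local logon).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class LogonRecord:
    user: str
    when: datetime      # timezone-aware timestamp of the attempt
    success: bool       # False for a failed attempt
    source: str         # IP address for network logons, "console" for local logons


def _utc(year, month, day, hour, minute):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample logon history (not real data).
SAMPLE_HISTORY = [
    LogonRecord("alice", _utc(2024, 3, 1, 8, 2), True, "10.1.2.3"),
    LogonRecord("alice", _utc(2024, 3, 2, 7, 55), False, "203.0.113.9"),  # failed attempt
    LogonRecord("alice", _utc(2024, 3, 2, 8, 0), True, "console"),
    LogonRecord("bob", _utc(2024, 3, 2, 9, 0), True, "10.1.2.4"),
]


def last_successful_logon(history: Iterable[LogonRecord], user: str,
                          before: datetime) -> Optional[LogonRecord]:
    """Most recent successful logon by `user` strictly before `before`, or None.

    Failed attempts are skipped: AC-9 reports the last logon (a successful
    access), not the last attempt. The strict comparison also excludes the
    logon that is happening right now.
    """
    candidates = [r for r in history if r.user == user and r.success and r.when < before]
    return max(candidates, key=lambda r: r.when) if candidates else None


def logon_notification(history: Iterable[LogonRecord], user: str, now_iso: str) -> str:
    """Message shown to `user` after a successful logon at ISO-8601 time `now_iso`.

    Content: date/time of the previous successful logon (AC-9) plus the
    organization-defined addition (AC-9(4)), here the origin of that logon.
    """
    now = datetime.fromisoformat(now_iso)   # expected to carry a UTC offset
    prev = last_successful_logon(history, user, now)
    if prev is None:
        # First recorded logon: say so explicitly rather than show an empty field.
        return "No previous successful logon is recorded for this account."
    stamp = prev.when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    origin = "the local console" if prev.source == "console" else f"IP address {prev.source}"
    return f"Last successful logon: {stamp} from {origin}."


if __name__ == "__main__":
    print(logon_notification(SAMPLE_HISTORY, "alice", "2024-03-03T08:00:00+00:00"))
```

The check a practitioner wants here is the one the guidance implies but does not spell out: the message must reflect the last successful access, so failed attempts and the current logon itself are excluded, and an account with no prior record gets an explicit statement rather than a blank. Whatever identifier the organization chooses as its "location" (IP address, device identifier, local-logon marker) fits in the `source` field without changing the rest of the logic.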
CCI-002252 The organization defines the accounts and/or account types for which the information system will limit the number of concurrent sessions. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the account types and/or accounts as all account types and/or accounts. DoD has defined the account types and/or accounts as all account types and/or accounts. Concurrent Session Control AC-10 AC-10.3 Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
CCI-002253 The organization defines the account types for which the information system will limit the number of concurrent sessions.
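The AC-10 rows above say that limits may be set globally, by account type, by account, or in combination, and that the control is scoped to accounts rather than to individuals. The Python below is an added illustration, not code from the page or from any DoD or NIST source: a session limiter that resolves the maximum for an account as a per-account override, then the account type's limit, then a global default, and refuses a new session once the account is at its limit. The account names, types and limit values are constructed sample data, and the resolution order is an assumption made for the example.

```python
"""Concurrent session control (AC-10): added illustration, not DoD/NIST code.

Limit resolution order (assumed for the example): a per-account limit, then
the limit for the account's type, then a global default. Accounts with no
recorded type fall through to the global default.
"""
from collections import defaultdict

# Constructed sample data: which type each account belongs to.
ACCOUNT_TYPES = {
    "admin01": "privileged",
    "svc-backup": "service",
    "jdoe": "non-privileged",
}
GLOBAL_LIMIT = 3                          # applies when no other rule matches
TYPE_LIMITS = {"privileged": 1, "service": 2}
ACCOUNT_LIMITS = {"svc-backup": 4}        # per-account override beats the type limit


class SessionLimiter:
    """Tracks active sessions per account and refuses sessions over the limit."""

    def __init__(self, global_limit, type_limits, account_limits, account_types):
        self.global_limit = global_limit
        self.type_limits = dict(type_limits)
        self.account_limits = dict(account_limits)
        self.account_types = dict(account_types)
        self._active = defaultdict(set)   # account -> set of active session ids

    def limit_for(self, account):
        """Resolve the limit: account override, then account type, then global."""
        if account in self.account_limits:
            return self.account_limits[account]
        acct_type = self.account_types.get(account)
        return self.type_limits.get(acct_type, self.global_limit)

    def open_session(self, account, session_id):
        """Register the session and return True if the account is under its limit."""
        active = self._active[account]
        if session_id in active:
            return True                  # re-registering an existing session is a no-op
        if len(active) >= self.limit_for(account):
            return False                 # at the limit: refuse the new session
        active.add(session_id)
        return True

    def close_session(self, account, session_id):
        """Release a slot; closing an unknown session is harmless."""
        self._active[account].discard(session_id)

    def active_count(self, account):
        return len(self._active[account])


def build_limiter():
    """Limiter configured with the constructed sample rules above."""
    return SessionLimiter(GLOBAL_LIMIT, TYPE_LIMITS, ACCOUNT_LIMITS, ACCOUNT_TYPES)


if __name__ == "__main__":
    lim = build_limiter()
    print(lim.open_session("admin01", "s1"), lim.open_session("admin01", "s2"))  # True False
```

The limiter keys everything by account, which matches the scope statement in the guidance: one person holding two system accounts gets two independent limits, and nothing here tries to correlate them. The state is in-process memory; a deployment with several front ends would keep the per-account session set in shared storage so that the count is enforced across all of them rather than per node.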
CCI-002255 The organization defines the user actions that can be performed on the information system without identification and authentication.
CCI-002256 The organization defines security attributes having organization-defined types of security attribute values which are associated with information in storage. The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines security attributes having organization-defined types of security attribute values which are associated with information in storage. DoD has determined the security attributes are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attributes having organization-defined types of security attribute values which are associated with information in storage. DoD has determined the security attributes are not appropriate to define at the Enterprise level. Security Attributes AC-16 AC-16.1 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. 
The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling).
Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002257 The organization defines security attributes having organization-defined types of security attribute values which are associated with information in process. The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines security attributes having organization-defined types of security attribute values which are associated with information in process. DoD has determined the security attributes are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attributes having organization-defined types of security attribute values which are associated with information in process. DoD has determined the security attributes are not appropriate to define at the Enterprise level. Security Attributes AC-16 AC-16.2 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports.
The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling).
Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002258 The organization defines security attributes, having organization-defined types of security attribute values, which are associated with information in transmission. The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines security attributes having organization-defined types of security attribute values which are associated with information in transmission. DoD has determined the security attributes are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attributes having organization-defined types of security attribute values which are associated with information in transmission. DoD has determined the security attributes are not appropriate to define at the Enterprise level. Security Attributes AC-16 AC-16.3 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. 
The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling).
Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002259 The organization defines security attribute values associated with organization-defined types of security attributes for information in storage. The organization conducting the inspection/assessment obtains and examines the documented security attribute values to ensure the organization being inspected/assessed defines security attribute values associated with organization-defined types of security attributes for information in storage. DoD has determined the security attribute values are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attribute values associated with organization-defined types of security attributes for information in storage. DoD has determined the security attribute values are not appropriate to define at the Enterprise level. Security Attributes AC-16 AC-16.4 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports.
The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling).
Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002260 The organization defines security attribute values associated with organization-defined types of security attributes for information in process. The organization conducting the inspection/assessment obtains and examines the documented security attribute values to ensure the organization being inspected/assessed defines security attribute values associated with organization-defined types of security attributes for information in process. DoD has determined the security attribute values are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attribute values associated with organization-defined types of security attributes for information in process. DoD has determined the security attribute values are not appropriate to define at the Enterprise level. Security Attributes AC-16 AC-16.5 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports.
The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling).
Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002261 The organization defines security attribute values associated with organization-defined types of security attributes for information in transmission. The organization conducting the inspection/assessment obtains and examines the documented security attribute values to ensure the organization being inspected/assessed defines security attribute values associated with organization-defined types of security attributes for information in transmission. DoD has determined the security attribute values are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attribute values associated with organization-defined types of security attributes for information in transmission. DoD has determined the security attribute values are not appropriate to define at the Enterprise level. Security Attributes AC-16 AC-16.6 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports.
The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling).
Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002262 The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the means to associate types of security attributes defined in AC-16, CCI 2256 having security attribute values defined in AC-16, CCI 2259 with information in storage. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2262. The organization being inspected/assessed configures the information system to provide the means to associate types of security attributes defined in AC-16, CCI 2256 having security attribute values defined in AC-16, CCI 2259 with information in storage. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2262. Security Attributes AC-16 AC-16.7 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. 
Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. 
Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002263 The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the means to associate types of security attributes defined in AC-16, CCI 2257 having security attribute values defined in AC-16, CCI 2260 with information in process. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2263. The organization being inspected/assessed configures the information system to provide the means to associate types of security attributes defined in AC-16, CCI 2257 having security attribute values defined in AC-16, CCI 2260 with information in process. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2263. Security Attributes AC-16 AC-16.8 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. 
Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. 
Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002264 The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the means to associate types of security attributes defined in AC-16, CCI 2258 having security attribute values defined in AC-16, CCI 2261 with information in transmission. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2264. The organization being inspected/assessed configures the information system to provide the means to associate types of security attributes defined in AC-16, CCI 2258 having security attribute values defined in AC-16, CCI 2261 with information in transmission. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2264. Security Attributes AC-16 AC-16.9 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. 
Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. 
Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002265 The organization ensures that the security attribute associations are made with the information. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that the security attribute associations are made with the information. The organization being inspected/assessed documents and implements a process to ensure that the security attribute associations are made with the information. Security Attributes AC-16 AC-16.10 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. 
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. 
Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002266 The organization ensures that the security attribute associations are retained with the information. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that the security attribute associations are retained with the information. The organization being inspected/assessed documents and implements a process to ensure that the security attribute associations are retained with the information. Security Attributes AC-16 AC-16.11 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. 
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. 
Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002267 The organization defines the security attributes that are permitted for organization-defined information systems. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security attributes as the security attributes defined in AC-16, CCIs 2256-2258. DoD has defined the security attributes as the security attributes defined in AC-16, CCIs 2256-2258. Security Attributes AC-16 AC-16.12 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. 
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. 
Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002268 The organization defines the information systems for which permitted organization-defined attributes are to be established. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information systems as all information systems. DoD has defined the information systems as all information systems. Security Attributes AC-16 AC-16.13 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002269 The organization establishes the permitted organization-defined security attributes for organization-defined information systems. The organization conducting the inspection/assessment obtains and examines the documented list of permitted security attributes to ensure the organization being inspected/assessed has established the list of permitted security attributes for all information systems as a subset of the security attributes defined in AC-16, CCI 2267. DoD has defined the information systems as all information systems. The organization being inspected/assessed establishes and documents the permitted security attributes for all information systems as a subset of the security attributes defined in AC-16, CCI 2267. DoD has defined the information systems as all information systems. Security Attributes AC-16 AC-16.14 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002270 The organization defines the values or ranges permitted for each of the established security attributes. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the values or ranges as the values defined in AC-16, CCIs 2259-2261. DoD has defined the values or ranges as the values defined in AC-16, CCIs 2259-2261. Security Attributes AC-16 AC-16.15 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002271 The organization determines the permitted organization-defined values or ranges for each of the established security attributes. The organization conducting the inspection/assessment obtains and examines the documented permitted values or ranges to ensure the organization being inspected/assessed has established the permitted values or ranges for each of the established security attributes as a subset of the values or ranges defined in AC-16, CCI 2270. The organization being inspected/assessed establishes and documents the permitted values or ranges for each of the established security attributes as a subset of the values or ranges defined in AC-16, CCI 2270. Security Attributes AC-16 AC-16.16 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret. Related controls: AC-3, AC-4, AC-6, AC-21, AU-2, AU-10, SC-16, MP-3. The organization: a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the information; c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
CCI-002272 The information system dynamically associates security attributes with organization-defined objects in accordance with organization-defined security policies as information is created and combined. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically associate security attributes with the objects defined in AC-16 (1), CCI 2275 in accordance with the security policies defined in AC-16 (1), CCI 2273 as information is created and combined. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2272. The organization being inspected/assessed configures the information system to dynamically associate security attributes with the objects defined in AC-16 (1), CCI 2275 in accordance with the security policies defined in AC-16 (1), CCI 2273 as information is created and combined. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2272. Security Attributes | Dynamic Attribute Association AC-16 (1) AC-16(1).2 Dynamic association of security attributes is appropriate whenever the security characteristics of information change over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined.
CCI-002273 The organization defines the security policies the information system is to adhere to when dynamically associating security attributes with organization-defined subjects and objects. The organization conducting the inspection/assessment obtains and examines the documented security policies to ensure the organization being inspected/assessed defines the security policies the information system is to adhere to when dynamically associating security attributes with organization-defined subjects and objects. DoD has determined the security policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security policies the information system is to adhere to when dynamically associating security attributes with organization-defined subjects and objects. DoD has determined the security policies are not appropriate to define at the Enterprise level. Security Attributes | Dynamic Attribute Association AC-16 (1) AC-16(1).3 Dynamic association of security attributes is appropriate whenever the security characteristics of information change over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined.
CCI-002274 The organization defines the subjects with which the information system is to dynamically associate security attributes as information is created and combined. The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure the organization being inspected/assessed defines the subjects the information system is to dynamically associate security attributes to as information is created and combined. DoD has determined the subjects are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the subjects the information system is to dynamically associate security attributes to as information is created and combined. DoD has determined the subjects are not appropriate to define at the Enterprise level. Security Attributes | Dynamic Attribute Association AC-16 (1) AC-16(1).4 Dynamic association of security attributes is appropriate whenever the security characteristics of information change over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined.
CCI-002275 The organization defines the objects with which the information system is to dynamically associate security attributes as information is created and combined. The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the objects the information system is to dynamically associate security attributes to as information is created and combined. DoD has determined the objects are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the objects the information system is to dynamically associate security attributes to as information is created and combined. DoD has determined the objects are not appropriate to define at the Enterprise level. Security Attributes | Dynamic Attribute Association AC-16 (1) AC-16(1).5 Dynamic association of security attributes is appropriate whenever the security characteristics of information change over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Related control: AC-4. The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined.
CCI-002276 The organization identifies the individuals authorized to define the value of associated security attributes. The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies the individuals authorized to define the value of associated security attributes. The organization being inspected/assessed identifies and documents the individuals authorized to define the value of associated security attributes. Security Attributes | Attribute Value Changes By Authorized Individuals AC-16 (2) AC-16(2).3 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals. Related controls: AC-6, AU-2. The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
CCI-002277 The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2277. The organization being inspected/assessed configures the information system to provide authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2277. Security Attributes | Attribute Value Changes By Authorized Individuals AC-16 (2) AC-16(2).4 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals. Related controls: AC-6, AU-2. The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
CCI-002278 The organization defines security attributes for which the association and integrity to organization-defined subjects and objects is maintained by the information system. The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes for which the association and integrity to organization-defined subjects and objects is maintained by the information system. DoD has determined the security attributes are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attributes for which the association and integrity to organization-defined subjects and objects is maintained by the information system. DoD has determined the security attributes are not appropriate to define at the Enterprise level. Security Attributes | Maintenance Of Attribute Associations By Information System AC-16 (3) AC-16(3).1 Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].
CCI-002279 The organization defines subjects for which the association and integrity of organization-defined security attributes is maintained by the information system. The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure the organization being inspected/assessed defines the subjects for which the association and integrity of organization-defined security attributes is maintained by the information system. DoD has determined the subjects are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the subjects for which the association and integrity of organization-defined security attributes is maintained by the information system. DoD has determined the subjects are not appropriate to define at the Enterprise level. Security Attributes | Maintenance Of Attribute Associations By Information System AC-16 (3) AC-16(3).2 Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].
CCI-002280 The organization defines objects for which the association and integrity of organization-defined security attributes is maintained by the information system. The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the objects for which the association and integrity of organization-defined security attributes is maintained by the information system. DoD has determined the objects are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the objects for which the association and integrity of organization-defined security attributes is maintained by the information system. DoD has determined the objects are not appropriate to define at the Enterprise level. Security Attributes | Maintenance Of Attribute Associations By Information System AC-16 (3) AC-16(3).3 Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].
CCI-002281 The information system maintains the association of organization-defined security attributes to organization-defined subjects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain the association of the security attributes defined in AC-16 (3), CCI 2278 to subjects defined in AC-16 (3), CCI 2280. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2281. The organization being inspected/assessed configures the information system to maintain the association of the security attributes defined in AC-16 (3), CCI 2278 to subjects defined in AC-16 (3), CCI 2279. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2281. Security Attributes | Maintenance Of Attribute Associations By Information System AC-16 (3) AC-16(3).4 Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].
CCI-002282 The information system maintains the association of organization-defined security attributes to organization-defined objects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain the association of the security attributes defined in AC-16 (3), CCI 2278 to objects defined in AC-16 (3), CCI 2280. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2282. The organization being inspected/assessed configures the information system to maintain the association of the security attributes defined in AC-16 (3), CCI 2278 to objects defined in AC-16 (3), CCI 2280. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2282. Security Attributes | Maintenance Of Attribute Associations By Information System AC-16 (3) AC-16(3).5 Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].
CCI-002283 The information system maintains the integrity of organization-defined security attributes associated with organization-defined subjects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain the integrity of the security attributes defined in AC-16 (3), CCI 2278 to subjects defined in AC-16 (3), CCI 2279. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2283. The organization being inspected/assessed configures the information system to maintain the integrity of the security attributes defined in AC-16 (3), CCI 2278 to subjects defined in AC-16 (3), CCI 2279. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2283. Security Attributes | Maintenance Of Attribute Associations By Information System AC-16 (3) AC-16(3).6 Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].
CCI-002284 The information system maintains the integrity of organization-defined security attributes associated with organization-defined objects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to maintain the integrity of the security attributes defined in AC-16 (3), CCI 2278 to objects defined in AC-16 (3), CCI 2280. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2284. The organization being inspected/assessed configures the information system to maintain the integrity of the security attributes defined in AC-16 (3), CCI 2278 to objects defined in AC-16 (3), CCI 2280. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2284. Security Attributes | Maintenance Of Attribute Associations By Information System AC-16 (3) AC-16(3).7 Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions. The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].
CCI-002285 The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined subjects. The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies individuals (or processes acting on behalf of individuals) authorized to associate security attributes defined in AC-16 (4), CCI 2288 with subjects defined in AC-16 (4), CCI 2286. The organization being inspected/assessed identifies and documents individuals (or processes acting on behalf of individuals) authorized to associate security attributes defined in AC-16 (4), CCI 2288 with subjects defined in AC-16 (4), CCI 2286. Security Attributes | Association Of Attributes By Authorized Individuals AC-16 (4) AC-16(4).2 The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
CCI-002286 The organization defines the subjects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals). The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure the organization being inspected/assessed defines the subjects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals). DoD has defined the subjects as not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the subjects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals). DoD has defined the subjects as not appropriate to define at the Enterprise level. Security Attributes | Association Of Attributes By Authorized Individuals AC-16 (4) AC-16(4).3 The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
CCI-002287 The organization defines the objects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals). The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the objects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals). DoD has defined the objects as not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the objects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals). DoD has defined the objects as not appropriate to define at the Enterprise level. Security Attributes | Association Of Attributes By Authorized Individuals AC-16 (4) AC-16(4).4 The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
CCI-002288 The organization defines the security attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects. The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects. DoD has defined the security attributes as not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects. DoD has defined the security attributes as not appropriate to define at the Enterprise level. Security Attributes | Association Of Attributes By Authorized Individuals AC-16 (4) AC-16(4).5 The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
CCI-002289 The information system supports the association of organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals). The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to support the association of security attributes defined in AC-16 (4), CCI 2288 with the subjects defined in AC-16 (4), CCI 2286 by authorized individuals (or processes acting on behalf of individuals). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2289. The organization being inspected/assessed configures the information system to support the association of security attributes defined in AC-16 (4), CCI 2288 with the subjects defined in AC-16 (4), CCI 2286 by authorized individuals (or processes acting on behalf of individuals). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2289. Security Attributes | Association Of Attributes By Authorized Individuals AC-16 (4) AC-16(4).6 The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
CCI-002290 The information system supports the association of organization-defined security attributes with organization-defined objects by authorized individuals (or processes acting on behalf of individuals). The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to support the association of security attributes defined in AC-16 (4), CCI 2288 with the objects defined in AC-16 (4), CCI 2287 by authorized individuals (or processes acting on behalf of individuals). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2290. The organization being inspected/assessed configures the information system to support the association of security attributes defined in AC-16 (4), CCI 2288 with the objects defined in AC-16 (4), CCI 2287 by authorized individuals (or processes acting on behalf of individuals). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2290. Security Attributes | Association Of Attributes By Authorized Individuals AC-16 (4) AC-16(4).7 The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of security attributes selected is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events. The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
CCI-002291 The organization defines the security policies to be followed by personnel when associating organization-defined security attributes with organization-defined subjects and objects. The organization conducting the inspection/assessment obtains and examines the documented security policies to ensure the organization being inspected/assessed defines the security policies to be followed by personnel when associating organization-defined security attributes with organization-defined subjects and objects. DoD has determined the security policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security policies to be followed by personnel when associating organization-defined security attributes with organization-defined subjects and objects. DoD has determined the security policies are not appropriate to define at the Enterprise level. Security Attributes | Maintenance Of Attribute Association By Organization AC-16 (6) AC-16(6).1 This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
CCI-002292 The organization defines the security attributes which are to be associated with organization-defined subjects and objects. The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes which are to be associated with organization-defined subjects and objects. DoD has determined the security attributes are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attributes which are to be associated with organization-defined subjects and objects. DoD has determined the security attributes are not appropriate to define at the Enterprise level. Security Attributes | Maintenance Of Attribute Association By Organization AC-16 (6) AC-16(6).2 This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
CCI-002293 The organization defines the subjects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies. The organization conducting the inspection/assessment obtains and examines the documented subjects to ensure the organization being inspected/assessed defines the subjects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies. DoD has determined the subjects are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the subjects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies. DoD has determined the subjects are not appropriate to define at the Enterprise level. Security Attributes | Maintenance Of Attribute Association By Organization AC-16 (6) AC-16(6).3 This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
CCI-002294 The organization defines the objects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies. The organization conducting the inspection/assessment obtains and examines the documented objects to ensure the organization being inspected/assessed defines the objects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies. DoD has determined the objects are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the objects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies. DoD has determined the objects are not appropriate to define at the Enterprise level. Security Attributes | Maintenance Of Attribute Association By Organization AC-16 (6) AC-16(6).4 This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
CCI-002295 The organization allows personnel to associate organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires personnel to associate security attributes defined in AC-16 (6), CCI 2292 with subjects defined in AC-16 (6), CCI 2293 in accordance with security policies defined in AC-16 (6), CCI 2291. The organization being inspected/assessed documents and implements a process requiring personnel to associate security attributes defined in AC-16 (6), CCI 2292 with subjects defined in AC-16 (6), CCI 2293 in accordance with security policies defined in AC-16 (6), CCI 2291. Security Attributes | Maintenance Of Attribute Association By Organization AC-16 (6) AC-16(6).5 This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
CCI-002296 The organization allows personnel to associate organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires personnel to associate security attributes defined in AC-16 (6), CCI 2292 with objects defined in AC-16 (6), CCI 2294 in accordance with security policies defined in AC-16 (6), CCI 2291. The organization being inspected/assessed documents and implements a process requiring personnel to associate security attributes defined in AC-16 (6), CCI 2292 with objects defined in AC-16 (6), CCI 2294 in accordance with security policies defined in AC-16 (6), CCI 2291. Security Attributes | Maintenance Of Attribute Association By Organization AC-16 (6) AC-16(6).6 This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
CCI-002297 The organization allows personnel to maintain the association of organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires personnel to maintain the association of security attributes defined in AC-16 (6), CCI 2292 with subjects defined in AC-16 (6), CCI 2293 in accordance with security policies defined in AC-16 (6), CCI 2291. The organization being inspected/assessed documents and implements a process requiring personnel to maintain the association of security attributes defined in AC-16 (6), CCI 2292 with subjects defined in AC-16 (6), CCI 2293 in accordance with security policies defined in AC-16 (6), CCI 2291. Security Attributes | Maintenance Of Attribute Association By Organization AC-16 (6) AC-16(6).7 This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
CCI-002298 The organization allows personnel to maintain the association of organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires personnel to maintain the association of security attributes defined in AC-16 (6), CCI 2292 with objects defined in AC-16 (6), CCI 2294 in accordance with security policies defined in AC-16 (6), CCI 2291. The organization being inspected/assessed documents and implements a process requiring personnel to maintain the association of security attributes defined in AC-16 (6), CCI 2292 with objects defined in AC-16 (6), CCI 2294 in accordance with security policies defined in AC-16 (6), CCI 2291. Security Attributes | Maintenance Of Attribute Association By Organization AC-16 (6) AC-16(6).8 This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects. The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
CCI-002299 The organization provides a consistent interpretation of security attributes transmitted between distributed information system components. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides a consistent interpretation of security attributes transmitted between distributed information system components. The organization being inspected/assessed documents and implements a process to provide a consistent interpretation of security attributes transmitted between distributed information system components. Security Attributes | Consistent Attribute Interpretation AC-16 (7) AC-16(7).1 In order to enforce security policies across multiple components in distributed information systems (e.g., distributed database management systems, cloud-based systems, and service-oriented architectures), organizations provide a consistent interpretation of security attributes that are used in access enforcement and flow enforcement decisions. Organizations establish agreements and processes to ensure that all distributed information system components implement security attributes with consistent interpretations in automated access/flow enforcement actions. The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
CCI-002300 The organization defines the techniques or technologies to be implemented when associating security attributes with information. The organization conducting the inspection/assessment obtains and examines the documented techniques and technologies to ensure the organization being inspected/assessed defines the techniques or technologies to be implemented when associating security attributes with information. DoD has determined the techniques or technologies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the techniques or technologies to be implemented when associating security attributes with information. DoD has determined the techniques or technologies are not appropriate to define at the Enterprise level. Security Attributes | Association Techniques/Technologies AC-16 (8) AC-16(8).1 The association (i.e., binding) of security attributes to information within information systems is of significant importance with regard to conducting automated access enforcement and flow enforcement actions. The association of such security attributes can be accomplished with technologies/techniques providing different levels of assurance. For example, information systems can cryptographically bind security attributes to information using digital signatures with the supporting cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust). The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information.
CCI-002301 The organization defines the level of assurance to be provided when implementing organization-defined techniques or technologies in associating security attributes to information. The organization conducting the inspection/assessment obtains and examines the documented level of assurance to ensure the organization being inspected/assessed defines the level of assurance to be provided when implementing organization-defined techniques or technologies in associating security attributes to information. DoD has determined the level of assurance is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the level of assurance to be provided when implementing organization-defined techniques or technologies in associating security attributes to information. DoD has determined the level of assurance is not appropriate to define at the Enterprise level. Security Attributes | Association Techniques/Technologies AC-16 (8) AC-16(8).2 The association (i.e., binding) of security attributes to information within information systems is of significant importance with regard to conducting automated access enforcement and flow enforcement actions. The association of such security attributes can be accomplished with technologies/techniques providing different levels of assurance. For example, information systems can cryptographically bind security attributes to information using digital signatures with the supporting cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust). The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information.
CCI-002302 The information system implements organization-defined techniques or technologies with an organization-defined level of assurance in associating security attributes to information. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement the techniques or technologies defined in AC-16 (8), CCI 2300 with the level of assurance defined in AC-16 (8), CCI 2301 in associating security attributes to information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2302. The organization being inspected/assessed configures the information system to implement the techniques or technologies defined in AC-16 (8), CCI 2300 with the level of assurance defined in AC-16 (8), CCI 2301 in associating security attributes to information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2302. Security Attributes | Association Techniques/Technologies AC-16 (8) AC-16(8).3 The association (i.e., binding) of security attributes to information within information systems is of significant importance with regard to conducting automated access enforcement and flow enforcement actions. The association of such security attributes can be accomplished with technologies/techniques providing different levels of assurance. For example, information systems can cryptographically bind security attributes to information using digital signatures with the supporting cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust). The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information.
CCI-002303 The organization defines the techniques or procedures to be employed to validate re-grading mechanisms. The organization conducting the inspection/assessment obtains and examines the documented techniques or procedures to ensure the organization being inspected/assessed defines the techniques or procedures to be employed to validate re-grading mechanisms. DoD has determined the techniques or procedures are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the techniques or procedures to be employed to validate re-grading mechanisms. DoD has determined the techniques or procedures are not appropriate to define at the Enterprise level. Security Attributes | Attribute Reassignment AC-16 (9) AC-16(9).1 Validated re-grading mechanisms are employed by organizations to provide the requisite levels of assurance for security attribute reassignment activities. The validation is facilitated by ensuring that re-grading mechanisms are single purpose and of limited function. Since security attribute reassignments can affect security policy enforcement actions (e.g., access/flow enforcement decisions), using trustworthy re-grading mechanisms is necessary to ensure that such mechanisms perform in a consistent/correct mode of operation. The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures].
CCI-002304 The organization ensures security attributes associated with information are reassigned only via re-grading mechanisms validated using organization-defined techniques or procedures. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures security attributes associated with information are reassigned only via re-grading mechanisms validated using techniques or procedures defined in AC-16 (9), CCI 2303. The organization being inspected/assessed documents and implements a process to ensure security attributes associated with information are reassigned only via re-grading mechanisms validated using techniques or procedures defined in AC-16 (9), CCI 2303. Security Attributes | Attribute Reassignment AC-16 (9) AC-16(9).2 Validated re-grading mechanisms are employed by organizations to provide the requisite levels of assurance for security attribute reassignment activities. The validation is facilitated by ensuring that re-grading mechanisms are single purpose and of limited function. Since security attribute reassignments can affect security policy enforcement actions (e.g., access/flow enforcement decisions), using trustworthy re-grading mechanisms is necessary to ensure that such mechanisms perform in a consistent/correct mode of operation. The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures].
CCI-002305 The organization identifies individuals authorized to define or change the type and value of security attributes available for association with subjects and objects. The organization conducting the inspection/assessment obtains and examines the documented individuals to ensure the organization being inspected/assessed identifies individuals authorized to define or change the type and value of security attributes available for association with subjects and objects. The organization being inspected/assessed identifies and documents individuals authorized to define or change the type and value of security attributes available for association with subjects and objects. Security Attributes | Attribute Configuration By Authorized Individuals AC-16 (10) AC-16(10).1 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only. The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
CCI-002306 The information system provides authorized individuals the capability to define or change the type of security attributes available for association with subjects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the type of security attributes available for association with subjects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2306. The organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the type of security attributes available for association with subjects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2306. Security Attributes | Attribute Configuration By Authorized Individuals AC-16 (10) AC-16(10).2 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only. The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
CCI-002307 The information system provides authorized individuals the capability to define or change the value of security attributes available for association with subjects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the value of security attributes available for association with subjects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2307. The organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the value of security attributes available for association with subjects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2307. Security Attributes | Attribute Configuration By Authorized Individuals AC-16 (10) AC-16(10).3 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only. The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
CCI-002308 The information system provides authorized individuals the capability to define or change the type of security attributes available for association with objects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the type of security attributes available for association with objects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2308. The organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the type of security attributes available for association with objects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2308. Security Attributes | Attribute Configuration By Authorized Individuals AC-16 (10) AC-16(10).4 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only. The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
CCI-002309 The information system provides authorized individuals the capability to define or change the value of security attributes available for association with objects. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the value of security attributes available for association with objects. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2309. The organization being inspected/assessed configures the information system to provide authorized individuals the capability to define or change the value of security attributes available for association with objects. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2309. Security Attributes | Attribute Configuration By Authorized Individuals AC-16 (10) AC-16(10).5 The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only. The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
CCI-002310 The organization establishes and documents usage restrictions for each type of remote access allowed. The organization conducting the inspection/assessment obtains and examines the documented usage restrictions to ensure the organization being inspected/assessed establishes and documents usage restrictions for each type of remote access allowed. The organization being inspected/assessed establishes and documents usage restrictions for each type of remote access allowed. Remote Access AC-17 AC-17.2 Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections.
CCI-002311 The organization establishes and documents configuration/connection requirements for each type of remote access allowed. The organization conducting the inspection/assessment obtains and examines the documented requirements to ensure the organization being inspected/assessed establishes and documents configuration/connection requirements for each type of remote access allowed. The organization being inspected/assessed establishes and documents configuration/connection requirements for each type of remote access allowed. Remote Access AC-17 AC-17.3 Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections.
CCI-002312 The organization establishes and documents implementation guidance for each type of remote access allowed. The organization conducting the inspection/assessment obtains and examines the documented implementation guidance to ensure the organization being inspected/assessed establishes and documents implementation guidance for each type of remote access allowed. The organization being inspected/assessed establishes and documents implementation guidance for each type of remote access allowed. Remote Access AC-17 AC-17.4 Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections.
CCI-002313 The information system controls remote access methods.
CCI-002314 The information system controls remote access methods. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to control remote access methods. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2314. The organization being inspected/assessed configures the information system to control remote access methods. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2314. Remote Access | Automated Monitoring / Control AC-17 (1) AC-17(1).2 Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12. The information system monitors and controls remote access methods.
CCI-002315 The organization defines the number of managed network access control points through which the information system routes all remote access. The organization conducting the inspection/assessment obtains and examines the documented number to ensure the organization being inspected/assessed defines the number of managed network access control points through which the information system routes all remote access. DoD has determined the number is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the number of managed network access control points through which the information system routes all remote access. DoD has determined the number is not appropriate to define at the Enterprise level. Remote Access | Managed Access Control Points AC-17 (3) AC-17(3).3 Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
CCI-002316 The organization authorizes access to security-relevant information via remote access only for organization-defined needs. The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes the access to security-relevant information via remote access only for needs defined in AC-17 (4), CCI 2318. The organization being inspected/assessed authorizes the access to security-relevant information via remote access only for needs defined in AC-17 (4), CCI 2318. The organization being inspected/assessed maintains an audit trail of authorizations. Remote Access | Privileged Commands/Access AC-17 (4) AC-17(4).2 Related control: AC-6. The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system.
CCI-002317 The organization defines the operational needs for when the execution of privileged commands via remote access is to be authorized. The organization conducting the inspection/assessment obtains and examines the documented operational needs to ensure the organization being inspected/assessed defines the operational needs for when the execution of privileged commands via remote access is to be authorized. DoD has determined the operational needs are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the operational needs for when the execution of privileged commands via remote access is to be authorized. DoD has determined the operational needs are not appropriate to define at the Enterprise level. Remote Access | Privileged Commands/Access AC-17 (4) AC-17(4).3 Related control: AC-6. The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system.
CCI-002318 The organization defines the operational needs for when access to security-relevant information via remote access is to be authorized. The organization conducting the inspection/assessment obtains and examines the documented operational needs to ensure the organization being inspected/assessed defines the operational needs for when access to security-relevant information via remote access is to be authorized. DoD has determined the operational needs are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the operational needs for when access to security-relevant information via remote access is to be authorized. DoD has determined the operational needs are not appropriate to define at the Enterprise level. Remote Access | Privileged Commands/Access AC-17 (4) AC-17(4).4 Related control: AC-6. The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system.
CCI-002319 The organization documents in the security plan for the information system the rationale for authorization of the execution of privileged commands via remote access. The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed documents in the security plan for the information system the rationale for authorization of the execution of privileged commands via remote access. The organization being inspected/assessed documents in the security plan for the information system the rationale for authorization of the execution of privileged commands via remote access. Remote Access | Privileged Commands/Access AC-17 (4) AC-17(4).5 Related control: AC-6. The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system.
CCI-002320 The organization documents in the security plan for the information system the rationale for authorization of access to security-relevant information via remote access. The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed documents in the security plan for the information system the rationale for authorization of access to security-relevant information via remote access. The organization being inspected/assessed documents in the security plan for the information system the rationale for authorization of access to security-relevant information via remote access. Remote Access | Privileged Commands/Access AC-17 (4) AC-17(4).6 Related control: AC-6. The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system.
CCI-002321 The organization defines the time period within which it disconnects or disables remote access to the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as immediately. DoD has defined the time period as immediately. Remote Access | Disconnect/Disable Access AC-17 (9) AC-17(9).1 This control enhancement requires organizations to have the capability to rapidly disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions/business functions and the need to eliminate immediate or future remote access to organizational information systems. The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period].
CCI-002322 The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability to expeditiously disconnect or disable remote access to the information system immediately. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2322. DoD has defined the time period as immediately. The organization being inspected/assessed configures the information system to provide the capability to expeditiously disconnect or disable remote access to the information system immediately. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2322. DoD has defined the time period as immediately. Remote Access | Disconnect/Disable Access AC-17 (9) AC-17(9).2 This control enhancement requires organizations to have the capability to rapidly disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions/business functions and the need to eliminate immediate or future remote access to organizational information systems. The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period].
CCI-002323 The organization establishes configuration/connection requirements for wireless access. The organization conducting the inspection/assessment obtains and examines the documented configuration/connection requirements to ensure the organization being inspected/assessed establishes configuration/connection requirements for wireless access. The organization being inspected/assessed establishes and documents configuration/connection requirements for wireless access. Wireless Access AC-18 AC-18.3 Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4. The organization: a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b. Authorizes wireless access to the information system prior to allowing such connections.
CCI-002324 The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. The organization being inspected/assessed identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. The organization must maintain an audit trail of authorizations. Wireless Access | Restrict Configurations By Users AC-18 (4) AC-18(4).1 Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational information systems. Related controls: AC-3, SC-15. The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
CCI-002325 The organization establishes configuration requirements for organization-controlled mobile devices. DoD is automatically compliant with this CCI because existing STIGs establish configuration requirements for approved mobile devices. DoD is automatically compliant with this CCI because existing STIGs establish configuration requirements for approved mobile devices. Access Control For Mobile Devices AC-19 AC-19.3 A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. The organization: a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and b. Authorizes the connection of mobile devices to organizational information systems.
CCI-002326 The organization establishes connection requirements for organization-controlled mobile devices. The organization conducting the inspection/assessment obtains and examines the documented connection requirements to ensure the organization being inspected/assessed establishes connection requirements for organization-controlled mobile devices. The organization being inspected/assessed establishes and documents connection requirements for organization-controlled mobile devices. Access Control For Mobile Devices AC-19 AC-19.4 A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. The organization: a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and b. Authorizes the connection of mobile devices to organizational information systems.
CCI-002327 The organization defines the security policies which restrict the connection of classified mobile devices to classified information systems. The organization conducting the inspection/assessment obtains and examines the documented security policies to ensure the organization being inspected/assessed defines the security policies which restrict the connection of classified mobile devices to classified information systems. DoD has determined the security policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security policies which restrict the connection of classified mobile devices to classified information systems. DoD has determined the security policies are not appropriate to define at the Enterprise level. Access Control For Mobile Devices | Restrictions For Classified Information AC-19 (4) AC-19(4).8 Related controls: CA-6, IR-4. The organization: (a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified information systems is prohibited; (2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
CCI-002328 The organization restricts the connection of classified mobile devices to classified information systems in accordance with organization-defined security policies. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed restricts the connection of classified mobile devices to classified information systems in accordance with the security policies defined in AC-19 (4), CCI 2327. The organization being inspected/assessed documents and implements a process to restrict the connection of classified mobile devices to classified information systems in accordance with the security policies defined in AC-19 (4), CCI 2327. Access Control For Mobile Devices | Restrictions For Classified Information AC-19 (4) AC-19(4).9 Related controls: CA-6, IR-4. The organization: (a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified information systems is prohibited; (2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
CCI-002329 The organization defines the mobile devices that are to employ full-device or container encryption to protect the confidentiality and integrity of the information on the device. The organization conducting the inspection/assessment obtains and examines the documented mobile devices to ensure the organization being inspected/assessed defines the mobile devices that are to employ full-device or container encryption to protect the confidentiality and integrity of the information on the device. DoD has determined the mobile devices are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the mobile devices that are to employ full-device or container encryption to protect the confidentiality and integrity of the information on the device. DoD has determined the mobile devices are not appropriate to define at the Enterprise level. Access Control For Mobile Devices | Full Device/ Container-Based Encryption AC-19 (5) AC-19(5).2 Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28. The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
CCI-002330 The organization employs full-device encryption or container encryption to protect the confidentiality of information on organization-defined mobile devices. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs full-device encryption or container encryption to protect the confidentiality of information on mobile devices defined in AC-19 (5), CCI 2329. The organization being inspected/assessed documents and implements a process for full-device encryption or container encryption to protect the confidentiality of information on mobile devices defined in AC-19 (5), CCI 2329. Access Control For Mobile Devices | Full Device/ Container-Based Encryption AC-19 (5) AC-19(5).3 Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28. The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
CCI-002331 The organization employs full-device encryption or container encryption to protect the integrity of information on organization-defined mobile devices. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. The organization being inspected/assessed documents and implements a process to reassign or remove privileges, if necessary, to correctly reflect organizational mission/business needs. Least Privilege | Review Of User Privileges AC-6 (7) AC-6(7).4 The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7. The organization: (a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
CCI-002332 The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store, or transmit organization-controlled information using the external information systems. The organization conducting the inspection/assessment obtains and examines the documented terms and conditions to ensure the organization being inspected/assessed establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store or transmit organization-controlled information using the external information systems. The organization being inspected/assessed establishes and documents the terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store or transmit organization-controlled information using the external information systems. Use Of External Information Systems AC-20 AC-20.2 External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. Related controls: AC-3, AC-17, AC-19, CA-3, PL-4, SA-9. The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: a. Access the information system from external information systems; and b. Process, store, or transmit organization-controlled information using external information systems.
CCI-002333 The organization permits authorized individuals to use an external information system to access the information system only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed permits authorized individuals to use an external information system to access the information system only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. The organization being inspected/assessed documents and implements a process to permit authorized individuals to use an external information system to access the information system only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. Use Of External Information Systems | Limits On Authorized Use AC-20 (1) AC-20(1).1 This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
CCI-002334 The organization permits authorized individuals to use an external information system to process organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed permits authorized individuals to use an external information system to process organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. The organization being inspected/assessed documents and implements a process to permit authorized individuals to use an external information system to process organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. Use Of External Information Systems | Limits On Authorized Use AC-20 (1) AC-20(1).2 This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
CCI-002335 The organization permits authorized individuals to use an external information system to store organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed permits authorized individuals to use an external information system to store organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. The organization being inspected/assessed documents and implements a process to permit authorized individuals to use an external information system to store organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. Use Of External Information Systems | Limits On Authorized Use AC-20 (1) AC-20(1).3 This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
CCI-002336 The organization permits authorized individuals to use an external information system to transmit organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed permits authorized individuals to use an external information system to transmit organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. The organization being inspected/assessed documents and implements a process to permit authorized individuals to use an external information system to transmit organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan. Use Of External Information Systems | Limits On Authorized Use AC-20 (1) AC-20(1).4 This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
CCI-002337 The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization retains approved information system connection or processing agreements with the organizational entity hosting the external information system. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization retains approved information system connection or processing agreements with the organizational entity hosting the external information system. The organization being inspected/assessed documents and implements a process to permit authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization retains approved information system connection or processing agreements with the organizational entity hosting the external information system. Use Of External Information Systems | Limits On Authorized Use AC-20 (1) AC-20(1).5 This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
CCI-002338 The organization restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information. The organization being inspected/assessed documents and implements a process to restrict or prohibit the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information. Use Of External Information Systems | Non-Organizationally Owned Systems / Components / Devices AC-20 (3) AC-20(3).1 Non-organizationally owned devices include devices owned by other organizations (e.g., federal/state agencies, contractors) and personally owned devices. There are risks to using non-organizationally owned devices. In some cases, the risk is sufficiently high as to prohibit such use. In other cases, it may be such that the use of non-organizationally owned devices is allowed but restricted in some way. Restrictions include, for example: (i) requiring the implementation of organization-approved security controls prior to authorizing such connections; (ii) limiting access to certain types of information, services, or applications; (iii) using virtualization techniques to limit processing and storage activities to servers or other system components provisioned by the organization; and (iv) agreeing to terms and conditions for usage. For personally owned devices, organizations consult with the Office of the General Counsel regarding legal issues associated with using such devices in operational environments, including, for example, requirements for conducting forensic analyses during investigations after an incident. The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.
CCI-002339 The organization defines the network accessible storage devices that are to be prohibited from being used in external information systems. The organization conducting the inspection/assessment obtains and examines the documented network accessible storage devices to ensure the organization being inspected/assessed defines the network accessible storage devices that are to be prohibited from being used in external information systems. DoD has determined the network accessible storage devices are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the network accessible storage devices that are to be prohibited from being used in external information systems. DoD has determined the network accessible storage devices are not appropriate to define at the Enterprise level. Use Of External Information Systems | Network Accessible Storage Devices AC-20 (4) AC-20(4).1 Network accessible storage devices in external information systems include, for example, online storage devices in public, hybrid, or community cloud-based systems. The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems.
CCI-002340 The organization prohibits the use of organization-defined network accessible storage devices in external information systems. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed prohibits the use of network accessible storage devices defined in AC-20 (4), CCI 2339 in external information systems. The organization being inspected/assessed documents and implements a process to prohibit the use of network accessible storage devices defined in AC-20 (4), CCI 2339 in external information systems. Use Of External Information Systems | Network Accessible Storage Devices AC-20 (4) AC-20(4).2 Network accessible storage devices in external information systems include, for example, online storage devices in public, hybrid, or community cloud-based systems. The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems.
CCI-002341 The organization defines the information sharing restrictions to be enforced by the information system for information search and retrieval services. The organization conducting the inspection/assessment obtains and examines the documented information sharing restrictions to ensure the organization being inspected/assessed defines the information sharing restrictions to be enforced by the information system for information search and retrieval services. DoD has determined the information sharing restrictions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information sharing restrictions to be enforced by the information system for information search and retrieval services. DoD has determined the information sharing restrictions are not appropriate to define at the Enterprise level. Information Sharing | Information Search And Retrieval AC-21 (2) AC-21(2).1 The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].
CCI-002342 The information system implements information search and retrieval services that enforce organization-defined information sharing restrictions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement information search and retrieval services that enforce information sharing restrictions defined in AC-21 (2), CCI 2341. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2342. The organization being inspected/assessed configures the information system to implement information search and retrieval services that enforce information sharing restrictions defined in AC-21 (2), CCI 2341. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2342. Information Sharing | Information Search And Retrieval AC-21 (2) AC-21(2).2 The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].
CCI-002343 The organization defines the data mining prevention techniques to be employed to adequately protect organization-defined data storage objects against data mining. The organization conducting the inspection/assessment obtains and examines the documented data mining prevention techniques to ensure the organization being inspected/assessed defines the data mining prevention techniques to be employed to adequately protect organization-defined data storage objects against data mining. DoD has determined the data mining prevention techniques are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the data mining prevention techniques to be employed to adequately protect organization-defined data storage objects against data mining. DoD has determined the data mining prevention techniques are not appropriate to define at the Enterprise level. Data Mining Protection AC-23 AC-23.1 Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites. The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
CCI-002344 The organization defines the data mining detection techniques to be employed to adequately detect data mining attempts against organization-defined data storage objects. The organization conducting the inspection/assessment obtains and examines the documented data mining detection techniques to ensure the organization being inspected/assessed defines the data mining detection techniques to be employed to adequately detect data mining attempts against organization-defined data storage objects. DoD has determined the data mining detection techniques are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the data mining detection techniques to be employed to adequately detect data mining attempts against organization-defined data storage objects. DoD has determined the data mining detection techniques are not appropriate to define at the Enterprise level. Data Mining Protection AC-23 AC-23.2 Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites. The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
CCI-002345 The organization defines the data storage objects that are to be protected against data mining attempts. The organization conducting the inspection/assessment obtains and examines the documented data storage objects to ensure the organization being inspected/assessed defines the data storage objects that are to be protected against data mining attempts. DoD has determined the data storage objects are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the data storage objects that are to be protected against data mining attempts. DoD has determined the data storage objects are not appropriate to define at the Enterprise level. Data Mining Protection AC-23 AC-23.3 Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites. The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
CCI-002346 The organization employs organization-defined data mining prevention techniques for organization-defined data storage objects to adequately protect against data mining. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ data mining prevention techniques defined in AC-23, CCI 2343 for data storage objects defined in AC-23, CCI 2345 to adequately detect data mining attempts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2346. The organization being inspected/assessed configures the information system to employ data mining prevention techniques defined in AC-23, CCI 2343 for data storage objects defined in AC-23, CCI 2345 to adequately detect data mining attempts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2346. Data Mining Protection AC-23 AC-23.4 Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites. The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
CCI-002347 The organization employs organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ data mining detection techniques defined in AC-23, CCI 2344 for data storage objects defined in AC-23, CCI 2345 to adequately detect data mining attempts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2347. The organization being inspected/assessed configures the information system to employ data mining detection techniques defined in AC-23, CCI 2344 for data storage objects defined in AC-23, CCI 2345 to adequately detect data mining attempts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2347. Data Mining Protection AC-23 AC-23.5 Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information residing on external sites, for example, through social networking or social media websites. The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
CCI-002348 The organization defines the access control decisions that are to be applied to each access request prior to access enforcement. The organization conducting the inspection/assessment obtains and examines the documented access control decisions to ensure the organization being inspected/assessed defines the access control decisions that are to be applied to each access request prior to access enforcement. DoD has determined the access control decisions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the access control decisions that are to be applied to each access request prior to access enforcement. DoD has determined the access control decisions are not appropriate to define at the Enterprise level. Access Control Decisions AC-24 AC-24.1 Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when information systems enforce access control decisions. While it is very common to have access control decisions and access enforcement implemented by the same entity, it is not required and it is not always an optimal implementation choice. For some architectures and distributed information systems, different entities may perform access control decisions and access enforcement. The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
CCI-002349 The organization establishes procedures to ensure organization-defined access control decisions are applied to each access request prior to access enforcement. The organization conducting the inspection/assessment obtains and examines the documented procedures to ensure the organization being inspected/assessed establishes procedures to ensure access control decisions defined in AC-24, CCI 2348 are applied to each access request prior to access enforcement. The organization being inspected/assessed establishes and documents procedures to ensure access control decisions defined in AC-24, CCI 2348 are applied to each access request prior to access enforcement. Access Control Decisions AC-24 AC-24.2 Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when information systems enforce access control decisions. While it is very common to have access control decisions and access enforcement implemented by the same entity, it is not required and it is not always an optimal implementation choice. For some architectures and distributed information systems, different entities may perform access control decisions and access enforcement. The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
CCI-002350 The organization defines the access authorization information that is to be transmitted using organization-defined security safeguards to organization-defined information systems that enforce access control decisions. The organization conducting the inspection/assessment obtains and examines the documented access authorization information to ensure the organization being inspected/assessed defines the access authorization information that is to be transmitted using organization-defined security safeguards to organization-defined information systems that enforce access control decisions. DoD has determined the access authorization information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the access authorization information that is to be transmitted using organization-defined security safeguards to organization-defined information systems that enforce access control decisions. DoD has determined the access authorization information is not appropriate to define at the Enterprise level. Access Control Decisions | Transmit Access Authorization Information AC-24 (1) AC-24(1).1 In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. Protecting access authorization information (i.e., access control decisions) ensures that such information cannot be altered, spoofed, or otherwise compromised during transmission. The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions.
CCI-002351 The organization defines the security safeguards to be employed when transmitting organization-defined access authorization information to organization-defined information systems that enforce access control decisions. The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines the security safeguards to be employed when transmitting organization-defined access authorization information to organization-defined information systems that enforce access control decisions. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security safeguards to be employed when transmitting organization-defined access authorization information to organization-defined information systems that enforce access control decisions. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. Access Control Decisions | Transmit Access Authorization Information AC-24 (1) AC-24(1).2 In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. Protecting access authorization information (i.e., access control decisions) ensures that such information cannot be altered, spoofed, or otherwise compromised during transmission. The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions.
CCI-002352 The organization defines the information systems that are to be recipients of organization-defined access authorization information using organization-defined security safeguards. The organization conducting the inspection/assessment obtains and examines the documented information systems to ensure the organization being inspected/assessed defines the information systems that are to be recipients of organization-defined access authorization information using organization-defined security safeguards. DoD has determined the information systems are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information systems that are to be recipients of organization-defined access authorization information using organization-defined security safeguards. DoD has determined the information systems are not appropriate to define at the Enterprise level. Access Control Decisions | Transmit Access Authorization Information AC-24 (1) AC-24(1).3 In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. Protecting access authorization information (i.e., access control decisions) ensures that such information cannot be altered, spoofed, or otherwise compromised during transmission. The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions.
CCI-002353 The information system transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to transmit access authorization information defined in AC-24 (1), CCI 2350 using security safeguards defined in AC-24 (1), CCI 2351 to information systems defined in AC-24 (1), CCI 2352 which enforce access control decisions. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2353. The organization being inspected/assessed configures the information system to transmit access authorization information defined in AC-24 (1), CCI 2350 using security safeguards defined in AC-24 (1), CCI 2351 to information systems defined in AC-24 (1), CCI 2352 which enforce access control decisions. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2353. Access Control Decisions | Transmit Access Authorization Information AC-24 (1) AC-24(1).4 In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. Protecting access authorization information (i.e., access control decisions) ensures that such information cannot be altered, spoofed, or otherwise compromised during transmission. The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions.
CCI-002354 The organization defines the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions. The organization conducting the inspection/assessment obtains and examines the documented security attributes to ensure the organization being inspected/assessed defines the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions. DoD has determined the security attributes are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions. DoD has determined the security attributes are not appropriate to define at the Enterprise level. Access Control Decisions | No User Or Process Identity AC-24 (2) AC-24(2).1 In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions and, especially in the case of distributed information systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user.
CCI-002355 The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce access control decisions based on security attributes defined in AC-24 (2), CCI 2354 that do not include the identity of the user or process acting on behalf of the user. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2355. The organization being inspected/assessed configures the information system to enforce access control decisions based on security attributes defined in AC-24 (2), CCI 2354 that do not include the identity of the user or process acting on behalf of the user. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2355. Access Control Decisions | No User Or Process Identity AC-24 (2) AC-24(2).2 In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions and, especially in the case of distributed information systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user.
CCI-002356 The organization defines the access control policies to be implemented by the information system's reference monitor. The organization conducting the inspection/assessment obtains and examines the documented access control policies to ensure the organization being inspected/assessed defines the access control policies to be implemented by the information system's reference monitor. DoD has determined the access control policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the access control policies to be implemented by the information system's reference monitor. DoD has determined the access control policies are not appropriate to define at the Enterprise level. Reference Monitor AC-25 AC-25.1 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Reference monitors typically enforce mandatory access control policies—a type of access control that restricts access to objects based on the identity of subjects or groups to which the subjects belong. The access controls are mandatory because subjects with certain privileges (i.e., access permissions) are restricted from passing those privileges on to any other subjects, either directly or indirectly—that is, the information system strictly enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy. Related controls: AC-3, AC-16, SC-3, SC-39. The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
CCI-002357 The information system implements a reference monitor for organization-defined access control policies that is tamperproof. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is tamperproof. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2357. The organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is tamperproof. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2357. Reference Monitor AC-25 AC-25.2 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Reference monitors typically enforce mandatory access control policies—a type of access control that restricts access to objects based on the identity of subjects or groups to which the subjects belong. The access controls are mandatory because subjects with certain privileges (i.e., access permissions) are restricted from passing those privileges on to any other subjects, either directly or indirectly—that is, the information system strictly enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy. Related controls: AC-3, AC-16, SC-3, SC-39. The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
CCI-002358 The information system implements a reference monitor for organization-defined access control policies that is always invoked. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is always invoked. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2358. The organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is always invoked. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2358. Reference Monitor AC-25 AC-25.3 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Reference monitors typically enforce mandatory access control policies—a type of access control that restricts access to objects based on the identity of subjects or groups to which the subjects belong. The access controls are mandatory because subjects with certain privileges (i.e., access permissions) are restricted from passing those privileges on to any other subjects, either directly or indirectly—that is, the information system strictly enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy. Related controls: AC-3, AC-16, SC-3, SC-39. The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
CCI-002359 The information system implements a reference monitor for organization-defined access control policies that is small enough to be subject to analysis and testing, the completeness of which can be assured. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is small enough to be subject to analysis and testing, the completeness of which can be assured. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2359. The organization being inspected/assessed configures the information system to implement a reference monitor for access control policies defined in AC-25, CCI 2356 that is small enough to be subject to analysis and testing, the completeness of which can be assured. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2359. Reference Monitor AC-25 AC-25.4 Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Reference monitors typically enforce mandatory access control policies—a type of access control that restricts access to objects based on the identity of subjects or groups to which the subjects belong. The access controls are mandatory because subjects with certain privileges (i.e., access permissions) are restricted from passing those privileges on to any other subjects, either directly or indirectly—that is, the information system strictly enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy. Related controls: AC-3, AC-16, SC-3, SC-39. The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
CCI-002048 The organization defines the personnel or roles to whom the security awareness and training policy is disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles as organizational personnel with security awareness and training responsibilities. DoD has defined the roles as organizational personnel with security awareness and training responsibilities. DoD disseminates DoDD 8570.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/dir.html Security Awareness And Training Policy And Procedures AT-1 AT-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-002049 The organization defines the personnel or roles to whom the security awareness and training procedures are disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles as organizational personnel with security awareness and training responsibilities. DoD has defined the roles as organizational personnel with security awareness and training responsibilities. Security Awareness And Training Policy And Procedures AT-1 AT-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
CCI-002055 The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. The IA Awareness CBT, "Cyber Awareness Challenge," and Virtual Training Environment (VTE) Courses: "Introduction to Insider Threat" and "Monitoring for Insider Threat" available on the IASE website meet the DoD requirement to include security awareness training on recognizing and reporting potential indicators of insider threat. DoD Components are automatically compliant with this CCI because they are covered by the DoD level training available on the IASE website. The IA Awareness CBT, "Cyber Awareness Challenge," and Virtual Training Environment (VTE) Courses: "Introduction to Insider Threat" and "Monitoring for Insider Threat" available on the IASE website meet the DoD requirement to include security awareness training on recognizing and reporting potential indicators of insider threat. DoD Components are automatically compliant with this CCI because they are covered by the DoD level training available on the IASE website. Security Awareness | Insider Threat AT-2 (2) AT-2(2).1 Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Related controls: PL-4, PM-12, PS-3, PS-6. The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
CCI-002050 The organization defines the personnel or roles to whom initial and refresher training in the employment and operation of environmental controls is to be provided. The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to whom initial and refresher training in the employment and operation of environmental controls is to be provided. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the personnel or roles to whom initial and refresher training in the employment and operation of environmental controls is to be provided. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. Security Training | Environmental Controls AT-3 (1) AT-3(1).4 Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
CCI-002051 The organization defines the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided. The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. Security Training | Physical Security Controls AT-3 (2) AT-3(2).4 Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5. The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
CCI-002052 The organization includes practical exercises in security training that reinforce training objectives. The organization conducting the inspection/assessment obtains and examines the security training materials to ensure the organization being inspected/assessed includes practical exercises in security training that reinforce training objectives. The organization being inspected/assessed includes practical exercises in security training that reinforce training objectives. Security Training | Practical Exercises AT-3 (3) AT-3(3).1 Practical exercises may include, for example, security training for software developers that includes simulated cyber attacks exploiting common software vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted at senior leaders/executives. These types of practical exercises help developers better understand the effects of such vulnerabilities and appreciate the need for security coding standards and processes. The organization includes practical exercises in security training that reinforce training objectives.
CCI-002053 The organization provides training to its personnel on organization-defined indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems. The organization conducting the inspection/assessment obtains and examines the training materials and indicators of malicious code defined in AT-3 (4), CCI 2054 to ensure the organization being inspected/assessed provides users with the means to recognize suspicious communications and anomalous behavior in organizational information systems. The organization being inspected/assessed provides training to its personnel on indicators of malicious code defined in AT-3 (4), CCI 2054 to recognize suspicious communications and anomalous behavior in organizational information systems. Security Training | Suspicious Communications And Anomalous System Behavior AT-3 (4) AT-3(4).1 A well-trained workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code coming in to organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to such suspicious email or web communications (e.g., not opening attachments, not clicking on embedded web links, and checking the source of email addresses). For this process to work effectively, all organizational personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in organizational information systems can potentially provide early warning for the presence of malicious code. Recognition of such anomalous behavior by organizational personnel can supplement automated malicious code detection and protection tools and systems employed by organizations. The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.
CCI-002054 The organization defines indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems. The organization conducting the inspection/assessment obtains and examines the documented indicators to ensure the organization being inspected/assessed defines indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems. DoD has determined the indicators are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems. DoD has determined the indicators are not appropriate to define at the Enterprise level. Security Training | Suspicious Communications And Anomalous System Behavior AT-3 (4) AT-3(4).2 A well-trained workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code coming in to organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to such suspicious email or web communications (e.g., not opening attachments, not clicking on embedded web links, and checking the source of email addresses). For this process to work effectively, all organizational personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in organizational information systems can potentially provide early warning for the presence of malicious code. Recognition of such anomalous behavior by organizational personnel can supplement automated malicious code detection and protection tools and systems employed by organizations. The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.
CCI-001831 The organization documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-001832 The organization disseminates the audit and accountability policy to organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines the audit and accountability procedures via the inspected organization's information sharing capability (e.g., portal, intranet, email, etc.) to ensure it has been disseminated. The organization being inspected/assessed disseminates, via an information sharing capability, to the ISSO and ISSM and others as the local organization deems appropriate an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. Audit And Accountability Policy And Procedures AU-1 AU-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-001833 The organization documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
CCI-001834 The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. The organization conducting the inspection/assessment obtains and examines the audit and accountability procedures via the inspected organization's information sharing capability (e.g., portal, intranet, email, etc.) to ensure it has been disseminated. The organization being inspected/assessed disseminates, via an information sharing capability, to the ISSO and ISSM and others as the local organization deems appropriate audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. Audit And Accountability Policy And Procedures AU-1 AU-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-001835 The organization defines the frequency on which it will review the audit and accountability policy.
CCI-001836 The organization defines the frequency on which it will update the audit and accountability policy.
CCI-001837 The organization reviews the audit and accountability policy on an organization-defined frequency.
CCI-001838 The organization updates the audit and accountability policy on an organization-defined frequency.
CCI-001839 The organization defines the frequency on which it will review the audit and accountability procedures.
CCI-001840 The organization defines the frequency on which it will update the audit and accountability procedures.
CCI-001841 The organization reviews the audit and accountability procedures on an organization-defined frequency.
CCI-001842 The organization updates the audit and accountability procedures on an organization-defined frequency.
CCI-001930 The organization defines the organizational personnel or roles to whom the audit and accountability policy is to be disseminated. The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles to whom the audit and accountability policy is to be disseminated to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles. DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. The organization being inspected/assessed defines and documents any personnel or roles, in addition to the ISSO or ISSM, to whom the audit and accountability policy is to be disseminated. If there are no additional personnel or roles, the organization must also document that. DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. Audit And Accountability Policy And Procedures AU-1 AU-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-001931 The organization defines the organizational personnel or roles to whom the audit and accountability procedures are to be disseminated. The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles to whom the audit and accountability procedures are to be disseminated to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles. DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. The organization being inspected/assessed defines and documents any personnel or roles, in addition to the ISSO or ISSM, to whom the audit and accountability procedures are to be disseminated. If there are no additional personnel or roles, the organization must also document that. DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. Audit And Accountability Policy And Procedures AU-1 AU-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency].
CCI-001843 The organization defines a frequency for updating the list of organization-defined auditable events.
CCI-001844 The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to provide centralized management and configuration of the content to be captured in audit records generated by all information system and network components. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1844. DoD has defined the information system components as all information system and network components. The organization being inspected/assessed configures the information system to provide centralized management and configuration of the content to be captured in audit records generated by all information system and network components. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1844. DoD has defined the information system components as all information system and network components. Content Of Audit Records | Centralized Management Of Planned Audit Record Content AU-3 (2) AU-3(2).1 This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system. Related controls: AU-6, AU-7. The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
CCI-001845 The information system provides centralized configuration of the content to be captured in audit records generated by organization-defined information system components.
CCI-001846 The organization defines information system components that will generate the audit records which are to be captured for centralized management of the content. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information system components as all information system and network components. DoD has defined the information system components as all information system and network components. Content Of Audit Records | Centralized Management Of Planned Audit Record Content AU-3 (2) AU-3(2).2 This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system. Related controls: AU-6, AU-7. The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
CCI-001847 The organization defines information system components that will generate the audit records which are to be captured for centralized configuration of the content. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information system components as all information system and network components. DoD has defined the information system components as all information system and network components. Content Of Audit Records | Centralized Management Of Planned Audit Record Content AU-3 (2) AU-3(2).3 This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system. Related controls: AU-6, AU-7. The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
CCI-001848 The organization defines the audit record storage requirements. The organization conducting the inspection/assessment obtains and examines the documented audit record storage requirements to ensure the organization being inspected/assessed has defined those requirements. DoD has determined the audit record storage requirements are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the required audit record storage capacity. DoD has determined the audit record storage requirements are not appropriate to define at the Enterprise level. Audit Storage Capacity AU-4 AU-4.1 Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4. The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
CCI-001849 The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to allocate audit record storage capacity as defined in AU-4, CCI 1848. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1849. The organization being inspected/assessed allocates, and configures the information system to allocate audit record storage capacity as defined in AU-4, CCI 1848. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1849. Audit Storage Capacity AU-4 AU-4.2 Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4. The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
CCI-001850 The organization defines the frequency on which the information system off-loads audit records onto a different system or media than the system being audited. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at a minimum, real-time for interconnected systems and weekly for stand-alone systems. DoD has defined the frequency as at a minimum, real-time for interconnected systems and weekly for stand-alone systems. Audit Storage Capacity | Transfer To Alternate Storage AU-4 (1) AU-4(1).1 Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred. The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
CCI-001851 The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to off-load audit records at a minimum, in real-time for interconnected systems and weekly for stand-alone systems onto a different system or media than the system being audited. DoD has defined the frequency as at a minimum, real-time for interconnected systems and weekly for stand-alone systems. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1851. The organization being inspected/assessed configures the information system to off-load audit records at a minimum, in real-time for interconnected systems and weekly for stand-alone systems onto a different system or media than the system being audited. DoD has defined the frequency as at a minimum, real-time for interconnected systems and weekly for stand-alone systems. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1851. Audit Storage Capacity | Transfer To Alternate Storage AU-4 (1) AU-4(1).2 Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred. The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
CCI-001852 The organization defines the personnel, roles and/or locations to receive a warning when allocated audit record storage volume reaches a defined percentage of maximum audit records storage capacity. The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles who should receive a warning when allocated audit record storage volume reaches a defined percentage of maximum audit records storage capacity to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles beyond the ISSO/PMO and ISSM. DoD has defined the personnel or roles as at a minimum, the ISSO/PMO and ISSM. The organization being inspected/assessed defines and documents any personnel or roles, in addition to the ISSO/PMO and ISSM, who shall receive a warning when allocated audit record storage volume reaches a defined percentage of maximum audit records storage capacity. If there are no additional personnel or roles, the organization must also document that. DoD has defined the personnel or roles as at a minimum, the ISSO/PMO and ISSM. Response To Audit Processing Failures | Audit Storage Capacity AU-5 (1) AU-5(1).1 Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities. The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
CCI-001853 The organization defines the time period within which organization-defined personnel, roles, and/or locations are to receive warnings when allocated audit record storage volume reaches an organization-defined percentage of maximum audit records storage capacity. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as immediate. DoD has defined the time period as immediate. Response To Audit Processing Failures | Audit Storage Capacity AU-5 (1) AU-5(1).2 Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities. The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
CCI-001854 The organization defines the percentage of maximum audit record storage capacity that is to be reached, at which time the information system will provide a warning to organization-defined personnel, roles, and/or locations. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the percentage as 75 percent. DoD has defined the percentage as 75 percent. Response To Audit Processing Failures | Audit Storage Capacity AU-5 (1) AU-5(1).3 Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities. The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
CCI-001855 The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to immediately provide a warning to personnel, roles, and/or locations defined in AU-5 (1), CCI 1852 when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. DoD has defined the time period as immediate. DoD has defined the percentage as 75 percent. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1855. The organization being inspected/assessed configures the information system to immediately provide a warning to personnel, roles, and/or locations defined in AU-5 (1), CCI 1852 when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. DoD has defined the time period as immediate. DoD has defined the percentage as 75 percent. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1855. Response To Audit Processing Failures | Audit Storage Capacity AU-5 (1) AU-5(1).4 Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities. The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
CCI-001856 The organization defines the real-time period within which the information system is to provide an alert when organization-defined audit failure events occur. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the real-time period as immediate. DoD has defined the real-time period as immediate. Response To Audit Processing Failures | Real-Time Alerts AU-5 (2) AU-5(2).2 Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
CCI-001857 The organization defines the personnel, roles, and/or locations to receive alerts when organization-defined audit failure events occur. The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles who should receive alerts when all audit failure events occur to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles. DoD has defined the audit failure events as all. The organization being inspected/assessed defines and documents any personnel or roles, in addition to the SCA and ISSO, who shall receive alerts when all audit failure events occur. If there are no additional personnel or roles, the organization must also document that. DoD has defined the personnel or roles as at a minimum, the SCA and ISSO. DoD has defined the audit failure events as all. Response To Audit Processing Failures | Real-Time Alerts AU-5 (2) AU-5(2).3 Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
CCI-001858 The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configured the information system to immediately provide a real-time alert to personnel, roles, and/or locations defined in AU-5 (2), CCI 1857 when all audit failure events requiring real-time alerts occur. DoD has defined the real-time period as immediate. DoD has defined the audit failure events as all. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1858. The organization being inspected/assessed configures the information system to immediately provide a real-time alert to personnel, roles, and/or locations defined in AU-5 (2), CCI 1857 when all audit failure events requiring real-time alerts occur. DoD has defined the real-time period as immediate. DoD has defined the audit failure events as all. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1858. Response To Audit Processing Failures | Real-Time Alerts AU-5 (2) AU-5(2).4 Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
CCI-001859 The organization defines the network communication traffic volume thresholds reflecting limits on auditing capacity, specifying when the information system will reject or delay network traffic that exceeds those thresholds. The organization conducting the inspection/assessment obtains and examines the documented network communication traffic volume thresholds to ensure they have been defined. The organization being inspected/assessed defines and documents the network communication traffic volume thresholds reflecting limits on auditing capacity, specifying when the information system will reject or delay network traffic that exceeds those thresholds. Response To Audit Processing Failures | Configurable Traffic Volume Thresholds AU-5 (3) AU-5(3).4 Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity. The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
CCI-001860 The organization defines the audit failures which, should they occur, will invoke an organization-defined system mode. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the audit failures as all. DoD has defined the audit failures as all. Response To Audit Processing Failures | Shutdown On Failure AU-5 (4) AU-5(4).1 Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives. Related control: AU-15. The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.
CCI-001861 The information system invokes an organization-defined system mode, in the event of organization-defined audit failures, unless an alternate audit capability exists. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed invokes the system mode defined in AU-5 (4), CCI 2907 in the event of all audit failures, unless an alternate audit capability exists. DoD has defined the audit failures as all. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1861. The organization being inspected/assessed configures the information system to invoke the system mode defined in AU-5 (4), CCI 2907 in the event of all audit failures, unless an alternate audit capability exists. DoD has defined the audit failures as all. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1861. Response To Audit Processing Failures | Shutdown On Failure AU-5 (4) AU-5(4).2 Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives. Related control: AU-15. The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.
CCI-002907 The organization defines the system mode to be invoked, such as a full system shutdown, a partial system shutdown, or a degraded operational mode with limited mission/business functionality available, in the event of organization-defined audit failures. The organization conducting the inspection/assessment obtains and examines the documented system mode to ensure the organization being inspected/assessed defines the system mode to be invoked. The organization being inspected/assessed defines and documents the system mode to be invoked. Possible examples of system modes include a full system shutdown, a partial system shutdown, or a degraded operational mode with limited mission/business functionality available. Response To Audit Processing Failures | Shutdown On Failure AU-5 (4) AU-5(4).3 Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives. Related control: AU-15. The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.
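On Linux the AU-5(4) selection above corresponds to concrete auditd settings. What follows is an added example, not part of the CCI list and not DISA or NIST tooling: it parses an auditd.conf fragment and reports whether each audit-failure action invokes a system mode. It assumes the key names and action values documented in auditd.conf(5) (disk_full_action, disk_error_action, admin_space_left_action; halt, single, suspend, syslog, ignore, and so on). The mapping of halt to "full system shutdown" and single to "degraded operational mode", and the treatment of suspend, syslog and ignore as not invoking any mode, are this example's reading of the control rather than DoD's; both configuration fragments are constructed. Because DoD defines the audit failures as "all", every failure key is checked.

```python
"""Check auditd.conf failure actions against AU-5(4).

Added example; not part of the CCI list and not a DISA/NIST tool.
Assumption: the key names and action values below are those documented
in auditd.conf(5). The mapping onto the AU-5(4) selection is this
example's interpretation, not DoD's.
"""
import re

# The audit-failure keys this example checks (DoD: "all" audit failures).
FAILURE_KEYS = ("disk_full_action", "disk_error_action", "admin_space_left_action")

# auditd action -> AU-5(4) system mode. "single" drops to single-user mode
# (degraded operational mode); "halt" powers the system down (full shutdown).
# "suspend" stops auditing but keeps the system running; "syslog"/"ignore"
# only note the problem. None of those invokes a system mode, so they are
# acceptable only when an alternate audit capability exists.
MODE_FOR_ACTION = {
    "halt": "full system shutdown",
    "single": "degraded operational mode",
}


def parse_auditd_conf(text):
    """Return {key: value} from auditd.conf text, ignoring comments and blanks.

    auditd.conf lines look like 'key = value'; keys and values are treated
    case-insensitively, as auditd itself does.
    """
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z_]+)\s*=\s*(\S+)$", line)
        if m:
            conf[m.group(1).lower()] = m.group(2).lower()
    return conf


def assess_au5_4(text, alternate_audit=False):
    """Evaluate each failure key; returns {key: (compliant, reason)}.

    alternate_audit=True models the control's escape clause ("unless an
    alternate audit capability exists", e.g. records already shipped to a
    remote collector): any action is then accepted.
    """
    conf = parse_auditd_conf(text)
    results = {}
    for key in FAILURE_KEYS:
        action = conf.get(key)
        if action is None:
            # Assumption: auditd's built-in default for these keys is not
            # halt/single, so an unset key is reported as a finding.
            results[key] = (alternate_audit, "key not set")
        elif action in MODE_FOR_ACTION:
            results[key] = (True, MODE_FOR_ACTION[action])
        else:
            results[key] = (alternate_audit, f"action '{action}' invokes no system mode")
    return results


# Constructed sample: an availability-first configuration beside a hardened one.
WEAK_CONF = """\
log_file = /var/log/audit/audit.log
space_left_action = SYSLOG
admin_space_left_action = SUSPEND   # keeps running, stops auditing
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""

HARDENED_CONF = """\
log_file = /var/log/audit/audit.log
space_left_action = email
admin_space_left_action = single   # degraded mode at the final warning
disk_full_action = halt            # full shutdown when audit storage is exhausted
disk_error_action = halt
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for key, (ok, why) in assess_au5_4(conf).items():
            print(f"  {key:26} {'PASS' if ok else 'FAIL'}  {why}")
```

The hardened fragment is deliberately aggressive: halt on a disk error takes the whole host down, which is the "partial shutdown or degraded mode" trade-off the control guidance discusses. An organization that ships audit records to a remote collector can document that as the alternate audit capability and pass alternate_audit=True instead.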
CCI-001862 The organization defines the types of inappropriate or unusual activity to be reviewed and analyzed in the audit records. The organization conducting the inspection/assessment obtains and examines the documented types of inappropriate or unusual activity to ensure they have been defined. DoD has determined that the types of inappropriate or unusual activity are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the types of inappropriate or unusual activity to be reviewed and analyzed in the audit records. DoD has determined that the types of inappropriate or unusual activity are not appropriate to define at the Enterprise level. Audit Review, Analysis, And Reporting AU-6 AU-6.3 Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles].
CCI-001863 The organization defines the personnel or roles to receive the reports of organization-defined inappropriate or unusual activity. The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles who should receive the reports of inappropriate or unusual activity defined in AU-6, CCI 1862 to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles. The organization being inspected/assessed defines and documents any personnel or roles, in addition to the ISSO and ISSM, who shall receive the reports of inappropriate or unusual activity defined in AU-6, CCI 1862. If there are no additional personnel or roles, the organization must also document that. DoD has defined the personnel or roles as at a minimum, the ISSO and ISSM. Audit Review, Analysis, And Reporting AU-6 AU-6.5 Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles].
CCI-001864 The organization employs automated mechanisms to integrate audit review and analysis to support organizational processes for investigation of and response to suspicious activities. The organization conducting the inspection/assessment obtains and examines documentation identifying automated mechanisms to integrate audit review and analysis to ensure such mechanisms have been identified. The organization conducting the inspection/assessment examines the identified automated mechanisms to ensure they have been implemented. The organization being inspected/assessed identifies and implements automated mechanisms to integrate audit review and analysis. The goal is to support organizational investigation of and response to suspicious activities. Audit Review, Analysis, And Reporting | Process Integration AU-6 (1) AU-6(1).1 Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits. Related controls: AU-12, PM-7. The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
CCI-001865 The organization employs automated mechanisms to integrate reporting processes to support organizational investigation of and response to suspicious activities. The organization conducting the inspection/assessment obtains and examines documentation identifying automated mechanisms to integrate reporting processes to ensure such mechanisms have been identified. The organization conducting the inspection/assessment examines the identified automated mechanisms to ensure they have been implemented. The organization being inspected/assessed identifies and implements automated mechanisms to integrate reporting processes (e.g., centralized log analysis tools). The goal is to support organizational investigation of and response to suspicious activities. Audit Review, Analysis, And Reporting | Process Integration AU-6 (1) AU-6(1).2 Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits. Related controls: AU-12, PM-7. The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
CCI-001866 The organization defines the data/information to be collected from other sources to enhance its ability to identify inappropriate or unusual activity. The organization conducting the inspection/assessment obtains and examines documented data/information from other sources to ensure the information has been defined. DoD has determined that the data/information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the data/information to be collected from other sources to enhance its ability to identify inappropriate or unusual activity. If no additional data/information is to be collected, that should also be documented. DoD has determined that the data/information is not appropriate to define at the Enterprise level. Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities AU-6 (5) AU-6(5).1 This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5. The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
CCI-001867 The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, information system monitoring information, and/or organization-defined data/information collected from other sources to further enhance its ability to identify inappropriate or unusual activity. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed integrates the analysis of audit records with the data/information defined in AU-6 (5), CCI 1866 (if any) to further enhance its ability to identify inappropriate or unusual activity. The organization being inspected/assessed documents and implements a process to integrate the analysis of audit records with the data/information defined in AU-6 (5), CCI 1866 (if any) to further enhance its ability to identify inappropriate or unusual activity. Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities AU-6 (5) AU-6(5).2 This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5. The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
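The AU-6(5) guidance singles out correlating audit records with vulnerability-scan information, both to judge the veracity of the scan and to separate scanner-generated events from real attack activity. The following is an added example of that correlation, not part of the CCI list and not a DISA or NIST tool. The record format mimics the shape of Linux audit USER_AUTH lines, but every line, address, account and scan window is constructed; the "findings" vocabulary and the corroboration rule (a successful PAM authentication through sshd from the scanner inside its window confirms that password-style SSH authentication is enabled) are this example's own assumptions.

```python
"""Correlate audit records with vulnerability-scan metadata (AU-6(5)).

Added example; not part of the CCI list and not a DISA/NIST tool.
The lines mimic the shape of Linux audit USER_AUTH records, but every
line, address and scan window below is constructed for this example.
"""
import re

# Constructed scan inventory: one credentialed scan from 10.0.0.5 against
# web1 between t=1700000000 and t=1700000600 that reported password
# authentication enabled on SSH.
SCAN_WINDOWS = [
    {"scanner": "10.0.0.5", "target": "web1", "start": 1700000000, "end": 1700000600,
     "findings": {"ssh-password-auth-enabled"}},
]

# Constructed audit records (fields trimmed to what the correlation needs).
AUDIT_LINES = """\
type=USER_AUTH msg=audit(1700000010.120:501): pid=4211 uid=0 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000011.300:502): pid=4213 uid=0 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000015.000:503): pid=4222 uid=0 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000020.000:504): pid=4220 uid=0 msg='op=PAM:authentication acct="svc_scan" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=success'
type=USER_AUTH msg=audit(1700003600.000:610): pid=5102 uid=0 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=failed'
"""

RECORD = re.compile(
    r'type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):.*?acct="([^"]+)".*?addr=(\S+).*?res=(\w+)'
)


def parse_audit(text):
    """Extract type, epoch seconds, serial, account, source address and result."""
    recs = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            recs.append({"type": m.group(1), "ts": int(m.group(2)), "serial": int(m.group(3)),
                         "acct": m.group(4), "addr": m.group(5), "res": m.group(6)})
    return recs


def classify(rec, windows):
    """Label one record by matching its source address and time to scan windows."""
    matching = [w for w in windows if w["scanner"] == rec["addr"]]
    if not matching:
        return "unexplained"            # not a scanner: review as possible attack
    if any(w["start"] <= rec["ts"] <= w["end"] for w in matching):
        return "scanner-expected"       # noise the scan schedule accounts for
    return "scanner-outside-window"     # scanner address active with no scan scheduled


def correlate(audit_text, windows):
    """Return ({serial: label}, set of scan findings corroborated by audit data)."""
    recs = parse_audit(audit_text)
    labels = {r["serial"]: classify(r, windows) for r in recs}
    corroborated = set()
    for w in windows:
        # Assumption: sshd only consults PAM:authentication for password or
        # keyboard-interactive logins, so a success from the scanner inside
        # its window independently confirms the scanner's finding.
        if "ssh-password-auth-enabled" in w["findings"] and any(
            r["res"] == "success" and r["addr"] == w["scanner"]
            and labels[r["serial"]] == "scanner-expected" for r in recs
        ):
            corroborated.add("ssh-password-auth-enabled")
    return labels, corroborated


if __name__ == "__main__":
    labels, confirmed = correlate(AUDIT_LINES, SCAN_WINDOWS)
    for serial, label in labels.items():
        print(serial, label)
    print("corroborated findings:", sorted(confirmed))
```

The two labels worth an analyst's time are "unexplained" (a failed root login from an address no scan accounts for) and "scanner-outside-window" (the scanner's address used an hour after the scan ended, which may mean a stolen scanner credential). Without the scan inventory all five records look the same.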
CCI-001868 The organization specifies the permitted actions for each information system process, role, and/or user associated with the review and analysis of audit information. The organization conducting the inspection/assessment obtains and examines the documented permitted actions to ensure the organization being inspected/assessed specifies the permitted actions for each information system process, role, and/or user associated with the review and analysis of audit information. The organization being inspected/assessed specifies and documents the permitted actions for each information system process, role, and/or user associated with the review and analysis of audit information. Audit Review, Analysis, And Reporting | Permitted Actions AU-6 (7) AU-6(7).1 Organizations specify permitted actions for information system processes, roles, and/or users associated with the review, analysis, and reporting of audit records through account management techniques. Specifying permitted actions on audit information is a way to enforce the principle of least privilege. Permitted actions are enforced by the information system and include, for example, read, write, execute, append, and delete. The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.
CCI-001869 The organization specifies the permitted actions for each information system process, role, and/or user associated with the reporting of audit information. The organization conducting the inspection/assessment obtains and examines the documented permitted actions to ensure the organization being inspected/assessed specifies the permitted actions for each information system process, role, and/or user associated with the reporting of audit information. The organization being inspected/assessed specifies and documents the permitted actions for each information system process, role, and/or user associated with the reporting of audit information. Audit Review, Analysis, And Reporting | Permitted Actions AU-6 (7) AU-6(7).2 Organizations specify permitted actions for information system processes, roles, and/or users associated with the review, analysis, and reporting of audit records through account management techniques. Specifying permitted actions on audit information is a way to enforce the principle of least privilege. Permitted actions are enforced by the information system and include, for example, read, write, execute, append, and delete. The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.
CCI-001870 The organization performs a full-text analysis of audited privileged commands in a physically-distinct component or subsystem of the information system, or other information system that is dedicated to that analysis. The organization conducting the inspection/assessment obtains and examines the documented process and supporting records (e.g., analysis results) to ensure the organization being inspected/assessed performs a full-text analysis of audited privileged commands in a physically-distinct component or subsystem of the information system, or other information system that is dedicated to that analysis. The organization being inspected/assessed documents and implements a process to perform a full-text analysis of audited privileged commands in a physically-distinct component or subsystem of the information system, or other information system that is dedicated to that analysis. Audit Review, Analysis, And Reporting | Full Text Analysis Of Privileged Commands AU-6 (8) AU-6(8).1 This control enhancement requires a distinct environment for the dedicated analysis of audit information related to privileged users without compromising such information on the information system where the users have elevated privileges including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and all parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes, for example, the use of pattern matching and heuristics. Related controls: AU-3, AU-9, AU-11, AU-12. The organization performs a full-text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
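The distinction the AU-6(8) guidance draws, the full text of a privileged command (command plus all parameters) versus its name alone, is easiest to see with both analyses side by side. The following is an added example, not part of the CCI list and not a DISA or NIST tool, written to run on the dedicated analysis host over sudo records shipped to it. The log lines are constructed in the shape of sudo's syslog output; the program-name allowlist and the pattern rules are illustrative, not a vetted rule set.

```python
"""Full-text analysis of audited privileged commands (AU-6(8)).

Added example; not part of the CCI list and not a DISA/NIST tool.
Meant to run on the dedicated analysis component, over sudo records
shipped there. Log lines are constructed in the shape of sudo's syslog
output; the allowlist and rules are illustrative.
"""
import os
import re

# Constructed sudo records: one benign and one suspicious use of the same
# program names, which a name-only analysis cannot tell apart.
SUDO_LINES = """\
Nov 14 10:01:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/find /var/log -name *.gz -mtime +30
Nov 14 10:02:10 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/find / -perm -4000 -type f
Nov 14 10:03:44 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/chmod u+s /tmp/.x
Nov 14 10:04:01 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Nov 14 10:05:12 web1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash -c echo ZWNobyBwd25lZA== | base64 -d | sh
"""

SUDO_RE = re.compile(r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.*)$")

# Name-only analysis: "approved" program names. Every command in the sample
# passes this check, which is exactly the blind spot AU-6(8) addresses.
NAME_ALLOWLIST = {"find", "chmod", "systemctl", "bash"}

# Full-text rules run against the command and all of its parameters.
# The last one is a heuristic rather than a signature.
FULL_TEXT_RULES = [
    ("suid-enumeration", re.compile(r"\bfind\b.*-perm\s+[-/]?[0-7]*4[0-7]{3}")),
    ("suid-bit-set", re.compile(r"\bchmod\b.*(?:\bu\+s\b|\b[4-7][0-7]{3}\b)")),
    ("shell-escape", re.compile(r"\b(?:bash|sh|dash|zsh)\s+-c\b")),
    ("decode-and-exec", re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:sh|bash)\b")),
    ("tmp-path-argument", re.compile(r"\s/(?:tmp|dev/shm)/\S*")),
]


def parse_sudo(text):
    """Return one dict per sudo record with the invoking user and full command."""
    out = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            out.append({"user": m.group(1), "tty": m.group(2), "pwd": m.group(3),
                        "as": m.group(4), "command": m.group(5)})
    return out


def analyze(text):
    """Run name-only and full-text analysis on every record.

    name_only_flag is True when the program name is outside the allowlist;
    full_text_hits lists the rules that matched the complete command line.
    """
    rows = []
    for rec in parse_sudo(text):
        program = os.path.basename(rec["command"].split()[0])
        rec["name_only_flag"] = program not in NAME_ALLOWLIST
        rec["full_text_hits"] = [name for name, rx in FULL_TEXT_RULES if rx.search(rec["command"])]
        rows.append(rec)
    return rows


if __name__ == "__main__":
    for row in analyze(SUDO_LINES):
        print(f"{row['user']:6} name-only={'FLAG' if row['name_only_flag'] else 'ok  '} "
              f"full-text={row['full_text_hits'] or 'ok'}  {row['command']}")
```

Name-only analysis flags nothing in the sample; full-text analysis flags three of the five records, including the SUID sweep that reuses the same find binary as the routine log cleanup. Keeping this script and its rules off the host where the privileged users operate is what makes the "physically distinct" part of the control hold: a privileged user on web1 cannot edit the rules or the copy of the records being analysed.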
CCI-001871 The organization correlates information from non-technical sources with audit information to enhance organization-wide situational awareness. The organization conducting the inspection/assessment obtains and examines the documented process and supporting records to ensure the organization being inspected/assessed correlates information from non-technical sources with audit information to enhance organization-wide situational awareness. The organization being inspected/assessed documents and implements a process to correlate information from non-technical sources with audit information to enhance organization-wide situational awareness. Audit Review, Analysis, And Reporting | Correlation With Information From Nontechnical Sources AU-6 (9) AU-6(9).1 Nontechnical sources include, for example, human resources records documenting organizational policy violations (e.g., sexual harassment incidents, improper use of organizational information assets). Such information can lead organizations to a more directed analytical effort to detect potential malicious insider activity. Due to the sensitive nature of the information available from nontechnical sources, organizations limit access to such information to minimize the potential for the inadvertent release of privacy-related information to individuals that do not have a need to know. Thus, correlation of information from nontechnical sources with audit information generally occurs only when individuals are suspected of being involved in a security incident. Organizations obtain legal advice prior to initiating such actions. Related control: AT-2. The organization correlates information from non-technical sources with audit information to enhance organization-wide situational awareness.
CCI-001872 The organization adjusts the level of audit review and analysis within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. The organization conducting the inspection/assessment obtains and examines the documented process and supporting records to ensure the organization being inspected/assessed adjusts the level of audit review within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. The organization being inspected/assessed documents and implements a process for adjusting the level of audit review within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information (e.g., INFOCON). Audit Review, Analysis, And Reporting | Audit Level Adjustment AU-6 (10) AU-6(10).1 The frequency, scope, and/or depth of the audit review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
CCI-001873 The organization adjusts the level of audit analysis within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
CCI-001874 The organization adjusts the level of audit reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. The organization conducting the inspection/assessment obtains and examines the documented process and supporting records to ensure the organization being inspected/assessed adjusts the level of audit reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. The organization being inspected/assessed documents and implements a process for adjusting the level of audit reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information (e.g., INFOCON). Audit Review, Analysis, And Reporting | Audit Level Adjustment AU-6 (10) AU-6(10).2 The frequency, scope, and/or depth of the audit review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
CCI-001875 The information system provides an audit reduction capability that supports on-demand audit review and analysis. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide an audit reduction capability that supports on-demand audit review and analysis (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1875. The organization being inspected/assessed must employ information systems that provide an audit reduction capability that supports on-demand audit review and analysis (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1875. Audit Reduction And Report Generation AU-7 AU-7.1 Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records.
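The two AU-7 properties, summarising on demand while leaving the original content and time ordering untouched, and the timestamp-granularity caveat in the guidance, are shown together in the following added example. It is not part of the CCI list and not a DISA or NIST tool; the records are constructed JSON lines in a SIEM-export-like shape this example invents (ts, seq, host, user, event, outcome), where seq is the per-record sequence number that breaks ties when two records share a whole-second timestamp.

```python
"""Audit reduction that leaves the originals untouched (AU-7).

Added example; not part of the CCI list and not a DISA/NIST tool.
Records are constructed JSON lines in a shape this example invents
({"ts", "seq", "host", "user", "event", "outcome"}).
"""
import hashlib
import json
from collections import OrderedDict

# Constructed export. seq 4 and 5 share a whole-second timestamp: only the
# sequence number records that the login happened before the sudo.
RAW_EXPORT = b"""\
{"ts": 1700000000, "seq": 1, "host": "web1", "user": "alice", "event": "login", "outcome": "fail"}
{"ts": 1700000000, "seq": 2, "host": "web1", "user": "alice", "event": "login", "outcome": "fail"}
{"ts": 1700000001, "seq": 3, "host": "web1", "user": "alice", "event": "login", "outcome": "fail"}
{"ts": 1700000002, "seq": 4, "host": "web1", "user": "alice", "event": "login", "outcome": "success"}
{"ts": 1700000002, "seq": 5, "host": "web1", "user": "alice", "event": "sudo", "outcome": "success"}
{"ts": 1700000030, "seq": 6, "host": "db1", "user": "bob", "event": "login", "outcome": "success"}
"""


def digest(raw):
    """SHA-256 of the raw export, compared before and after a report to show
    that reduction read the originals without changing them."""
    return hashlib.sha256(raw).hexdigest()


def load(raw):
    return [json.loads(line) for line in raw.decode().splitlines() if line.strip()]


def is_time_ordered(records):
    """Non-decreasing by (ts, seq). seq breaks ties where the timestamp
    granularity (whole seconds here) is too coarse to order events."""
    keys = [(r["ts"], r["seq"]) for r in records]
    return all(a <= b for a, b in zip(keys, keys[1:]))


def reduce_records(records, since=None, until=None):
    """Summarise by (host, user, event, outcome) in first-seen order.

    Returns a new list of summary dicts; the input list and its dicts are
    only read. Each summary keeps the seqs of its source records so an
    analyst can return to the unreduced originals.
    """
    summary = OrderedDict()
    for r in records:
        if since is not None and r["ts"] < since:
            continue
        if until is not None and r["ts"] > until:
            continue
        key = (r["host"], r["user"], r["event"], r["outcome"])
        entry = summary.get(key)
        if entry is None:
            summary[key] = {"host": r["host"], "user": r["user"], "event": r["event"],
                            "outcome": r["outcome"], "count": 1,
                            "first_ts": r["ts"], "last_ts": r["ts"], "seqs": [r["seq"]]}
        else:
            entry["count"] += 1
            entry["last_ts"] = r["ts"]
            entry["seqs"].append(r["seq"])
    return list(summary.values())


def report(raw, since=None, until=None):
    """On-demand report. Returns (report lines, digest before, digest after)."""
    before = digest(raw)
    records = load(raw)
    if not is_time_ordered(records):
        raise ValueError("export is not in audit time order; refusing to summarise")
    rows = reduce_records(records, since, until)
    lines = [f"{s['host']:5} {s['user']:6} {s['event']:6} {s['outcome']:8} "
             f"x{s['count']} [{s['first_ts']}..{s['last_ts']}] seqs={s['seqs']}"
             for s in rows]
    return lines, before, digest(raw)


if __name__ == "__main__":
    lines, before, after = report(RAW_EXPORT)
    print("\n".join(lines))
    print("originals unchanged:", before == after)
```

The reduction never sorts: it relies on the export already being in audit order and refuses to run otherwise. Re-sorting on ts alone would be the easy mistake here, because the two records at 1700000002 could legitimately come out as sudo-then-login, which is a different story for an investigator.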
CCI-001876 The information system provides an audit reduction capability that supports on-demand reporting requirements. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide an audit reduction capability that supports on-demand reporting requirements (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1876. The organization being inspected/assessed must employ information systems that provide an audit reduction capability that supports on-demand reporting requirements (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1876. Audit Reduction And Report Generation AU-7 AU-7.2 Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records.
CCI-001877 The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide an audit reduction capability that supports after-the-fact investigations of security incidents (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1877. The organization being inspected/assessed must employ information systems that provide an audit reduction capability that supports after-the-fact investigations of security incidents (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1877. Audit Reduction And Report Generation AU-7 AU-7.3 Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records.
CCI-001878 The information system provides a report generation capability that supports on-demand audit review and analysis. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide a report generation capability that supports on-demand audit review and analysis (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1878. The organization being inspected/assessed must employ information systems that provide a report generation capability that supports on-demand audit review and analysis (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1878. Audit Reduction And Report Generation AU-7 AU-7.4 Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records.
CCI-001879 The information system provides a report generation capability that supports on-demand reporting requirements. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide a report generation capability that supports on-demand reporting requirements (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1879. The organization being inspected/assessed must employ information systems that provide a report generation capability that supports on-demand reporting requirements (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1879. Audit Reduction And Report Generation AU-7 AU-7.5 Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records.
CCI-001880 The information system provides a report generation capability that supports after-the-fact investigations of security incidents. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide a report generation capability that supports after-the-fact investigations of security incidents (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1880. The organization being inspected/assessed must employ information systems that provide a report generation capability that supports after-the-fact investigations of security incidents (either natively or through the use of third-party tools). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1880. Audit Reduction And Report Generation AU-7 AU-7.6 Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records.
CCI-001881 The information system provides an audit reduction capability that does not alter original content or time ordering of audit records. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs an audit reduction capability that does not alter original audit records. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1881. The organization being inspected/assessed must ensure that the audit reduction capability does not alter the original audit records. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1881. Audit Reduction And Report Generation AU-7 AU-7.7 Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records.
CCI-001882 The information system provides a report generation capability that does not alter original content or time ordering of audit records. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs a report generation capability that does not alter original audit records. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1882. The organization being inspected/assessed must ensure that the report generation capability does not alter the original audit records. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1882. Audit Reduction And Report Generation AU-7 AU-7.8 Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records.
CCI-001883 The organization defines the audit fields within audit records to be processed for events of interest by the information system. The organization conducting the inspection/assessment obtains and examines the documented audit fields to ensure the organization being inspected/assessed defines the audit fields within audit records to be processed for events of interest by the information system. DoD has determined that the audit fields are not appropriate to define at the Enterprise level. The organization being inspected/assessed must define and document the audit fields within audit records to be processed for events of interest by the information system. DoD has determined that the audit fields are not appropriate to define at the Enterprise level. Audit Reduction And Report Generation | Automatic Processing AU-7 (1) AU-7(1).2 Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
CCI-001884 The organization defines the audit fields within audit records to be sorted for events of interest by the information system. The organization conducting the inspection/assessment obtains and examines the documented audit fields to ensure the organization being inspected/assessed defines the audit fields within audit records to be sorted for events of interest by the information system. DoD has determined that the audit fields are not appropriate to define at the Enterprise level. The organization being inspected/assessed must define and document the audit fields within audit records to be sorted for events of interest by the information system. DoD has determined that the audit fields are not appropriate to define at the Enterprise level. Audit Reduction And Report Generation | Automatic Sort And Search AU-7 (2) AU-7(2).1 Sorting and searching of audit records may be based upon the contents of audit record fields, for example: (i) date/time of events; (ii) user identifiers; (iii) Internet Protocol (IP) addresses involved in the event; (iv) type of event; or (v) event success/failure. The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].
CCI-001885 The organization defines the audit fields within audit records to be searched for events of interest by the information system. The organization conducting the inspection/assessment obtains and examines the documented audit fields to ensure the organization being inspected/assessed defines the audit fields within audit records to be searched for events of interest by the information system. DoD has determined that the audit fields are not appropriate to define at the Enterprise level. The organization being inspected/assessed must define and document the audit fields within audit records to be searched for events of interest by the information system. DoD has determined that the audit fields are not appropriate to define at the Enterprise level. Audit Reduction And Report Generation | Automatic Sort And Search AU-7 (2) AU-7(2).2 Sorting and searching of audit records may be based upon the contents of audit record fields, for example: (i) date/time of events; (ii) user identifiers; (iii) Internet Protocol (IP) addresses involved in the event; (iv) type of event; or (v) event success/failure. The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].
CCI-001886 The information system provides the capability to sort audit records for events of interest based on the content of organization-defined audit fields within audit records. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide the capability to sort audit records for events of interest based on the content of audit fields within audit records as defined in AU-7 (2), CCI 1884. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1886. The organization being inspected/assessed must employ information systems that provide the capability to sort audit records for events of interest based on the content of audit fields within audit records as defined in AU-7 (2), CCI 1884. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1886. Audit Reduction And Report Generation | Automatic Sort And Search AU-7 (2) AU-7(2).3 Sorting and searching of audit records may be based upon the contents of audit record fields, for example: (i) date/time of events; (ii) user identifiers; (iii) Internet Protocol (IP) addresses involved in the event; (iv) type of event; or (v) event success/failure. The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].
CCI-001887 The information system provides the capability to search audit records for events of interest based on the content of organization-defined audit fields within audit records. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed employs information systems that provide the capability to search audit records for events of interest based on the content of audit fields within audit records as defined in AU-7 (2), CCI 1885. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1887. The organization being inspected/assessed must employ information systems that provide the capability to search audit records for events of interest based on the content of audit fields within audit records as defined in AU-7 (2), CCI 1885. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1887. Audit Reduction And Report Generation | Automatic Sort And Search AU-7 (2) AU-7(2).4 Sorting and searching of audit records may be based upon the contents of audit record fields, for example: (i) date/time of events; (ii) user identifiers; (iii) Internet Protocol (IP) addresses involved in the event; (iv) type of event; or (v) event success/failure. The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].
CCI-001888 The organization defines the granularity of time measurement for time stamps generated for audit records. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the granularity of time measurement as one second. DoD has defined the granularity of time measurement as one second. Time Stamps AU-8 AU-8.2 Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12. The information system: a. Uses internal system clocks to generate time stamps for audit records; and b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
CCI-001889 The information system records time stamps for audit records that meet organization-defined granularity of time measurement. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate time in the time stamps for audit records that meets one second granularity of time measurement. DoD has defined the granularity of time measurement as one second. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1889. The organization being inspected/assessed configures the information system to generate time in the time stamps for audit records that meets one second granularity of time measurement. DoD has defined the granularity of time measurement as one second. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1889. Time Stamps AU-8 AU-8.3 Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12. The information system: a. Uses internal system clocks to generate time stamps for audit records; and b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
CCI-001890 The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to generate time stamps for audit records that contain time zones or time offsets that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1890. The organization being inspected/assessed configures the information system to generate time stamps for audit records that contain time zones or time offsets that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1890. Time Stamps AU-8 AU-8.4 Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12. The information system: a. Uses internal system clocks to generate time stamps for audit records; and b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
CCI-001891 The information system compares internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to synchronize internal information system clocks every 24 hours for networked systems with an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS) when the time difference is greater than the difference defined in AU-8 (1), CCI 1892. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1891. DoD has defined the frequency as every 24 hours for networked systems. DoD has defined the authoritative time source as an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS). The organization being inspected/assessed configures the information system to synchronize internal information system clocks every 24 hours for networked systems with an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS) when the time difference is greater than the difference defined in AU-8 (1), CCI 1892. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1891. DoD has defined the frequency as every 24 hours for networked systems. DoD has defined the authoritative time source as an authoritative time server which is synchronized with redundant United States Naval Observatory (USNO) time servers as designated for the appropriate DoD network (NIPRNet / SIPRNet) and/or the Global Positioning System (GPS). Time Stamps | Synchronization With Authoritative Time Source AU-8 (1) AU-8(1).3 This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. The information system: (a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and (b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
CCI-001892 The organization defines the time difference which, when exceeded, will require the information system to synchronize the internal information system clocks to the organization-defined authoritative time source. The organization conducting the inspection/assessment obtains and examines the documented time difference to ensure the organization being inspected/assessed defines the time difference which, when exceeded, will require the information system to synchronize the internal information system clocks. DoD has determined the time difference is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the time difference, which, when exceeded, will require the information system to synchronize the internal information system clocks. DoD has determined the time difference is not appropriate to define at the Enterprise level. Time Stamps | Synchronization With Authoritative Time Source AU-8 (1) AU-8(1).4 This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. The information system: (a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and (b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
CCI-001893 The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed uses a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1893. The organization being inspected/assessed configures the information system to use a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1893. Time Stamps | Secondary Authoritative Time Source AU-8 (2) AU-8(2).1 The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
CCI-002046 The information system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the organization-defined time period. The organization conducting the inspection/assessment examines the information system to ensure the system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the time period defined in AU-8 (1), CCI 1892. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2046. The organization being inspected/assessed configures the information system to synchronize the internal system clocks to the authoritative time source when the time difference is greater than the time period defined in AU-8 (1), CCI 1892. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2046. Time Stamps | Synchronization With Authoritative Time Source AU-8 (1) AU-8(1).5 This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. The information system: (a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and (b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
CCI-001894 The organization defines the subset of privileged users who will be authorized access to the management of audit functionality. The organization conducting the inspection/assessment obtains and examines the documented subset of privileged users to be authorized access to the management of audit functionality, to ensure the organization being inspected/assessed defines and documents the subset of privileged users to be authorized access to the management of audit functionality. DoD has determined the subset of privileged users is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the subset of privileged users to be authorized access to the management of audit functionality. DoD has determined the subset of privileged users is not appropriate to define at the Enterprise level. Protection Of Audit Information | Access By Subset Of Privileged Users AU-9 (4) AU-9(4).1 Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Related control: AC-5. The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].
CCI-001895 The organization defines the audit information requiring dual authorization for movement or deletion actions. The organization conducting the inspection/assessment obtains and examines the definition of audit information requiring dual authorization for movement or deletion actions, to ensure the organization being inspected/assessed defines and documents the audit information requiring dual authorization for movement or deletion actions. DoD has determined the audit information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the audit information requiring dual authorization for movement or deletion actions. DoD has determined the audit information is not appropriate to define at the Enterprise level. Protection Of Audit Information | Dual Authorization AU-9 (5) AU-9(5).1 Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Dual authorization may also be known as two-person control. Related controls: AC-3, MP-2. The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
CCI-001896 The organization enforces dual authorization for movement and/or deletion of organization-defined audit information. The organization conducting the inspection/assessment examines the information system to ensure that the organization being inspected/assessed has configured the information system to enforce dual authorization for movement and/or deletion of audit information defined in AU-9 (5), CCI 1895. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1896. The organization being inspected/assessed configures the information system to enforce dual authorization for movement and/or deletion of audit information defined in AU-9 (5), CCI 1895. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1896. Protection Of Audit Information | Dual Authorization AU-9 (5) AU-9(5).2 Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Dual authorization may also be known as two-person control. Related controls: AC-3, MP-2. The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
CCI-001897 The organization defines the subset of privileged users who will be authorized read-only access to audit information. The organization conducting the inspection/assessment obtains and examines the subset of privileged users who will be authorized read-only access to audit information, to ensure the organization being inspected/assessed defines and documents the subset of privileged users who will be authorized read-only access to audit information. DoD has determined that the subset of privileged users is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the subset of privileged users who will be authorized read-only access to audit information. DoD has determined that the subset of privileged users is not appropriate to define at the Enterprise level. Protection Of Audit Information | Read Only Access AU-9 (6) AU-9(6).1 Restricting privileged user authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users (e.g., deleting audit records to cover up malicious activity). The organization authorizes read only access to audit information to [Assignment: organization-defined subset of privileged users].
CCI-001898 The organization authorizes read-only access to audit information to an organization-defined subset of privileged users. The organization conducting the inspection/assessment obtains and examines the documentation of read only access authorizations for audit information to ensure only the subset of privileged users defined in AU-9 (6), CCI 1897 have been granted access authorization. The organization being inspected/assessed authorizes read only access to audit information to only the subset of privileged users defined in AU-9 (6), CCI 1897. Protection Of Audit Information | Read Only Access AU-9 (6) AU-9(6).2 Restricting privileged user authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users (e.g., deleting audit records to cover up malicious activity). The organization authorizes read only access to audit information to [Assignment: organization-defined subset of privileged users].
CCI-001899 The organization defines the actions to be covered by non-repudiation. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the actions to be covered by non-repudiation as actions defined by DoDI 8520.02 and DoDI 8520.03. DoD has defined the actions to be covered by non-repudiation as actions defined by DoDI 8520.02 and DoDI 8520.03. Non-Repudiation AU-10 AU-10.2 Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts). Related controls: SC-12, SC-8, SC-13, SC-16, SC-17, SC-23. The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].
CCI-001900 The organization defines the strength of binding to be applied to the binding of the identity of the information producer with the information. The organization conducting the inspection/assessment obtains and examines the documented strength of binding to ensure the organization being inspected/assessed defines the strength of binding and where within the information system it has been implemented, to be applied to the binding of the identity of the information producer with the information. DoD has determined that the strength of binding is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the strength of binding and where within the information system it has been implemented, to be applied to the binding of the identity of the information producer with the information. DoD has determined that the strength of binding is not appropriate to define at the Enterprise level. Non-Repudiation | Association Of Identities AU-10 (1) AU-10(1).1 This control enhancement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors. Related controls: AC-4, AC-16. The information system: (a) Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (b) Provides the means for authorized individuals to determine the identity of the producer of the information.
CCI-001901 The information system binds the identity of the information producer with the information to an organization-defined strength of binding. The organization conducting the inspection/assessment examines the information system to ensure the producer identity is bound to the information with the strength of binding defined in AU-10 (1), CCI 1900. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1901. The organization being inspected/assessed configures the information system to bind the identity of the information producer with the information with the strength of binding defined in AU-10 (1), CCI 1900. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1901. Non-Repudiation | Association Of Identities AU-10 (1) AU-10(1).2 This control enhancement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors. Related controls: AC-4, AC-16. The information system: (a) Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (b) Provides the means for authorized individuals to determine the identity of the producer of the information.
CCI-001902 The information system provides the means for authorized individuals to determine the identity of the producer of the information. The organization conducting the inspection/assessment examines the information system to ensure authorized individuals are able to determine the identity of the producer of the information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1902. The organization being inspected/assessed configures the information system to provide a means for authorized individuals to determine the identity of the producer of the information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1902. Non-Repudiation | Association Of Identities AU-10 (1) AU-10(1).3 This control enhancement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors. Related controls: AC-4, AC-16. The information system: (a) Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (b) Provides the means for authorized individuals to determine the identity of the producer of the information.
CCI-001903 The organization defines the frequency on which the information system is to validate the binding of the information producer identity to the information. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access. DoD has defined the frequency as according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access. Non-Repudiation | Validate Binding Of Information Producer Identity AU-10 (2) AU-10(2).1 This control enhancement prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-3, AC-4, AC-16. The information system: (a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (b) Performs [Assignment: organization-defined actions] in the event of a validation error.
CCI-001904 The information system validates the binding of the information producer identity to the information at an organization-defined frequency. The organization conducting the inspection/assessment examines the information system to ensure the information system is configured to validate the binding of the information producer identity to the information according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1904. DoD has defined the frequency as according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access. The organization being inspected/assessed configures the information system to validate the binding of the information producer identity to the information according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1904. DoD has defined the frequency as according to the tool's capability frequency, but at a minimum, upon first access or hourly in cases of continued access. Non-Repudiation | Validate Binding Of Information Producer Identity AU-10 (2) AU-10(2).2 This control enhancement prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-3, AC-4, AC-16. The information system: (a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (b) Performs [Assignment: organization-defined actions] in the event of a validation error.
CCI-001905 The organization defines the actions to be performed in the event of an error when validating the binding of the information producer identity to the information. The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed defines the actions to be performed in the event of an error when validating the binding of the information producer identity to the information. DoD has determined the actions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the actions to be performed in the event of an error when validating the binding of the information producer identity to the information. The organization should consider the system's environment and the impact of the errors when defining the actions. Examples of actions include automated notification to administrators, or halting the system process or read action. DoD has determined the actions are not appropriate to define at the Enterprise level. Non-Repudiation | Validate Binding Of Information Producer Identity AU-10 (2) AU-10(2).3 This control enhancement prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-3, AC-4, AC-16. The information system: (a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (b) Performs [Assignment: organization-defined actions] in the event of a validation error.
CCI-001906 The information system performs organization-defined actions in the event of an error when validating the binding of the information producer identity to the information. The organization conducting the inspection/assessment examines the information system to ensure the information system is configured to perform the actions defined in AU-10 (2), CCI 1905 in the event of an error when validating the binding of the information producer identity to the information. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1906. The organization being inspected/assessed configures the information system to perform the actions defined in AU-10 (2), CCI 1905 in the event of an error when validating the binding of the information producer identity to the information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1906. Non-Repudiation | Validate Binding Of Information Producer Identity AU-10 (2) AU-10(2).4 This control enhancement prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-3, AC-4, AC-16. The information system: (a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (b) Performs [Assignment: organization-defined actions] in the event of a validation error.
CCI-001907 The organization defines the security domains which will require the information system to validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer. The organization conducting the inspection/assessment obtains and examines the documented security domains to ensure the organization being inspected/assessed defines the security domains which require the information system to validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer. DoD has determined the security domains are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security domains which require the information system to validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer. DoD has determined the security domains are not appropriate to define at the Enterprise level. Note: Security domain as defined by CNSSI 4009. Non-Repudiation | Validate Binding Of Information Reviewer Identity AU-10 (4) AU-10(4).2 This control enhancement prevents the modification of information between review and transfer/release. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-4, AC-16. The information system: (a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and (b) Performs [Assignment: organization-defined actions] in the event of a validation error.
CCI-001908 The organization defines the action the information system is to perform in the event of an information reviewer identity binding validation error. The organization conducting the inspection/assessment obtains and examines the documented actions to ensure the organization being inspected/assessed defines the actions the information system is to perform in the event of an information reviewer identity binding validation error. At a minimum, the actions must include alerting the data/information owner of a validation error on a reviewer's identity. DoD has determined that all actions are not appropriate to define at the Enterprise level. At a minimum, the actions must include alerting the data/information owner of a validation error on a reviewer's identity. The organization being inspected/assessed defines and documents the actions the information system is to perform in the event of an information reviewer identity binding validation error. At a minimum, the actions must include alerting the data/information owner of a validation error on a reviewer's identity. DoD has determined that all actions are not appropriate to define at the Enterprise level. At a minimum, the actions must include alerting the data/information owner of a validation error on a reviewer's identity. Non-Repudiation | Validate Binding Of Information Reviewer Identity AU-10 (4) AU-10(4).3 This control enhancement prevents the modification of information between review and transfer/release. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-4, AC-16. The information system: (a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and (b) Performs [Assignment: organization-defined actions] in the event of a validation error.
CCI-001909 The information system performs organization-defined actions in the event of an information reviewer identity binding validation error. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to perform actions defined in AU-10 (4), CCI 1908 in the event of an information reviewer identity binding validation error. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1909. The organization being inspected/assessed configures the information system to perform actions defined in AU-10 (4), CCI 1908 in the event of an information reviewer identity binding validation error. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1909. Non-Repudiation | Validate Binding Of Information Reviewer Identity AU-10 (4) AU-10(4).4 This control enhancement prevents the modification of information between review and transfer/release. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically. Related controls: AC-4, AC-16. The information system: (a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and (b) Performs [Assignment: organization-defined actions] in the event of a validation error.
CCI-002044 The organization defines measures to be employed to ensure that long-term audit records generated by the information system can be retrieved. The organization conducting the inspection/assessment obtains and examines the documented measures to ensure the organization being inspected/assessed defines measures to be employed to ensure that long-term audit records generated by the information system can be retrieved. DoD has determined that the measures are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents measures to be employed to ensure that long-term audit records generated by the information system can be retrieved. DoD has determined that the measures are not appropriate to define at the Enterprise level. Audit Record Retention | Long-Term Retrieval Capability AU-11 (1) AU-11(1).1 Measures employed by organizations to help facilitate the retrieval of audit records include, for example, converting records to newer formats, retaining equipment capable of reading the records, and retaining necessary documentation to help organizational personnel understand how to interpret the records. The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved.
CCI-002045 The organization employs organization-defined measures to ensure that long-term audit records generated by the information system can be retrieved. The organization conducting the inspection/assessment obtains and examines the documented measures to ensure the organization being inspected/assessed employs the measures defined in AU-11 (1), CCI 2044 to ensure that long-term audit records generated by the information system can be retrieved. The organization being inspected/assessed employs the measures defined in AU-11 (1), CCI 2044 to ensure that long-term audit records generated by the information system can be retrieved. Audit Record Retention | Long-Term Retrieval Capability AU-11 (1) AU-11(1).2 Measures employed by organizations to help facilitate the retrieval of audit records include, for example, converting records to newer formats, retaining equipment capable of reading the records, and retaining necessary documentation to help organizational personnel understand how to interpret the records. The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved.
CCI-001910 The organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as the ISSM or individuals appointed by the ISSM. DoD has defined the personnel or roles as the ISSM or individuals appointed by the ISSM. Audit Generation AU-12 AU-12.4 Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the audited events defined in AU-2 with the content defined in AU-3.
CCI-001911 The organization defines the selectable event criteria to be used as the basis for changes to the auditing to be performed on organization-defined information system components, by organization-defined individuals or roles, within organization-defined time thresholds. The organization conducting the inspection/assessment obtains and examines the documented selectable event criteria to ensure the organization being inspected/assessed defines the selectable event criteria for which changed auditing is to be performed. DoD has determined the selectable event criteria are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the selectable event criteria for which changed auditing is to be performed. DoD has determined the selectable event criteria are not appropriate to define at the Enterprise level. Audit Generation | Changes By Authorized Individuals AU-12 (3) AU-12(3).1 This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
CCI-001912 The organization defines the time thresholds for organization-defined individuals or roles to change the auditing to be performed based on organization-defined selectable event criteria. The organization conducting the inspection/assessment obtains and examines the documented time thresholds to ensure the organization being inspected/assessed defines the time thresholds within which individuals or roles change the auditing to be performed on information system components based on the selectable event criteria defined in AU-12 (3), CCI 1911. DoD has determined the time thresholds are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the time thresholds within which individuals or roles change the auditing to be performed on information system components based on the selectable event criteria defined in AU-12 (3), CCI 1911. DoD has determined the time thresholds are not appropriate to define at the Enterprise level. Audit Generation | Changes By Authorized Individuals AU-12 (3) AU-12(3).2 This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
CCI-001913 The organization defines the individuals or roles that are to be provided the capability to change the auditing to be performed based on organization-defined selectable event criteria, within organization-defined time thresholds. The organization conducting the inspection/assessment obtains and examines the documented individuals or roles to ensure the organization being inspected/assessed defines the individuals or roles that are to be provided the capability to change the auditing to be performed based on the selectable event criteria defined in AU-12 (3), CCI 1911, within the time thresholds defined in AU-12 (3), CCI 1912. DoD has determined that the individuals or roles are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the individuals or roles that are to be provided the capability to change the auditing to be performed based on the selectable event criteria defined in AU-12 (3), CCI 1911, within the time thresholds defined in AU-12 (3), CCI 1912. DoD has determined that the individuals or roles are not appropriate to define at the Enterprise level. Audit Generation | Changes By Authorized Individuals AU-12 (3) AU-12(3).3 This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
CCI-001914 The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for individuals or roles defined in AU-12 (3), CCI 1913 to change the auditing to be performed on information system components defined in AU-12 (3), CCI 2047 based on selectable event criteria defined in AU-12 (3), CCI 1911 within time thresholds defined in AU-12 (3), CCI 1912. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1914. The organization being inspected/assessed configures the information system to provide the capability for individuals or roles defined in AU-12 (3), CCI 1913 to change the auditing to be performed on information system components defined in AU-12 (3), CCI 2047 based on selectable event criteria defined in AU-12 (3), CCI 1911 within time thresholds defined in AU-12 (3), CCI 1912. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1914. Audit Generation | Changes By Authorized Individuals AU-12 (3) AU-12(3).4 This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
CCI-002047 The organization defines the information system components on which the auditing that is to be performed can be changed by organization-defined individuals or roles. The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed has defined the information system components on which the auditing that is to be performed can be changed by the individuals or roles defined in AU-12 (3), CCI 1913. DoD has determined the information system components are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system components on which the auditing that is to be performed can be changed by individuals or roles defined in AU-12 (3), CCI 1913. DoD has determined the information system components are not appropriate to define at the Enterprise level. Audit Generation | Changes By Authorized Individuals AU-12 (3) AU-12(3).5 This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
CCI-001915 The organization defines the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information. The organization conducting the inspection/assessment obtains and examines the documented open source information and/or information sites to ensure the organization being inspected/assessed defines the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information. DoD has determined that open source information and/or information sites should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. The organization being inspected/assessed defines and documents the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information. DoD has determined that open source information and/or information sites should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. Monitoring For Information Disclosure AU-13 AU-13.3 Open source information includes, for example, social networking sites. Related controls: PE-3, SC-7. The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.
CCI-001916 The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner. The organization conducting the inspection/assessment obtains and examines documentation of the use of the identified automated mechanisms to ensure that the identified system determines if organizational information has been disclosed in an unauthorized manner. The organization being inspected/assessed may be required to demonstrate use of their identified automated mechanisms. The organization being inspected/assessed documents and employs an automated mechanism to determine if organizational information has been disclosed in an unauthorized manner. Monitoring For Information Disclosure | Use Of Automated Tools AU-13 (1) AU-13(1).1 Automated mechanisms can include, for example, automated scripts to monitor new posts on selected websites, and commercial services providing notifications and alerts to organizations. The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.
CCI-001917 The organization defines the frequency for reviewing the open source information sites being monitored. The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency for reviewing the open source information sites being monitored. DoD has determined that the frequency should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. The organization being inspected/assessed defines and documents the frequency for reviewing the open source information sites being monitored. DoD has determined that the frequency should be defined at the Component level, not appropriate to define at the Enterprise level. Note: The value in this control may not be used to deny reciprocal acceptance of a C&A (A&A) package. Monitoring For Information Disclosure | Review Of Monitored Sites AU-13 (2) AU-13(2).1 The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency].
CCI-001918 The organization reviews the open source information sites being monitored per organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed reviews the open source information sites being monitored per the frequency defined in AU-13 (2), CCI 1917. The organization being inspected/assessed documents and implements a process to review the open source information sites being monitored per the frequency defined in AU-13 (2), CCI 1917. Monitoring For Information Disclosure | Review Of Monitored Sites AU-13 (2) AU-13(2).2 The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency].
CCI-001919 The information system provides the capability for authorized users to select a user session to capture/record or view/hear. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for authorized users to select a user session to capture/record or view/hear. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1919. The organization being inspected/assessed configures the information system to provide the capability for authorized users to select a user session to capture/record or view/hear. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1919. Session Audit AU-14 AU-14.1 Session audits include, for example, monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, or standards. Related controls: AC-3, AU-4, AU-5, AU-9, AU-11. The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
CCI-001920 The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability for authorized users to remotely view/hear all content related to an established user session in real time. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1920. The organization being inspected/assessed configures the information system to provide the capability for authorized users to remotely view/hear all content related to an established user session in real time. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1920. Session Audit | Remote Viewing / Listening AU-14 (3) AU-14(3).1 The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.
CCI-001921 The organization defines the alternative audit functionality to be provided in the event of a failure in the primary audit capability. The organization conducting the inspection/assessment obtains and examines the documented alternative audit functionality to ensure the organization being inspected/assessed has defined the alternative audit functionality to be provided in the event of a failure in the primary audit capability. DoD has determined that the actions are not appropriate to define at the Enterprise level. The organization being inspected/assessed will define and document the alternative audit functionality to be provided in the event of a failure in the primary audit capability. The organization shall consider trade-offs between the needs for system availability and audit integrity when defining the actions. Unless availability is an overriding concern, the default action should be to shut down the information system. DoD has determined that the actions are not appropriate to define at the Enterprise level. Alternate Audit Capability AU-15 AU-15.1 Since an alternate audit capability may be a short-term protection employed until the failure in the primary auditing capability is corrected, organizations may determine that the alternate audit capability need only provide a subset of the primary audit functionality that is impacted by the failure. Related control: AU-5. The organization provides an alternative audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].
CCI-001922 The organization provides an alternative audit capability in the event of a failure in primary audit capability that provides organization-defined alternative audit functionality. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement an alternative audit capability in the event of a failure in primary audit capability that provides the alternative audit functionality defined in AU-15, CCI 1921. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1922. The organization being inspected/assessed configures the information system to implement an alternative audit capability in the event of a failure in primary audit capability that provides the alternative audit functionality defined in AU-15, CCI 1921. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1922. Alternate Audit Capability AU-15 AU-15.2 Since an alternate audit capability may be a short-term protection employed until the failure in the primary auditing capability is corrected, organizations may determine that the alternate audit capability need only provide a subset of the primary audit functionality that is impacted by the failure. Related control: AU-5. The organization provides an alternative audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].
CCI-001923 The organization defines the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries. The organization conducting the inspection/assessment obtains and examines the documented audit information to ensure the organization being inspected/assessed defines the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries. DoD has determined the methods are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries. DoD has determined the methods are not appropriate to define at the Enterprise level. Cross-Organizational Auditing AU-16 AU-16.1 When organizations use information systems and/or services of external organizations, the auditing capability necessitates a coordinated approach across organizations. For example, maintaining the identity of individuals that requested particular services across organizational boundaries may often be very difficult, and doing so may prove to have significant performance ramifications. Therefore, it is often the case that cross-organizational auditing (e.g., the type of auditing capability provided by service-oriented architectures) simply captures the identity of individuals issuing requests at the initial information system, and subsequent systems record that the requests emanated from authorized individuals. Related control: AU-6. The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
CCI-001924 The organization defines the methods to be employed when coordinating audit information among external organizations when audit information is transmitted across organizational boundaries. The organization conducting the inspection/assessment obtains and examines the documented methods to ensure the organization being inspected/assessed defines the methods to be employed when coordinating audit information among external organizations when audit information is transmitted across organizational boundaries. DoD has determined the methods are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the methods to be employed when coordinating audit information among external organizations when audit information is transmitted across organizational boundaries. DoD has determined the methods are not appropriate to define at the Enterprise level. Cross-Organizational Auditing AU-16 AU-16.2 When organizations use information systems and/or services of external organizations, the auditing capability necessitates a coordinated approach across organizations. For example, maintaining the identity of individuals that requested particular services across organizational boundaries may often be very difficult, and doing so may prove to have significant performance ramifications. Therefore, it is often the case that cross-organizational auditing (e.g., the type of auditing capability provided by service-oriented architectures) simply captures the identity of individuals issuing requests at the initial information system, and subsequent systems record that the requests emanated from authorized individuals. Related control: AU-6. The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
CCI-001925 The organization employs organization-defined methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs a process to employ the methods defined in AU-16, CCI 1924 for coordinating audit information defined in AU-16, CCI 1923 among external organizations when audit information is transmitted across organizational boundaries. The organization being inspected/assessed documents and implements a process to employ the methods defined in AU-16, CCI 1924 for coordinating audit information defined in AU-16, CCI 1923 among external organizations when audit information is transmitted across organizational boundaries. Cross-Organizational Auditing AU-16 AU-16.3 When organizations use information systems and/or services of external organizations, the auditing capability necessitates a coordinated approach across organizations. For example, maintaining the identity of individuals that requested particular services across organizational boundaries may often be very difficult, and doing so may prove to have significant performance ramifications. Therefore, it is often the case that cross-organizational auditing (e.g., the type of auditing capability provided by service-oriented architectures) simply captures the identity of individuals issuing requests at the initial information system, and subsequent systems record that the requests emanated from authorized individuals. Related control: AU-6. The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
CCI-001926 The organization requires that the identity of individuals be preserved in cross-organizational audit trails. The organization conducting the inspection/assessment obtains and examines a sampling of cross-organizational audit trails to ensure that the identity of individuals conducting audited actions is preserved. The organization being inspected/assessed implements a process to ensure that the identity of individuals is preserved in cross-organizational audit trails. Cross-Organizational Auditing | Identity Preservation AU-16 (1) AU-16(1).1 This control enhancement applies when there is a need to be able to trace actions that are performed across organizational boundaries to a specific individual. The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
CCI-001927 The organization defines the organizations that will be provided cross-organizational audit information. The organization conducting the inspection/assessment obtains and examines the documented organizations to ensure the organization being inspected/assessed defines the organizations that will be provided cross-organizational audit information. DoD has determined the cross-organizational sharing agreements are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the organizations that will be provided cross-organizational audit information. DoD has determined the cross-organizational sharing agreements are not appropriate to define at the Enterprise level. Cross-Organizational Auditing | Sharing Of Audit Information AU-16 (2) AU-16(2).1 Because of the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only the home organizations of individuals have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations. The organization provides cross-organizational audit information to [Assignment: organization defined organizations] based on [Assignment: organization-defined cross organizational sharing agreements].
CCI-001928 The organization defines the cross-organizational sharing agreements to be established with organization-defined organizations authorized to be provided cross-organizational sharing of audit information. The organization conducting the inspection/assessment obtains and examines the documented sharing agreements to ensure the organization being inspected/assessed defines the cross-organizational sharing agreements to be established with organizations defined in AU-16 (2), CCI 1927 authorized to be provided cross-organizational sharing of audit information. DoD has determined the cross-organizational sharing agreements are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the cross-organizational sharing agreements to be established with organizations defined in AU-16 (2), CCI 1927 authorized to be provided cross-organizational sharing of audit information. DoD has determined the cross-organizational sharing agreements are not appropriate to define at the Enterprise level. Cross-Organizational Auditing | Sharing Of Audit Information AU-16 (2) AU-16(2).2 Because of the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only the home organizations of individuals have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations. The organization provides cross-organizational audit information to [Assignment: organization defined organizations] based on [Assignment: organization-defined cross organizational sharing agreements].
CCI-001929 The organization provides cross-organizational audit information to organization-defined organizations based on organization-defined cross organizational sharing agreements. The organization conducting the inspection/assessment obtains and examines the audit information that provides cross-organizational audit information to organizations defined in AU-16 (2), CCI 1927 based on cross organizational sharing agreements defined in AU-16 (2), CCI 1928. The organization being inspected/assessed provides cross-organizational audit information to organizations defined in AU-16 (2), CCI 1927 based on cross organizational sharing agreements defined in AU-16 (2), CCI 1928. Cross-Organizational Auditing | Sharing Of Audit Information AU-16 (2) AU-16(2).3 Because of the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only the home organizations of individuals have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations. The organization provides cross-organizational audit information to [Assignment: organization defined organizations] based on [Assignment: organization-defined cross organizational sharing agreements].
CCI-002060 The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-002061 The organization defines the personnel or roles to whom security assessment and authorization policy is to be disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as all personnel. DoD has defined the personnel or roles as all personnel. DoD disseminates DoDI 8510.01 organization-wide via the DoD Issuances website. http://www.dtic.mil/whs/directives/corres/ins1.html Security Assessment And Authorization Policy And Procedures CA-1 CA-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CCI-002062 The organization defines the personnel or roles to whom the security assessment and authorization procedures are to be disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as all personnel. DoD has defined the personnel or roles as all personnel. Security Assessment And Authorization Policy And Procedures CA-1 CA-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CCI-002063 The organization defines the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems. The organization conducting the inspection/assessment obtains and examines the documented level of independence to ensure the organization being inspected/assessed defines the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems. DoD has determined the level of independence is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems. DoD has determined the level of independence is not appropriate to define at the Enterprise level. Security Assessments | Independent Assessors CA-2 (1) CA-2(1).2 Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments. The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.
CCI-002064 The organization selects one or more security assessment techniques to be conducted. The organization conducting the inspection/assessment obtains and examines the selected list of assessment techniques that are to be conducted to ensure the selections have been documented. The organization being inspected/assessed selects and documents one or more security assessment techniques to be conducted. Techniques include in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing, as well as any other techniques identified in CA-2 (2), CCI 1582. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level. Security Assessments | Specialized Assessments CA-2 (2) CA-2(2).4 Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
CCI-002065 The organization defines the frequency at which to conduct security control assessments. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least annually. DoD has defined the frequency as at least annually. Security Assessments | Specialized Assessments CA-2 (2) CA-2(2).5 Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
CCI-002066 The organization accepts the results of an assessment of the organization-defined information system performed by an organization-defined external organization when the assessment meets organization-defined requirements. The organization conducting the inspection/assessment obtains and examines a sampling of records of acceptance or rejection of external organization assessment results to ensure the organization being inspected/assessed accepts the results of an assessment of the information system defined in CA-2 (3), CCI 2067 performed by external organization defined in CA-2 (3), CCI 2068 when the assessment meets requirements defined in CA-2 (3), CCI 2069. The organization being inspected/assessed accepts the results of an assessment of the information system defined in CA-2 (3), CCI 2067 performed by external organization defined in CA-2 (3), CCI 2068 when the assessment meets requirements defined in CA-2 (3), CCI 2069. The organization must maintain records of acceptance or rejection of external organization assessment results. Security Assessments | External Organizations CA-2 (3) CA-2(3).1 Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].
CCI-002067 The organization defines the information systems for which they will accept the results of an assessment performed by an external organization. The organization conducting the inspection/assessment obtains and examines the documented information systems to ensure the organization being inspected/assessed defines the information systems for which they will accept the results of an assessment performed by an external organization. DoD has determined the information systems are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information systems for which they will accept the results of an assessment performed by an external organization. DoD has determined the information systems are not appropriate to define at the Enterprise level. Security Assessments | External Organizations CA-2 (3) CA-2(3).2 Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].
CCI-002068 The organization defines the external organizations from which assessment results for organization-defined information systems will be accepted. The organization conducting the inspection/assessment obtains and examines the documented external organizations to ensure the organization being inspected/assessed defines the external organizations from which assessment results for organization-defined information systems will be accepted. DoD has determined the external organizations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the external organizations from which assessment results for organization-defined information systems will be accepted. DoD has determined the external organizations are not appropriate to define at the Enterprise level. Security Assessments | External Organizations CA-2 (3) CA-2(3).3 Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].
CCI-002069 The organization defines the requirements the assessments for organization-defined information systems from organization-defined external organizations must meet. The organization conducting the inspection/assessment obtains and examines the documented requirements to ensure the organization being inspected/assessed defines the requirements the assessments for organization-defined information systems from organization-defined external organizations must meet. DoD has determined the requirements are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the requirements the assessments for organization-defined information systems from organization-defined external organizations must meet. DoD has determined the requirements are not appropriate to define at the Enterprise level. Security Assessments | External Organizations CA-2 (3) CA-2(3).4 Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].
CCI-002070 The organization's security assessment plan describes the assessment team, and assessment roles and responsibilities. The organization conducting the inspection/assessment obtains and examines the security assessment plan to ensure the organization being inspected/assessed lists their assessment team members and their associated assessment roles and responsibilities in the security assessment plan. The organization being inspected/assessed lists their assessment team members and their associated assessment roles and responsibilities in the security assessment plan. Security Assessments CA-2 CA-2.5 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-002071 The organization defines the individuals or roles to whom the results of the security control assessment are to be provided. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM. DoD has defined the individuals or roles as at a minimum, the ISSO and ISSM. Security Assessments CA-2 CA-2.10 Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CCI-002072 The organization defines the unclassified, national security systems that are prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the unclassified, national security systems as all unclassified NSS. DoD has defined the unclassified, national security systems as all unclassified NSS. System Interconnections | Unclassified National Security System Connections CA-3 (1) CA-3(1).2 Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
CCI-002073 The organization defines the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network. The organization conducting the inspection/assessment obtains and examines the documented boundary protection device to ensure the organization being inspected/assessed defines the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network. DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network. DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. System Interconnections | Unclassified National Security System Connections CA-3 (1) CA-3(1).3 Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
CCI-002074 The organization defines the boundary protection device to be used for the direct connection of classified, national security system to an external network. The organization conducting the inspection/assessment obtains and examines the documented boundary protection device to ensure the organization being inspected/assessed defines the boundary protection device to be used for the direct connection of classified, national security system to an external network. DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the boundary protection device to be used for the direct connection of classified, national security system to an external network. DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. System Interconnections | Classified National Security System Connections CA-3 (2) CA-3(2).2 Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface/cross-domain systems) provide information flow enforcement from information systems to external networks. The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment; organization-defined boundary protection device].
CCI-002075 The organization prohibits the direct connection of an organization-defined unclassified, non-national security system to an external network without the use of organization-defined boundary protection device. The organization conducting the inspection/assessment obtains and examines network topology diagrams and examines the information system to ensure the organization being inspected/assessed does not connect any national security systems to an external network without the use of protection devices defined in CA-3 (3), CCI 2077. The organization being inspected/assessed does not connect any national security systems to an external network without the use of protection devices defined in CA-3 (3), CCI 2077. System Interconnections | Unclassified Non-National Security System Connections CA-3 (3) CA-3(3).1 Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non national security system] to an external network without the use of [Assignment; organization-defined boundary protection device].
CCI-002076 The organization defines the unclassified, non-national security system that is prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device. The organization conducting the inspection/assessment obtains and examines the documented unclassified, non-national security system to ensure the organization being inspected/assessed defines the unclassified, non-national security system that is prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device. DoD has determined the unclassified, non-national security system is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the unclassified, non-national security system that is prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device. DoD has determined the unclassified, non-national security system is not appropriate to define at the Enterprise level. System Interconnections | Unclassified Non-National Security System Connections CA-3 (3) CA-3(3).2 Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non national security system] to an external network without the use of [Assignment; organization-defined boundary protection device].
CCI-002077 The organization defines the boundary protection device to be used to directly connect an organization-defined unclassified, non-national security system to an external network. The organization conducting the inspection/assessment obtains and examines the documented boundary protection device to ensure the organization being inspected/assessed defines the boundary protection device to be used to directly connect an organization-defined unclassified, non-national security system to an external network. DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the boundary protection device to be used to directly connect an organization-defined unclassified, non-national security system to an external network. DoD has determined the boundary protection device is not appropriate to define at the Enterprise level. System Interconnections | Unclassified Non-National Security System Connections CA-3 (3) CA-3(3).3 Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
CCI-002078 The organization prohibits the direct connection of an organization-defined information system to a public network. The organization conducting the inspection/assessment obtains and examines network topology diagrams and examines the information system to ensure the organization being inspected/assessed does not connect any information system defined in CA-3 (4), CCI 2079 to a public network. The organization being inspected/assessed does not connect any information system defined in CA-3 (4), CCI 2079 to a public network. System Interconnections | Connections To Public Networks CA-3 (4) CA-3(4).1 A public network is any network accessible to the general public including, for example, the Internet and organizational extranets with public access. The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.
CCI-002079 The organization defines the information system that is prohibited from directly connecting to a public network. The organization conducting the inspection/assessment obtains and examines the documented information system to ensure the organization being inspected/assessed defines the information system that is prohibited from directly connecting to a public network. DoD has determined the information system is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system that is prohibited from directly connecting to a public network. DoD has determined the information system is not appropriate to define at the Enterprise level. System Interconnections | Connections To Public Networks CA-3 (4) CA-3(4).2 A public network is any network accessible to the general public including, for example, the Internet and organizational extranets with public access. The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.
CCI-002080 The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ a deny-all, permit by exception policy for allowing any systems requiring external connectivity to connect to external information systems. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2080. DoD has defined the information systems as any systems requiring external connectivity. The organization being inspected/assessed configures the information system to employ a deny-all, permit by exception policy for allowing any systems requiring external connectivity to connect to external information systems. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2080. DoD has defined the information systems as any systems requiring external connectivity. System Interconnections | Restrictions On External System Connections CA-3 (5) CA-3(5).1 Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7. The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
CCI-002081 The organization defines the information systems that employ either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing connections to external information systems. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information systems as any systems requiring external connectivity. DoD has defined the information systems as any systems requiring external connectivity. System Interconnections | Restrictions On External System Connections CA-3 (5) CA-3(5).2 Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7. The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
CCI-002082 The organization selects either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed selects deny-all, permit by exception policy for allowing any systems requiring external connectivity to connect to external information systems. DoD has defined the information systems as any systems requiring external connectivity. The organization being inspected/assessed selects deny-all, permit by exception policy for allowing any systems requiring external connectivity to connect to external information systems. DoD has defined the information systems as any systems requiring external connectivity. System Interconnections | Restrictions On External System Connections CA-3 (5) CA-3(5).3 Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7. The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
CCI-002083 The organization reviews and updates Interconnection Security Agreements on an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates Interconnection Security Agreements at least annually. DoD has defined the frequency as at least annually. The organization being inspected/assessed reviews and updates Interconnection Security Agreements at least annually. The organization must maintain an audit trail of reviews and updates. DoD has defined the frequency as at least annually. System Interconnections CA-3 CA-3.5 This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CCI-002084 The organization defines the frequency at which reviews and updates to the Interconnection Security Agreements must be conducted. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least annually. DoD has defined the frequency as at least annually. System Interconnections CA-3 CA-3.6 This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CCI-002085 The organization defines the level of independence the assessors or assessment teams must have to monitor the security controls in the information system on an ongoing basis. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring | Independent Assessment CA-7 (1) CA-7(1).2 Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services. The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
CCI-002086 The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring | Trend Analyses CA-7 (3) CA-7(3).1 Trend analyses can include, for example, examining recent threat information regarding the types of threat events that have occurred within the organization or across the federal government, success rates of certain types of cyber attacks, emerging vulnerabilities in information technologies, evolving social engineering techniques, results from multiple security control assessments, the effectiveness of configuration settings, and findings from Inspectors General or auditors. The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
CCI-002087 The organization establishes and defines the metrics to be monitored for the continuous monitoring program. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.2 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-002088 The organization establishes and defines the frequencies for continuous monitoring. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.3 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-002089 The organization establishes and defines the frequencies for assessments supporting continuous monitoring. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.4 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-002090 The organization implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.6 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-002091 The organization implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.7 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-002092 The organization implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. Future DoD-wide CM guidance to be published Future DoD-wide CM guidance to be published Continuous Monitoring CA-7 CA-7.8 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CCI-002093 The organization conducts penetration testing in accordance with organization-defined frequency on organization-defined information systems or system components. The organization conducting the inspection/assessment obtains and examines the documented process as well as a sampling of the penetration test results to ensure the organization being inspected/assessed conducts penetration testing in accordance with the frequency defined in CA-8, CCI 2094 on information systems or system components defined in CA-8, CCI 2095. The organization being inspected/assessed documents and implements a process to conduct penetration testing in accordance with the frequency defined in CA-8, CCI 2094 on information systems or system components defined in CA-8, CCI 2095. The organization must maintain a record of penetration test results. Penetration Testing CA-8 CA-8.1 Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing. Related control: SA-12. The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
CCI-002094 The organization defines the frequency for conducting penetration testing on organization-defined information systems or system components. The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency for conducting penetration testing on organization-defined information systems or system components. DoD has determined the frequency is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the frequency for conducting penetration testing on organization-defined information systems or system components. DoD has determined the frequency is not appropriate to define at the Enterprise level. Penetration Testing CA-8 CA-8.2 Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing. Related control: SA-12. The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
CCI-002095 The organization defines the information systems or system components on which penetration testing will be conducted. The organization conducting the inspection/assessment obtains and examines the documented information systems or system components to ensure the organization being inspected/assessed defines the information systems or system components on which penetration testing will be conducted. DoD has determined the information systems or system components are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information systems or system components on which penetration testing will be conducted. DoD has determined the information systems or system components are not appropriate to define at the Enterprise level. Penetration Testing CA-8 CA-8.3 Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing. Related control: SA-12. The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
CCI-002096 The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. The organization conducting the inspection/assessment obtains and examines a sampling of the penetration test results to ensure the organization being inspected/assessed employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. The organization being inspected/assessed employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. The organization must maintain a record of penetration test results. Penetration Testing | Independent Penetration Agent Or Team CA-8 (1) CA-8(1).1 Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organizational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing. Supplemental guidance for CA-2 (1) provides additional information regarding independent assessments that can be applied to penetration testing. Related control: CA-2. The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
CCI-002097 The organization defines red team exercises to simulate attempts by adversaries to compromise organizational information systems. The organization conducting the inspection/assessment obtains and examines the documented red team exercises to ensure the organization being inspected/assessed defines red team exercises to simulate attempts by adversaries to compromise organizational information systems. DoD has determined the red team exercises are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents red team exercises to simulate attempts by adversaries to compromise organizational information systems. DoD has determined the red team exercises are not appropriate to define at the Enterprise level. Penetration Testing | Red Team Exercises CA-8 (2) CA-8(2).1 Red team exercises extend the objectives of penetration testing by examining the security posture of organizations and their ability to implement effective cyber defenses. As such, red team exercises reflect simulated adversarial attempts to compromise organizational mission/business functions and provide a comprehensive assessment of the security state of information systems and organizations. Simulated adversarial attempts to compromise organizational missions/business functions and the information systems that support those missions/functions may include technology-focused attacks (e.g., interactions with hardware, software, or firmware components and/or mission/business processes) and social engineering-based attacks (e.g., interactions via email, telephone, shoulder surfing, or personal conversations). While penetration testing may be largely laboratory-based testing, organizations use red team exercises to provide more comprehensive assessments that reflect real-world conditions. Red team exercises can be used to improve security awareness and training and to assess levels of security control effectiveness. The organization employs red team exercises to simulate attempts by adversaries to compromise organizational information systems.
CCI-002098 The organization defines rules of engagement for red team exercises to simulate attempts by adversaries to compromise organizational information systems. The organization conducting the inspection/assessment obtains and examines the documented rules of engagement to ensure the organization being inspected/assessed defines the rules of engagement for red team exercises to simulate attempts by adversaries to compromise organizational information systems. DoD has determined the rules of engagement are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents rules of engagement for red team exercises to simulate attempts by adversaries to compromise organizational information systems. DoD has determined the rules of engagement are not appropriate to define at the Enterprise level. Penetration Testing | Red Team Exercises CA-8 (2) CA-8(2).2 Red team exercises extend the objectives of penetration testing by examining the security posture of organizations and their ability to implement effective cyber defenses. As such, red team exercises reflect simulated adversarial attempts to compromise organizational mission/business functions and provide a comprehensive assessment of the security state of information systems and organizations. Simulated adversarial attempts to compromise organizational missions/business functions and the information systems that support those missions/functions may include technology-focused attacks (e.g., interactions with hardware, software, or firmware components and/or mission/business processes) and social engineering-based attacks (e.g., interactions via email, telephone, shoulder surfing, or personal conversations). While penetration testing may be largely laboratory-based testing, organizations use red team exercises to provide more comprehensive assessments that reflect real-world conditions. Red team exercises can be used to improve security awareness and training and to assess levels of security control effectiveness. The organization employs red team exercises to simulate attempts by adversaries to compromise organizational information systems.
CCI-002099 The organization employs organization-defined red team exercises to simulate attempts by adversaries to compromise organizational information systems in accordance with organization-defined rules of engagement. The organization conducting the inspection/assessment obtains and examines the record of red team exercises and results to ensure the organization being inspected/assessed employs red team exercises defined in CA-8 (2), CCI 2097 to simulate attempts by adversaries to compromise organizational information systems in accordance with rules of engagement defined in CA-8 (2), CCI 2098. The organization being inspected/assessed employs red team exercises defined in CA-8 (2), CCI 2097 to simulate attempts by adversaries to compromise organizational information systems in accordance with rules of engagement defined in CA-8 (2), CCI 2098. The organization must maintain a record of red team exercises and results. Penetration Testing | Red Team Exercises CA-8 (2) CA-8(2).3 Red team exercises extend the objectives of penetration testing by examining the security posture of organizations and their ability to implement effective cyber defenses. As such, red team exercises reflect simulated adversarial attempts to compromise organizational mission/business functions and provide a comprehensive assessment of the security state of information systems and organizations. Simulated adversarial attempts to compromise organizational missions/business functions and the information systems that support those missions/functions may include technology-focused attacks (e.g., interactions with hardware, software, or firmware components and/or mission/business processes) and social engineering-based attacks (e.g., interactions via email, telephone, shoulder surfing, or personal conversations). While penetration testing may be largely laboratory-based testing, organizations use red team exercises to provide more comprehensive assessments that reflect real-world conditions. Red team exercises can be used to improve security awareness and training and to assess levels of security control effectiveness. The organization employs red team exercises to simulate attempts by adversaries to compromise organizational information systems.
CCI-002100 The information system performs security compliance checks on constituent components prior to the establishment of the internal connection. The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of security compliance checks to ensure the organization being inspected/assessed performs security compliance checks on constituent components prior to the establishment of the internal connection. The organization being inspected/assessed documents and implements a process to perform security compliance checks on constituent components prior to the establishment of the internal connection. The organization must maintain a record of security compliance checks. Internal System Connections | Security Compliance Checks CA-9 (1) CA-9(1).1 Security compliance checks may include, for example, verification of the relevant baseline configuration. Related controls: CM-6. The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.
CCI-002101 The organization authorizes internal connections of organization-defined information system components or classes of components to the information system. The organization conducting the inspection/assessment obtains and examines the audit trail of authorizations to ensure the organization being inspected/assessed authorizes internal connections of information system components defined in CA-9, CCI 2102 or classes of components to the information system. The organization being inspected/assessed authorizes internal connections of information system components defined in CA-9, CCI 2102 or classes of components to the information system. The organization must maintain an audit trail of authorizations. Internal System Connections CA-9 CA-9.1 This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. The organization: a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
CCI-002102 The organization defines the information system components or classes of components that are authorized internal connections to the information system. The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components or classes of components that are authorized internal connections to the information system. DoD has determined the information system components are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system components or classes of components that are authorized internal connections to the information system. DoD has determined the information system components are not appropriate to define at the Enterprise level. Internal System Connections CA-9 CA-9.2 This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. The organization: a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
CCI-002103 The organization documents, for each internal connection, the interface characteristics. The organization conducting the inspection/assessment obtains and examines the documented interface characteristics as well as the network topology to ensure the organization being inspected/assessed documents, for each internal connection, the interface characteristics. The organization being inspected/assessed documents, for each internal connection, the interface characteristics. Internal System Connections CA-9 CA-9.3 This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. The organization: a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
CCI-002104 The organization documents, for each internal connection, the security requirements. The organization conducting the inspection/assessment obtains and examines the documented security requirements as well as the network topology to ensure the organization being inspected/assessed documents, for each internal connection, the security requirements. The organization being inspected/assessed documents, for each internal connection, the security requirements. Internal System Connections CA-9 CA-9.4 This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. The organization: a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
CCI-002105 The organization documents, for each internal connection, the nature of the information communicated. The organization conducting the inspection/assessment obtains and examines the documented nature of information communication as well as the network topology to ensure the organization being inspected/assessed documents, for each internal connection, the nature of the information communicated. The organization being inspected/assessed documents, for each internal connection, the nature of the information communicated. Internal System Connections CA-9 CA-9.5 This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. The organization: a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
CCI-001820 The organization documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-001821 The organization defines the organizational personnel or roles to whom the configuration management policy is to be disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. Configuration Management Policy And Procedures CM-1 CM-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-001822 The organization disseminates the configuration management policy to organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines the configuration management policy via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated. The organization being inspected/assessed disseminates a configuration management policy via an information sharing capability (e.g. portal, intranet, email, etc.) to all stakeholders in the configuration management process. DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. Configuration Management Policy And Procedures CM-1 CM-1.4 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-001823 The organization documents the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CCI-001824 The organization defines the organizational personnel or roles to whom the configuration management procedures are to be disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. Configuration Management Policy And Procedures CM-1 CM-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-001825 The organization disseminates to organization-defined personnel or roles the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization conducting the inspection/assessment obtains and examines the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls via the inspected organization's information sharing capability (e.g. portal, intranet, email, etc.) to ensure it has been disseminated. The organization being inspected/assessed disseminates the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls via an information sharing capability (e.g. portal, intranet, email, etc.) to all stakeholders in the configuration management process. DoD has defined the organizational personnel or roles as all stakeholders in the configuration management process. Configuration Management Policy And Procedures CM-1 CM-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
CCI-001736 The organization defines the previous versions of the baseline configuration of the information system required to support rollback. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the previous versions as the previous approved baseline configuration of IS components for a minimum of 3 months. DoD has defined the previous versions as the previous approved baseline configuration of IS components for a minimum of 3 months. Baseline Configuration | Retention Of Previous Configurations CM-2 (3) CM-2(3).2 Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records. The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
CCI-001737 The organization defines the information systems, system components, or devices that are to have organization-defined configurations applied when located in areas of significant risk. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the information systems, system components, or devices that are to have configurations defined in CM-2 (7), CCI 1738 applied when located in areas of significant risk. DoD has determined that this value is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents, in the configuration management policy, the information systems, system components, or devices that are to have configurations defined in CM-2 (7), CCI 1738 applied when located in areas of significant risk. DoD has determined that this value is not appropriate to define at the Enterprise level. Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas CM-2 (7) CM-2(7).1 When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. The organization: (a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
CCI-001738 The organization defines the security configurations to be implemented on information systems, system components, or devices when they are located in areas of significant risk. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the security configurations to be implemented on information systems, system components, or devices when they are located in areas of significant risk. DoD has determined that this value is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents, in the configuration management policy, the security configurations to be implemented on information systems, system components, or devices when they are located in areas of significant risk. DoD has determined that this value is not appropriate to define at the Enterprise level. Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas CM-2 (7) CM-2(7).2 When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. The organization: (a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
CCI-001739 The organization issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations the organization deems to be of significant risk. The organization conducting the inspection/assessment interviews organizational personnel with configuration management responsibilities to ensure that individuals traveling to locations that the organization deems to be of significant risk are issued information systems, system components, or devices as defined in CM-2 (7) CCI 1737 with configurations as defined in CM-2 (7) CCI 1738. The organization being inspected/assessed issues information systems, system components, or devices as defined in CM-2 (7) CCI 1737 with configurations as defined in CM-2 (7) CCI 1738 to individuals traveling to locations the organization deems to be of significant risk. Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas CM-2 (7) CM-2(7).3 When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. The organization: (a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
CCI-001815 The organization defines the security safeguards to be applied to devices when they return from areas of significant risk. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the security safeguards to be applied to devices when they return from areas of significant risk. DoD has determined that this value is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents, in the configuration management policy, the security safeguards to be applied to devices when they return from areas of significant risk. DoD has determined that this value is not appropriate to define at the Enterprise level. Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas CM-2 (7) CM-2(7).4 When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. The organization: (a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
CCI-001816 The organization applies organization-defined security safeguards to devices when individuals return from areas of significant risk. The organization conducting the inspection/assessment interviews organizational personnel with configuration management responsibilities to ensure that when individuals return from areas of significant risk, security safeguards as defined in CM-2 (7) CCI 1815 are applied to devices as defined in CM-2 (7) CCI 1737. The organization being inspected/assessed applies security safeguards as defined in CM-2 (7) CCI 1815 to devices when individuals return from areas of significant risk. Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas CM-2 (7) CM-2(7).5 When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. The organization: (a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
CCI-001740 The organization reviews proposed configuration-controlled changes to the information system. The organization conducting the inspection/assessment obtains and examines the audit trail of a sampling of proposed configuration controlled changes to ensure the reviews are being conducted. The organization being inspected/assessed conducts reviews of records documenting the proposed configuration controlled changes to each information system. The organization will maintain an audit trail of each proposed configuration controlled change. This action will be implemented by the CCB as defined in CM-3, CCI 1586. Configuration Change Control CM-3 CM-3.3 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-001741 The organization documents configuration change decisions associated with the information system. The organization conducting the inspection/assessment obtains and examines the audit trail documenting configuration change decisions associated with the information system to ensure the organization being inspected/assessed has documented their decisions. The organization being inspected/assessed documents configuration change decisions associated with the information system. The organization must maintain an audit trail of configuration change decisions. This action will be implemented by the CCB as defined in CM-3, CCI 1586. Configuration Change Control CM-3 CM-3.4 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-001742 The organization defines the approval authorities to be notified when proposed changes to the information system are received. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the approval authorities as the configuration control board (CCB). DoD has defined the approval authorities as the configuration control board (CCB). Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).3 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-001743 The organization defines the security responses to be automatically implemented by the information system if baseline configurations are changed in an unauthorized manner. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the security responses to be automatically implemented by the information system if baseline configurations are changed in an unauthorized manner. DoD has determined that the value is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents, in the configuration management policy, the security responses to be automatically implemented by the information system if baseline configurations are changed in an unauthorized manner. DoD has determined that the value is not appropriate to define at the Enterprise level. Configuration Change Control | Automated Security Response CM-3 (5) CM-3(5).1 Security responses include, for example, halting information system processing, halting selected system functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item. The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.
CCI-001744 The information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner. The organization conducting the inspection/assessment obtains and examines the audit trail to ensure the organization being inspected/assessed implements security responses, as defined in CM-3 (5), CCI 1743, automatically if baseline configurations are changed in an unauthorized manner. The organization being inspected/assessed implements security responses, as defined in CM-3 (5), CCI 1743, automatically if baseline configurations are changed in an unauthorized manner. The information system must maintain an audit trail of automatic security responses to unauthorized changes in baseline configurations. Configuration Change Control | Automated Security Response CM-3 (5) CM-3(5).2 Security responses include, for example, halting information system processing, halting selected system functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item. The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.
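The two mechanisms in the rows above, retaining previous approved baselines so that rollback is possible (CM-2 (3), CCI-001736) and automatically responding when the baseline is changed in an unauthorized manner (CM-3 (5), CCI-001743 and CCI-001744), are small enough to show in one piece of working code. The following is an added example written for this page; it is not part of the CCI table and not a DoD or NIST tool. The configuration item names, the 90-day modelling of the "minimum of 3 months" retention value, and the response vocabulary ("alert", "halt:<function>") are illustrative assumptions.

```python
"""Added example (not from the CCI table): baseline retention/rollback for
CM-2 (3) and automated response to unauthorized baseline changes for CM-3 (5).
Configuration items, the 90-day retention value and the response names are
assumptions chosen for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def fingerprint(config: dict[str, str]) -> str:
    """SHA-256 over canonical JSON, so key order cannot change the digest."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


@dataclass(frozen=True)
class Baseline:
    version: int
    approved_at: datetime
    config: dict[str, str]  # configuration item -> CCB-approved value

    @property
    def digest(self) -> str:
        return fingerprint(self.config)


class BaselineStore:
    """Approved baselines with a retention window (assumption: 90 days stands in
    for the DoD-defined minimum of 3 months)."""

    def __init__(self, retention: timedelta = timedelta(days=90)) -> None:
        self.retention = retention
        self.history: list[Baseline] = []
        self._next_version = 1  # monotonic, so pruning never reuses a version

    @property
    def current(self) -> Baseline:
        return self.history[-1]

    def approve(self, config: dict[str, str], approved_at: datetime) -> Baseline:
        """Record a CCB-approved configuration as the new current baseline."""
        b = Baseline(self._next_version, approved_at, dict(config))
        self._next_version += 1
        self.history.append(b)
        return b

    def prune(self, now: datetime) -> int:
        """Discard baselines older than the retention window. The current baseline
        and its immediate predecessor are always kept, so rollback stays possible
        even when both are older than the window. Returns the number dropped."""
        keep = {b.version for b in self.history if now - b.approved_at <= self.retention}
        keep.update(b.version for b in self.history[-2:])
        before = len(self.history)
        self.history = [b for b in self.history if b.version in keep]
        return before - len(self.history)

    def rollback(self, now: datetime) -> Baseline:
        """Re-approve the previous baseline's configuration as a new version, so the
        rollback itself stays in the audit trail instead of erasing history."""
        if len(self.history) < 2:
            raise RuntimeError("no previous baseline retained; rollback impossible")
        return self.approve(self.history[-2].config, now)


@dataclass
class ResponseLog:
    alerts: list[str] = field(default_factory=list)  # notifications to personnel
    halted: set[str] = field(default_factory=set)    # system functions halted


def detect_drift(baseline: Baseline, observed: dict[str, str]) -> dict[str, tuple[str | None, str | None]]:
    """Return {item: (approved, observed)} for every item that differs, including
    items added to or removed from the observed configuration."""
    items = set(baseline.config) | set(observed)
    return {k: (baseline.config.get(k), observed.get(k))
            for k in items if baseline.config.get(k) != observed.get(k)}


def respond(store: BaselineStore, observed: dict[str, str],
            policy: dict[str, str], default: str = "alert") -> ResponseLog:
    """CM-3 (5): anything that does not match the current approved baseline is an
    unauthorized change (an approved change would have produced a new baseline).
    Every drifted item raises an alert; items whose policy entry is 'halt:<fn>'
    additionally halt that function."""
    log = ResponseLog()
    if fingerprint(observed) == store.current.digest:
        return log  # matches the approved baseline: nothing to do
    for item, (approved, actual) in sorted(detect_drift(store.current, observed).items()):
        log.alerts.append(f"unauthorized change: {item} approved={approved!r} observed={actual!r}")
        action = policy.get(item, default)
        if action.startswith("halt:"):
            log.halted.add(action.split(":", 1)[1])
    return log


# Constructed sample data (assumptions, not real system state).
APPROVED_V1 = {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no", "auditd.enabled": "yes"}
APPROVED_V2 = {**APPROVED_V1, "sshd.Ciphers": "aes256-gcm@openssh.com"}
OBSERVED_DRIFT = {**APPROVED_V2, "sshd.PermitRootLogin": "yes", "auditd.enabled": "no"}
POLICY = {"sshd.PermitRootLogin": "halt:remote_admin", "auditd.enabled": "halt:all_processing"}

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = BaselineStore()
    store.approve(APPROVED_V1, t0)
    store.approve(APPROVED_V2, t0 + timedelta(days=200))
    print("pruned:", store.prune(t0 + timedelta(days=201)), "(predecessor kept despite age)")
    print("drift response:", respond(store, OBSERVED_DRIFT, POLICY))
    print("rolled back to v", store.rollback(t0 + timedelta(days=202)).version, store.current.config)
```

The predecessor rule in `prune` is the part worth copying: a retention window expressed only as an age silently destroys rollback capability once the current baseline itself is older than the window. Treating any deviation from the approved digest as unauthorized, rather than trying to recognise "good" changes at detection time, keeps the CCB approval path (a new baseline version) as the only way to make a change authorized.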
CCI-001745 The organization defines the security safeguards that are to be provided by the cryptographic mechanisms which are employed by the organization. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the security safeguards as all security safeguards. DoD has defined the security safeguards as all security safeguards. Configuration Change Control | Cryptography Management CM-3 (6) CM-3(6).1 Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address the expiration of those certificates. Related control: SC-13. The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.
CCI-001746 The organization ensures that cryptographic mechanisms used to provide organization-defined security safeguards are under configuration management. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure that cryptographic mechanisms used to provide all security safeguards are documented in the policy. DoD has defined the security safeguards as all security safeguards. The organization being inspected/assessed ensures that cryptographic mechanisms used to provide all security safeguards are under configuration management. DoD has defined the security safeguards as all security safeguards. Configuration Change Control | Cryptography Management CM-3 (6) CM-3(6).2 Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address the expiration of those certificates. Related control: SC-13. The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.
CCI-001819 The organization implements approved configuration-controlled changes to the information system. The organization conducting the inspection/assessment obtains and examines the audit trail documenting the implementation of approved configuration-controlled changes to the information system to ensure the organization being inspected/assessed has implemented the approved changes. The organization being inspected/assessed implements approved configuration-controlled changes to the information system. The organization must maintain an audit trail of the implementation of approved configuration-controlled changes. Configuration Change Control CM-3 CM-3.5 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-002056 The organization defines the time period the records of configuration-controlled changes are to be retained. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as a time period defined by the organization's CCB. DoD has defined the time period as a time period defined by the organization's CCB. Configuration Change Control CM-3 CM-3.7 Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12. The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CCI-002057 The organization defines the personnel to be notified when approved changes to the information system are completed. The organization conducting the inspection/assessment obtains and examines the documented personnel to ensure the organization being inspected/assessed defines the personnel to be notified when approved changes to the information system are completed, which must include, at a minimum, the CCB. DoD has defined the personnel as, at a minimum, the CCB. The organization being inspected/assessed defines and documents the personnel to be notified when approved changes to the information system are completed, which must include, at a minimum, the CCB. DoD has defined the personnel as, at a minimum, the CCB. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).8 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-002058 The organization employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed. The organization conducting the inspection/assessment obtains and examines the audit trail of notifications of completed changes to the information system to ensure the organization being inspected/assessed notifies, at a minimum, the CCB when approved changes to the information system are completed. DoD has defined the personnel as, at a minimum, the CCB. The organization being inspected/assessed notifies, at a minimum, the CCB when approved changes to the information system are completed. The organization must maintain an audit trail of notifications of completed changes to the information system. DoD has defined the personnel as, at a minimum, the CCB. Configuration Change Control | Automated Document / Notification / Prohibition Of Changes CM-3 (1) CM-3(1).9 The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (d) Prohibit changes to the information system until designated approvals are received; (e) Document all changes to the information system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CCI-001817 The organization, when analyzing changes to the information system, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. The organization conducting the inspection/assessment obtains and examines the documented process and record of analysis to ensure the organization being inspected/assessed, when analyzing changes to the information system, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. The organization being inspected/assessed documents within their process for analyzing changes to the information system, methods for identifying security impacts due to flaws, weaknesses, incompatibility, or intentional malice. The organization implements the documented process and must maintain a record of analysis. Security Impact Analysis | Separate Test Environments CM-4 (1) CM-4(1).1 Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines). Related controls: SA-11, SC-3, SC-7. The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CCI-001818 The organization analyzes changes to the information system in a separate test environment before installation in an operational environment. The organization conducting the inspection/assessment obtains and examines the documented policy for analyzing changes as well as records of analysis to ensure the organization being inspected/assessed analyzes changes to the information system in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. The organization being inspected/assessed documents and employs a policy to analyze changes to the information system in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. The organization must maintain records of analysis of changes to the information system. Security Impact Analysis | Separate Test Environments CM-4 (1) CM-4(1).2 Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines). Related controls: SA-11, SC-3, SC-7. The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CCI-001747 The organization defines critical software components the information system will prevent from being installed without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the software components as any software components when the vendor provides digitally signed products. DoD has defined the software components as any software components when the vendor provides digitally signed products. Access Restrictions For Change | Signed Components CM-5 (3) CM-5(3).1 Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures, and organizational verification of such signatures, are a method of code authentication. Related controls: CM-7, SC-13, SI-7. The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
CCI-001748 The organization defines critical firmware components the information system will prevent from being installed without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the critical firmware components as any firmware components when the vendor provides digitally signed products. DoD has defined the critical firmware components as any firmware components when the vendor provides digitally signed products. Access Restrictions For Change | Signed Components CM-5 (3) CM-5(3).2 Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures, and organizational verification of such signatures, are a method of code authentication. Related controls: CM-7, SC-13, SI-7. The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
CCI-001749 The information system prevents the installation of organization-defined software components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization. The organization conducting the inspection/assessment obtains and examines the documented process for preventing the installation of software onto any software components, when the vendor provides digitally signed products, without verification that the software has been digitally signed using a certificate that is recognized and approved by the organization. The organization conducting the inspection/assessment reviews software on a sampling of the defined components to ensure that only software digitally signed by a defined CA is installed. DoD has defined the software components as any software components when the vendor provides digitally signed products. The organization being inspected/assessed documents and implements a process to prevent the installation of software onto any software components, when the vendor provides digitally signed products, without verification that the software has been digitally signed using a certificate that is recognized and approved by the organization. DoD has defined the software components as any software components when the vendor provides digitally signed products. Access Restrictions For Change | Signed Components CM-5 (3) CM-5(3).3 Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures, and organizational verification of such signatures, are a method of code authentication. Related controls: CM-7, SC-13, SI-7. The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
CCI-001750 The information system prevents the installation of organization-defined firmware components without verification that the firmware component has been digitally signed using a certificate that is recognized and approved by the organization. The organization conducting the inspection/assessment obtains and examines the documented process for preventing the installation of firmware onto any firmware components, when the vendor provides digitally signed products, without verification that the firmware has been digitally signed using a certificate that is recognized and approved by the organization. The organization conducting the inspection/assessment reviews firmware on a sampling of the defined components to ensure that only firmware digitally signed by a defined CA is installed. The organization being inspected/assessed documents and implements a process to prevent the installation of firmware onto any firmware components, when the vendor provides digitally signed products, without verification that the firmware has been digitally signed using a certificate that is recognized and approved by the organization. DoD has defined the critical firmware components as any firmware components when the vendor provides digitally signed products. Access Restrictions For Change | Signed Components CM-5 (3) CM-5(3).4 Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures, and organizational verification of such signatures, are a method of code authentication. Related controls: CM-7, SC-13, SI-7. The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
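The CM-5(3) rows above (CCI-001747 through CCI-001750) describe the mechanism in policy terms: the installer refuses a software or firmware component unless its signature verifies against a certificate the organization has recognized and approved. The Go program below is an added illustration of that gate and is not part of the DISA CCI list or the NIST control text. It makes several assumptions: the organization's approval is modeled as an allowlist of certificate fingerprints (a production gate would more often pin an approved CA and verify the chain); the vendor's code-signing certificate is a self-signed Ed25519 certificate generated on the fly; and the names InstallGate, Vendor and SignedComponent, along with the BIOS image payload, are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedComponent is what a vendor delivers: the artifact bytes (patch, driver,
// BIOS image ...), its DER signing certificate and a detached signature.
type SignedComponent struct {
	Name             string
	Payload, CertDER []byte
	Signature        []byte
}
// Distinct refusal reasons, so the audit trail records why an install was blocked.
var (
	ErrUnapprovedCert = errors.New("signing certificate not recognized/approved by the organization")
	ErrCertNotValid   = errors.New("signing certificate outside its validity period")
	ErrBadSignature   = errors.New("signature does not verify over the component")
)

// InstallGate keeps the approved signing certificates by SHA-256 fingerprint of
// the DER (assumption: this allowlist stands in for the organization's approval).
type InstallGate struct{ approved map[string]bool }
func NewInstallGate() *InstallGate { return &InstallGate{approved: map[string]bool{}} }
// Fingerprint returns the hex SHA-256 of a DER certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}
// Approve records a certificate as recognized and approved by the organization.
func (g *InstallGate) Approve(der []byte) { g.approved[Fingerprint(der)] = true }

// Verify is the installation decision: nil means the component may be installed.
// An unapproved certificate is refused before its signature is examined, so a
// valid signature from the wrong signer never reaches the install step. The
// detached signature is checked with the certificate's (Ed25519) public key.
func (g *InstallGate) Verify(c SignedComponent, now time.Time) error {
	cert, err := x509.ParseCertificate(c.CertDER)
	if err != nil {
		return err
	}
	if !g.approved[Fingerprint(cert.Raw)] {
		return ErrUnapprovedCert
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return ErrCertNotValid
	}
	if cert.CheckSignature(x509.PureEd25519, c.Payload, c.Signature) != nil {
		return ErrBadSignature
	}
	return nil
}

// Vendor simulates a software vendor with a self-signed Ed25519 code-signing
// certificate (constructed for this example, not issued by any real CA).
type Vendor struct {
	priv    ed25519.PrivateKey
	CertDER []byte
}
func NewVendor(name string) (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &Vendor{priv: priv, CertDER: der}, nil
}
// Sign produces the signed component a vendor would ship.
func (v *Vendor) Sign(name string, payload []byte) SignedComponent {
	return SignedComponent{Name: name, Payload: payload, CertDER: v.CertDER, Signature: ed25519.Sign(v.priv, payload)}
}

func main() {
	vendor, _ := NewVendor("Approved Vendor")
	gate := NewInstallGate()
	gate.Approve(vendor.CertDER)
	c := vendor.Sign("bios-update-2.1.bin", []byte("constructed BIOS image bytes"))
	fmt.Println("intact:", gate.Verify(c, time.Now()))
	c.Payload = append(c.Payload, 0x00) // altered after signing
	fmt.Println("tampered:", gate.Verify(c, time.Now()))
}
```

Two points for an assessor sampling components under CCI-001749/001750: the check must sit in the installation path itself (an installer that verifies only when a signature happens to be present does not satisfy "prevents the installation"), and the order of checks matters, since a component signed with a valid but unapproved certificate is still a refusal. Tampering after signing, an unapproved signer, and a certificate outside its validity period are each refused for a distinct, loggable reason.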
CCI-001751 The organization defines system-level information requiring enforcement of a dual authorization for information system changes. The organization conducting the inspection/assessment obtains and examines the documented system-level information to ensure the organization being inspected/assessed defines the system-level information requiring enforcement of a dual authorization for information system changes. DoD has determined that the information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents system-level information requiring enforcement of a dual authorization for information system changes. DoD has determined that the information is not appropriate to define at the Enterprise level. Access Restrictions For Change | Dual Authorization CM-5 (4) CM-5(4).3 Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control. Related controls: AC-5, CM-3. The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].
CCI-001752 The organization enforces dual authorization for changes to organization-defined system-level information. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed enforces dual authorization for changes to system-level information defined in CM-5 (4), CCI 1751. The organization being inspected/assessed documents and implements a process to enforce dual authorization for changes to system-level information defined in CM-5 (4), CCI 1751. Access Restrictions For Change | Dual Authorization CM-5 (4) CM-5(4).4 Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control. Related controls: AC-5, CM-3. The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].
CCI-001753 The organization limits privileges to change information system components within a production or operational environment. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed limits privileges to change information system components within a production or operational environment. The organization being inspected/assessed documents and implements a process to limit privileges to change information system components within a production or operational environment. Access Restrictions For Change | Limit Production / Operational Privileges CM-5 (5) CM-5(5).1 In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. The organization: (a) Limits privileges to change information system components and system-related information within a production or operational environment; and (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
CCI-001754 The organization limits privileges to change system-related information within a production or operational environment. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed limits privileges to change system-related information within a production or operational environment. The organization being inspected/assessed documents and implements a process to limit privileges to change system-related information within a production or operational environment. Access Restrictions For Change | Limit Production / Operational Privileges CM-5 (5) CM-5(5).2 In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. The organization: (a) Limits privileges to change information system components and system-related information within a production or operational environment; and (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
CCI-001813 The information system enforces access restrictions. The organization conducting the inspection/assessment obtains and examines the documented process as well as the configuration of the information system to ensure access restrictions are implemented. The organization being inspected/assessed documents and implements a process to enforce access restrictions provided by the information system. Access Restrictions For Change | Automated Access Enforcement / Auditing CM-5 (1) CM-5(1).1 Related controls: AU-2, AU-12, AU-6, CM-3, CM-6. The information system enforces access restrictions and supports auditing of the enforcement actions.
CCI-001814 The information system supports auditing of the enforcement actions. The organization conducting the inspection/assessment reviews vendor documentation to ensure the information system supports auditing of the enforcement actions. If vendor documentation is not available, the organization conducting the inspection/assessment tests the information system for the capability. The organization being inspected/assessed leverages only information systems which support auditing of enforcement actions. Access Restrictions For Change | Automated Access Enforcement / Auditing CM-5 (1) CM-5(1).2 Related controls: AU-2, AU-12, AU-6, CM-3, CM-6. The information system enforces access restrictions and supports auditing of the enforcement actions.
CCI-001826 The organization defines the circumstances upon which the organization reviews the information system changes to determine whether unauthorized changes have occurred. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the circumstances as when there is an incident or when planned changes have been performed. DoD has defined the circumstances as when there is an incident or when planned changes have been performed. Access Restrictions For Change | Review System Changes CM-5 (2) CM-5(2).4 Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process. Related controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8. The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
CCI-001827 The organization defines the frequency with which to review information system privileges. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 90 days. DoD has defined the frequency as every 90 days. Access Restrictions For Change | Limit Production / Operational Privileges CM-5 (5) CM-5(5).3 In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. The organization: (a) Limits privileges to change information system components and system-related information within a production or operational environment; and (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
CCI-001828 The organization defines the frequency with which to reevaluate information system privileges. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 90 days. DoD has defined the frequency as every 90 days. Access Restrictions For Change | Limit Production / Operational Privileges CM-5 (5) CM-5(5).4 In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. The organization: (a) Limits privileges to change information system components and system-related information within a production or operational environment; and (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
CCI-001829 The organization reviews information system privileges per an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed reviews information system privileges every 90 days. DoD has defined the frequency as every 90 days. The organization being inspected/assessed reviews information system privileges every 90 days. The organization must maintain the reviews as an audit trail. DoD has defined the frequency as every 90 days. Access Restrictions For Change | Limit Production / Operational Privileges CM-5 (5) CM-5(5).5 In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. The organization: (a) Limits privileges to change information system components and system-related information within a production or operational environment; and (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
CCI-001830 The organization reevaluates information system privileges per an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed reevaluates information system privileges every 90 days. DoD has defined the frequency as every 90 days. The organization being inspected/assessed reevaluates information system privileges every 90 days. The organization must maintain the reevaluations as an audit trail. DoD has defined the frequency as every 90 days. Access Restrictions For Change | Limit Production / Operational Privileges CM-5 (5) CM-5(5).6 In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. The organization: (a) Limits privileges to change information system components and system-related information within a production or operational environment; and (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
CCI-001755 The organization defines the information system components for which any deviation from the established configuration settings are to be identified, documented, and approved. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information system components as all configurable information system components. DoD has defined the information system components as all configurable information system components. Configuration Settings CM-6 CM-6.9 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems' configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-001756 The organization defines the operational requirements on which the configuration settings for the organization-defined information system components are to be based. The organization conducting the inspection/assessment obtains and examines the system security plan to ensure the organization being inspected/assessed defines the requirements which may deviate from the approved configuration settings on the information system components defined in CM-6, CCI 1755. DoD has determined that it is not appropriate to define at the Enterprise level. The organization being inspected/assessed must define and document in the system security plan, the requirements which may deviate from the approved configuration settings on the information system components defined in CM-6, CCI 1755. DoD has determined that it is not appropriate to define at the Enterprise level. Configuration Settings CM-6 CM-6.10 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the system's configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4. The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CCI-001757 The organization defines the security safeguards the organization is to employ when responding to unauthorized changes to the organization-defined configuration settings. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the security safeguards the organization is to employ when responding to unauthorized changes to the configuration settings defined in CM-6 (2), CCI 1758. DoD has determined that it is not appropriate to define at the Enterprise level. The organization being inspected/assessed must define and document in the configuration management policy, the security safeguards the organization is to employ when responding to unauthorized changes to the configuration settings defined in CM-6 (2), CCI 1758. DoD has determined that it is not appropriate to define at the Enterprise level. Configuration Settings | Respond To Unauthorized Changes CM-6 (2) CM-6(2).1 Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing. Related controls: IR-4, SI-7. The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
CCI-001758 The organization defines configuration settings for which the organization will employ organization-defined security safeguards in response to unauthorized changes. The organization conducting the inspection/assessment obtains and examines the configuration management policy to ensure the organization being inspected/assessed defines the configuration settings for which the organization will employ security safeguards CM-6 (2), CCI 1757 in response to unauthorized changes. DoD has defined the configuration settings as security related configuration settings defined at the program/system level. The organization being inspected/assessed must define and document in the configuration management policy, the configuration settings for which the organization will employ security safeguards defined in CM-6 (2), CCI 1757 in response to unauthorized changes. DoD has defined the configuration settings as security related configuration settings defined at the program/system level. Configuration Settings | Respond To Unauthorized Changes CM-6 (2) CM-6(2).2 Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing. Related controls: IR-4, SI-7. The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
CCI-001759 The organization employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings. The organization conducting the inspection/assessment obtains and examines the documented process and the audit trail of security safeguard implementation to ensure the organization being inspected/assessed implements security safeguards defined in CM-6 (2), CCI 1757 to respond to unauthorized changes to security related configuration settings defined at the program/system level. DoD has defined the configuration settings as security related configuration settings defined at the program/system level. The organization being inspected/assessed documents and implements security safeguards defined in CM-6 (2), CCI 1757 to respond to unauthorized changes to security related configuration settings defined at the program/system level. The organization must maintain an audit trail of security safeguard implementation. DoD has defined the configuration settings as security related configuration settings defined at the program/system level. Configuration Settings | Respond To Unauthorized Changes CM-6 (2) CM-6(2).3 Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing. Related controls: IR-4, SI-7. The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
CCI-002059 The organization defines the information system components for which the organization will employ automated mechanisms to centrally manage, apply, and verify configuration settings. The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components for which the organization will employ automated mechanisms to centrally manage, apply, and verify configuration settings. DoD has determined the information system components are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system components for which the organization will employ automated mechanisms to centrally manage, apply, and verify configuration settings. DoD has determined the information system components are not appropriate to define at the Enterprise level. Configuration Settings | Automated Central Management / Application / Verification CM-6 (1) CM-6(1).4 Related controls: CA-7, CM-4. The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
CCI-001760 The organization defines the frequency of information system reviews to identify unnecessary and/or nonsecure functions, ports, protocols, and services. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 30 days. DoD has defined the frequency as every 30 days. Least Functionality | Periodic Review CM-7 (1) CM-7(1).2 The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2. The organization: (a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and (b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
CCI-001761 The organization defines the functions, ports, protocols, and services within the information system that are to be disabled when deemed unnecessary and/or nonsecure. The organization conducting the inspection/assessment obtains and examines the system security plan to ensure the organization being inspected/assessed defines the functions, ports, protocols and services within the information system that are to be disabled when deemed unnecessary. DoD has determined that it is not appropriate to define unnecessary functions, ports, protocols and services at the Enterprise level. Nonsecure functions, ports, protocols and services are defined in DoDI 8551.01. The organization being inspected/assessed must define and document in the system security plan, the functions, ports, protocols and services within the information system that are to be disabled when deemed unnecessary. DoD has determined that it is not appropriate to define unnecessary functions, ports, protocols and services at the Enterprise level. Nonsecure functions, ports, protocols and services are defined in DoDI 8551.01. Least Functionality | Periodic Review CM-7 (1) CM-7(1).3 The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2. The organization: (a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and (b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
CCI-001762 The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed disables functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure as defined in CM-7 (1), CCI 1761. The organization being inspected/assessed must disable functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure as defined in CM-7 (1), CCI 1761. Least Functionality | Periodic Review CM-7 (1) CM-7(1).4 The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2. The organization: (a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and (b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
CCI-001763 The organization defines the policies regarding software program usage and restrictions. The organization conducting the inspection/assessment obtains and examines the rules as well as the software list to ensure that all network capable software programs are DoDI 8551 compliant and that the rules authorizing the use of all other programs are defined. DoD has determined that the rules authorizing the terms and conditions of software program usage on the information system are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents their rules for approval of software program usage. For network capable software programs, the organization being inspected/assessed complies with DoDI 8551. DoD has determined that the rules authorizing the terms and conditions of software program usage on the information system are not appropriate to define at the Enterprise level. Least Functionality | Prevent Program Execution CM-7 (2) CM-7(2).2 Related controls: CM-8, PM-5. The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
CCI-001764 The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. The organization conducting the inspection/assessment examines the information systems to ensure the systems are configured to prevent the execution of programs not authorized in accordance with CM-7 (2) CCIs 1592 and 1763. The organization being inspected/assessed configures the information system to prevent the execution of programs not authorized in accordance with CM-7 (2) CCIs 1592 and 1763. Least Functionality | Prevent Program Execution CM-7 (2) CM-7(2).3 Related controls: CM-8, PM-5. The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
CCI-001765 The organization defines the software programs not authorized to execute on the information system. The organization conducting the inspection/assessment obtains and examines the documented list of software programs not authorized to execute to ensure that list is defined. The organization conducting the inspection/assessment reviews the list to ensure that any network capable software is included IAW DoDI 8551.01. DoD has determined that a comprehensive list of unauthorized software programs is not appropriate to define at the Enterprise level. The organization being inspected/assessed must define and document software programs not authorized to execute on the information system. For network capable software, the organization-defined list must include all software programs as defined IAW DoDI 8551.01. DoD has determined that a comprehensive list of unauthorized software programs is not appropriate to define at the Enterprise level. Least Functionality | Unauthorized Software / Blacklisting CM-7 (4) CM-7(4).1 The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5. The organization: (a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; (b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and (c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
CCI-001766 The organization identifies the organization-defined software programs not authorized to execute on the information system. The organization conducting the inspection/assessment obtains and examines the documented list of software programs not authorized to execute to ensure that list is defined. The organization conducting the inspection/assessment reviews the list to ensure that any network capable software is included IAW DoDI 8551.01. The organization being inspected/assessed must define and document software programs not authorized to execute on the information system. For network capable software, the organization-defined list must include all software programs as defined IAW DoDI 8551.01. Least Functionality | Unauthorized Software / Blacklisting CM-7 (4) CM-7(4).2 The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5. The organization: (a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; (b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and (c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
CCI-001767 The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system. Within the DoD, this control cannot be implemented. Within the DoD, this control cannot be implemented. Least Functionality | Unauthorized Software / Blacklisting CM-7 (4) CM-7(4).3 The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5. The organization: (a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; (b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and (c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
CCI-001768 The organization defines the frequency on which it will review and update the list of unauthorized software programs. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as monthly. DoD has defined the frequency as monthly. Least Functionality | Unauthorized Software / Blacklisting CM-7 (4) CM-7(4).4 The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5. The organization: (a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; (b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and (c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
CCI-001769 The organization defines the frequency on which it will update the list of unauthorized software programs.
CCI-001770 The organization reviews and updates the list of unauthorized software programs per organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reviews and updates to ensure that the organization being inspected/assessed reviews and updates the list of unauthorized software programs monthly. DoD has defined the frequency as monthly. The organization being inspected/assessed documents and implements a process to review and update the list of unauthorized software programs monthly. The organization must maintain an audit trail of the review and update activity. DoD has defined the frequency as monthly. Least Functionality | Unauthorized Software / Blacklisting CM-7 (4) CM-7(4).5 The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution. Related controls: CM-6, CM-8, PM-5. The organization: (a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system]; (b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and (c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
CCI-001771 The organization updates the list of unauthorized software programs per organization-defined frequency.
CCI-001772 The organization defines the software programs authorized to execute on the information system. The organization conducting the inspection/assessment obtains and examines the documented list of software programs that are authorized to execute to ensure that list is defined. DoD has determined that a comprehensive list of unauthorized software programs is not appropriate to define at the Enterprise level. The organization being inspected/assessed must define and document software programs that are authorized to execute on the information system. DoD has determined that a comprehensive list of unauthorized software programs is not appropriate to define at the Enterprise level. Least Functionality | Authorized Software / Whitelisting CM-7 (5) CM-7(5).1 The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
CCI-001773 The organization identifies the organization-defined software programs authorized to execute on the information system. The organization conducting the inspection/assessment obtains and examines the documented list of software programs that are authorized to execute to ensure that list is defined. The organization being inspected/assessed must define and document software programs that are authorized to execute on the information system. Least Functionality | Authorized Software / Whitelisting CM-7 (5) CM-7(5).2 The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
CCI-001774 The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system. The organization conducting the inspection/assessment examines the information system to ensure that it is configured to deny-all and only permit by exception the execution of authorized software programs on the information system. The organization being inspected/assessed configures the information system to deny-all and only permit by exception the execution of authorized software programs on the information system. Least Functionality | Authorized Software / Whitelisting CM-7 (5) CM-7(5).3 The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
CCI-001775 The organization defines the frequency on which it will review and update the list of authorized software programs. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as monthly. DoD has defined the frequency as monthly. Least Functionality | Authorized Software / Whitelisting CM-7 (5) CM-7(5).4 The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
CCI-001776 The organization defines the frequency on which it will update the list of authorized software programs.
CCI-001777 The organization reviews and updates the list of authorized software programs per organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of reviews and updates to ensure that the organization being inspected/assessed reviews and updates the list of authorized software programs monthly. DoD has defined the frequency as monthly. The organization being inspected/assessed documents and implements a process to review and update the list of authorized software programs monthly. The organization must maintain an audit trail of the review and update activity. DoD has defined the frequency as monthly. Least Functionality | Authorized Software / Whitelisting CM-7 (5) CM-7(5).5 The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
CCI-001778 The organization updates the list of authorized software programs per organization-defined frequency.
CCI-001779 The organization defines the frequency on which the information system component inventory is to be reviewed and updated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at a minimum, annually. DoD has defined the frequency as at a minimum, annually. Information System Component Inventory CM-8 CM-8.6 Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
CCI-001780 The organization reviews and updates the information system component inventory per organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the documented process for reviews and updates as well as the audit trail of reviews and updates to ensure the organization being inspected/assessed reviews and updates the information system component inventory at a minimum, annually. DoD has defined the frequency as at a minimum, annually. The organization being inspected/assessed documents and implements a process to review and update the information system component inventory at a minimum, annually. The organization must maintain an audit trail of review and update activity. DoD has defined the frequency as at a minimum, annually. Information System Component Inventory CM-8 CM-8.7 Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
CCI-001781 The organization defines the frequency on which the information system component inventory is to be updated.
CCI-001782 The organization updates the information system component inventory per organization-defined frequency.
CCI-001783 The organization defines the personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the information system. The organization conducting the inspection/assessment obtains and examines the documented list of personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the information system to ensure the organization being inspected/assessed has either defined additional personnel or roles, or identified that there are no additional personnel or roles. DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. The organization being inspected/assessed defines and documents any personnel or roles, in addition to the ISSO or ISSM, to be notified when unauthorized hardware, software, and firmware components are detected within the information system. If there are no additional personnel or roles, the organization must also document that. DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. Information System Component Inventory | Automated Unauthorized Component Detection CM-8 (3) CM-8(3).3 This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing. Related controls: AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5. The organization: (a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
CCI-001784 When unauthorized hardware, software, and firmware components are detected within the information system, the organization takes action to disable network access by such components, isolates the components, and/or notifies organization-defined personnel or roles. The organization conducting the inspection/assessment obtains and examines the documented process and audit trail for taking action upon detection of unauthorized components to ensure the organization being inspected/assessed takes action to disable network access by unauthorized software, hardware, and firmware components, isolate the components, and/or notify the ISSO and ISSM and others as the local organization deems appropriate. DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. The organization being inspected/assessed documents and implements a process to take action to disable network access by unauthorized software, hardware, and firmware components, isolate the components, and/or notify the ISSO and ISSM and others as the local organization deems appropriate. The organization must maintain an audit trail of actions taken upon detection of unauthorized software, hardware, and firmware components. DoD has defined the personnel or roles as the ISSO and ISSM and others as the local organization deems appropriate. Information System Component Inventory | Automated Unauthorized Component Detection CM-8 (3) CM-8(3).4 This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing. Related controls: AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5. The organization: (a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
CCI-001785 The organization provides a centralized repository for the inventory of information system components. The organization conducting the inspection/assessment obtains and examines the documentation of a centralized repository to ensure the organization being inspected/assessed provides a centralized repository for the inventory of information system components. The organization being inspected/assessed documents and implements a centralized repository for the inventory of information system components. Information System Component Inventory | Centralized Repository CM-8 (7) CM-8(7).1 Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. Centralized repositories of information system component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. Organizations ensure that the resulting centralized inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). The organization provides a centralized repository for the inventory of information system components.
CCI-001786 The organization employs automated mechanisms to support tracking of information system components by geographic location. The organization conducting the inspection/assessment obtains and examines the documentation of the automated mechanisms to ensure the organization being inspected/assessed employs automated mechanisms to support tracking of information system components by geographic location. The organization being inspected/assessed documents and implements automated mechanisms to support tracking of information system components by geographic location. Information System Component Inventory | Automated Location Tracking CM-8 (8) CM-8(8).1 The use of automated mechanisms to track the location of information system components can increase the accuracy of component inventories. Such capability may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. The organization employs automated mechanisms to support tracking of information system components by geographic location.
CCI-001787 The organization defines the acquired information system components that are to be assigned to an information system. The organization conducting the inspection/assessment obtains and examines the documentation of acquired information system components to ensure the organization being inspected/assessed defines the acquired information system components that are to be assigned to an information system. DoD has determined that the acquired information system components are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the acquired information system components that are to be assigned to an information system. At no lower than the AO level, the organization must define and document the criteria for or types of information system components where assignment must be tracked. For example, all information system components that collect, store, or process information and are not themselves simply a storage media. DoD has determined that the acquired information system components are not appropriate to define at the Enterprise level. Information System Component Inventory | Assignment Of Components To Systems CM-8 (9) CM-8(9).1 Organizations determine the criteria for or types of information system components (e.g., microprocessors, motherboards, software, programmable logic controllers, and network devices) that are subject to this control enhancement. Related control: SA-4. The organization: (a) Assigns [Assignment: organization-defined acquired information system components] to an information system; and (b) Receives an acknowledgement from the information system owner of this assignment.
CCI-001788 The organization assigns organization-defined acquired information system components to an information system. The organization conducting the inspection/assessment obtains and examines the documentation pertaining to the acquisition of information system components to ensure the organization being inspected/assessed assigns acquired information system components, as defined in CM-8 (9), CCI 1787, to an information system. The organization being inspected/assessed assigns and documents the assignment of acquired information system components, as defined in CM-8 (9), CCI 1787, to an information system. Information System Component Inventory | Assignment Of Components To Systems CM-8 (9) CM-8(9).2 Organizations determine the criteria for or types of information system components (e.g., microprocessors, motherboards, software, programmable logic controllers, and network devices) that are subject to this control enhancement. Related control: SA-4. The organization: (a) Assigns [Assignment: organization-defined acquired information system components] to an information system; and (b) Receives an acknowledgement from the information system owner of this assignment.
CCI-001789 The organization receives an acknowledgement from the information system owner of the assignment of the acquired information system components to an information system. The organization conducting the inspection/assessment obtains and examines the documented process and audit trail of acknowledgements to ensure the organization being inspected/assessed receives an acknowledgement from the information system owner of the assignment of the acquired information system components to an information system. The organization being inspected/assessed documents and implements a process to ensure the organization receives an acknowledgement from the information system owner of the assignment of the acquired information system components to an information system. The organization must maintain an audit trail of the acknowledgements. Information System Component Inventory | Assignment Of Components To Systems CM-8 (9) CM-8(9).3 Organizations determine the criteria for or types of information system components (e.g., microprocessors, motherboards, software, programmable logic controllers, and network devices) that are subject to this control enhancement. Related control: SA-4. The organization: (a) Assigns [Assignment: organization-defined acquired information system components] to an information system; and (b) Receives an acknowledgement from the information system owner of this assignment.
CCI-001790 The organization develops a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle. The organization conducting the inspection/assessment obtains and examines the configuration management plan to verify it establishes and documents a process for identifying configuration items throughout the system development life cycle. The organization being inspected/assessed will develop and document a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle. Configuration Management Plan CM-9 CM-9.3 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-001791 The organization documents a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.
CCI-001792 The organization implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle. The organization conducting the inspection/assessment obtains and examines the configuration management plan as well as evidence of implementation (e.g., completed change requests, meeting minutes, and other relevant documents) to ensure the organization being inspected/assessed implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle. Checks should include verification that items being processed for CM are the items identified and that identified configuration items have not been changed without going through the documented process. The organization being inspected/assessed will implement a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle. Configuration Management Plan CM-9 CM-9.4 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-001793 The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. The organization conducting the inspection/assessment obtains and examines the configuration management plan to ensure it establishes and documents a process for managing the configuration of the configuration items. The organization being inspected/assessed will develop and document a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. Configuration Management Plan CM-9 CM-9.5 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-001794 The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CCI-001795 The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. The organization conducting the inspection/assessment obtains and examines the configuration management plan as well as evidence of implementation (e.g., completed change requests, meeting minutes, and other relevant documents) to ensure the organization being inspected/assessed implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items. The organization being inspected/assessed will implement a configuration management plan that has a process for controlling changes to configuration items. Configuration Management Plan CM-9 CM-9.6 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-001796 The organization develops a configuration management plan for the information system that places the configuration items under configuration management. The organization conducting the inspection/assessment obtains and examines the configuration management plan to ensure the organization being inspected/assessed documents that configuration items are placed under configuration management. The organization being inspected/assessed will develop and document a configuration management plan for the information system that places the configuration items under configuration management. Configuration Management Plan CM-9 CM-9.9 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-001797 The organization documents a configuration management plan for the information system that places the configuration items under configuration management.
CCI-001798 The organization implements a configuration management plan for the information system that places the configuration items under configuration management. The organization conducting the inspection/assessment obtains and examines the configuration management plan as well as evidence of implementation (e.g., completed change requests, meeting minutes, and other relevant documents) to ensure the organization being inspected/assessed implements a configuration management plan for the information system and that configuration items identified are under configuration management. The organization being inspected/assessed will implement a configuration management plan for the information system that places the configuration items under configuration management. Configuration Management Plan CM-9 CM-9.10 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-001799 The organization develops and documents a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification. The organization conducting the inspection/assessment obtains and examines the configuration management plan to verify that it identifies the protection measures. The organization being inspected/assessed must develop and document a plan to protect the configuration management plan from unauthorized disclosure and modification. Measures must include marking, labeling, and handling to prevent improper disclosure. The organization being inspected/assessed must ensure that all changes to the CM plan are approved. Configuration Management Plan CM-9 CM-9.11 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-001800 The organization documents a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.
CCI-001801 The organization implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification. The organization conducting the inspection/assessment obtains and examines the configuration management plan to verify that the identified protection measures are implemented. The organization being inspected/assessed must implement a plan to protect the configuration management plan from unauthorized disclosure and modification. Measures must include marking, labeling, and handling to prevent improper disclosure. The organization being inspected/assessed must ensure that all changes to the CM plan are approved. Configuration Management Plan CM-9 CM-9.12 Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10. The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the information system and places the configuration items under configuration management; and d. Protects the configuration management plan from unauthorized disclosure and modification.
CCI-001726 The organization uses software in accordance with contract agreements. The organization conducting the inspection/assessment obtains and examines a sampling of contract agreements and supporting evidence concerning the usage of software to ensure compliance with the contract agreements. The organization being inspected/assessed uses software in accordance with contract agreements. Software Usage Restrictions CM-10 CM-10.1 Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-001727 The organization uses software documentation in accordance with contract agreements. The organization conducting the inspection/assessment obtains and examines a sampling of contract agreements associated with software documentation and supporting evidence concerning the usage of software documentation to ensure compliance with contract agreements. The organization being inspected/assessed uses software documentation in accordance with contract agreements. Software Usage Restrictions CM-10 CM-10.2 Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-001728 The organization uses software in accordance with copyright laws. The organization conducting the inspection/assessment obtains and examines supporting evidence concerning the usage of software to ensure compliance with copyright laws. The organization being inspected/assessed uses software in accordance with copyright laws. Software Usage Restrictions CM-10 CM-10.3 Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-001729 The organization uses software documentation in accordance with copyright laws. The organization conducting the inspection/assessment obtains and examines supporting evidence concerning the usage of software documentation to ensure compliance with copyright laws. The organization being inspected/assessed uses software documentation in accordance with copyright laws. Software Usage Restrictions CM-10 CM-10.4 Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-001730 The organization tracks the use of software protected by quantity licenses to control copying of the software. The organization conducting the inspection/assessment obtains and examines the tracking records to ensure the organization being inspected/assessed tracks the use of software protected by quantity licenses to control copying of the software. The organization being inspected/assessed tracks the use of software protected by quantity licenses to control copying of the software. Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Software Usage Restrictions CM-10 CM-10.5 Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-001731 The organization tracks the use of software documentation protected by quantity licenses to control distribution of the software documentation. The organization conducting the inspection/assessment obtains and examines the tracking records to ensure the organization being inspected/assessed tracks the use of software documentation protected by quantity licenses to control distribution of the software documentation. The organization being inspected/assessed tracks the use of software documentation protected by quantity licenses to control distribution of the software documentation. Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Software Usage Restrictions CM-10 CM-10.6 Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-001732 The organization controls the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. The organization conducting the inspection/assessment obtains and examines the audit trail of peer-to-peer file sharing technology reviews and authorizations to ensure the organization being inspected/assessed controls the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. The organization being inspected/assessed reviews and authorizes in order to control the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. The organization must maintain an audit trail of peer-to-peer file sharing technology reviews and authorizations. Software Usage Restrictions CM-10 CM-10.9 Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-001733 The organization documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. The organization conducting the inspection/assessment obtains and examines the documentation for the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. The organization being inspected/assessed documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. Software Usage Restrictions CM-10 CM-10.10 Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-001734 The organization defines the restrictions to be followed on the use of open source software. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the restrictions as IAW DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)" 16 Oct 2009 (http://dodcio.defense.gov/Home/Issuances/DoDCIOMemorandums.aspx). DoD has defined the restrictions as IAW DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)" 16 Oct 2009 (http://dodcio.defense.gov/Home/Issuances/DoDCIOMemorandums.aspx). Software Usage Restrictions | Open Source Software CM-10 (1) CM-10(1).1 Open source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open source software is that it provides organizations with the ability to examine the source code. However, there are also various licensing issues associated with open source software including, for example, the constraints on derivative use of such software. The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].
CCI-001735 The organization establishes organization-defined restrictions on the use of open source software. DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)" 16 Oct 2009 (http://dodcio.defense.gov/Home/Issuances/DoDCIOMemorandums.aspx) meets the DoD requirement for establishing restrictions on the use of open source software. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)." DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)" 16 Oct 2009 (http://dodcio.defense.gov/Home/Issuances/DoDCIOMemorandums.aspx) meets the DoD requirement for establishing restrictions on the use of open source software. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoD Memorandum "Clarifying Guidance Regarding Open Source Software (OSS)." Software Usage Restrictions | Open Source Software CM-10 (1) CM-10(1).2 Open source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open source software is that it provides organizations with the ability to examine the source code. However, there are also various licensing issues associated with open source software including, for example, the constraints on derivative use of such software. The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].
CCI-001802 The organization tracks the use of software documentation protected by quantity licenses to control copying of the software documentation. The organization conducting the inspection/assessment obtains and examines the tracking records to ensure the organization being inspected/assessed tracks the use of software documentation protected by quantity licenses to control copying of the software documentation. The organization being inspected/assessed tracks the use of software documentation protected by quantity licenses to control copying of the software documentation. Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Software Usage Restrictions CM-10 CM-10.7 Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-001803 The organization tracks the use of software protected by quantity licenses to control distribution of the software. The organization conducting the inspection/assessment obtains and examines the tracking records to ensure the organization being inspected/assessed tracks the use of software protected by quantity licenses to control distribution of the software. The organization being inspected/assessed tracks the use of software protected by quantity licenses to control distribution of the software. Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Software Usage Restrictions CM-10 CM-10.8 Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7. The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CCI-001804 The organization defines the policies for governing the installation of software by users. The organization conducting the inspection/assessment obtains and examines policies governing the installation of software by users (e.g., user agreements, CM plan, etc.) to ensure the organization being inspected/assessed defines the policies for governing the installation of software by users. DoD has determined the policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed must define policies governing the installation of software by users. DoD has determined the policies are not appropriate to define at the Enterprise level. User-Installed Software CM-11 CM-11.1 If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency].
CCI-001805 The organization establishes organization-defined policies governing the installation of software by users. The organization conducting the inspection/assessment obtains and examines documented policies governing the installation of software by users (e.g., user agreements, CM plan, etc.) to ensure the organization being inspected/assessed establishes policies governing the installation of software by users. The organization being inspected/assessed documents their policies governing the installation of software by users (e.g., user agreements, CM plan, etc.). User-Installed Software CM-11 CM-11.2 If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency].
CCI-001806 The organization defines methods to be employed to enforce the software installation policies. The organization conducting the inspection/assessment obtains and examines documentation of the methods employed to ensure the organization being inspected/assessed defines methods to be employed to enforce the software installation policies. DoD has determined the policies are not appropriate to define at the Enterprise level. The organization being inspected/assessed must define and document the methods employed to enforce the software installation policies. DoD has determined the policies are not appropriate to define at the Enterprise level. User-Installed Software CM-11 CM-11.3 If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency].
CCI-001807 The organization enforces software installation policies through organization-defined methods. The organization conducting the inspection/assessment obtains and examines software installation policies defined in CM-11, CCI 1804 and inspects the methods defined in CM-11, CCI 1806 to verify they are properly implemented. The organization being inspected/assessed must enforce software installation policies as defined in CM-11, CCI 1804 through methods defined in CM-11, CCI 1806. User-Installed Software CM-11 CM-11.4 If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency].
CCI-001808 The organization defines the frequency on which it will monitor software installation policy compliance. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least monthly. DoD has defined the frequency as at least monthly. User-Installed Software CM-11 CM-11.5 If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency].
CCI-001809 The organization monitors software installation policy compliance per an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the audit trails of monitoring activities to ensure the organization being inspected/assessed monitors software installation policy compliance at least monthly. DoD has defined the frequency as at least monthly. The organization being inspected/assessed must monitor software installation policy compliance at least monthly. The organization must maintain audit trails of monitoring activity. DoD has defined the frequency as at least monthly. User-Installed Software CM-11 CM-11.6 If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4. The organization: a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; b. Enforces software installation policies through [Assignment: organization-defined methods]; and c. Monitors policy compliance at [Assignment: organization-defined frequency].
CCI-001810 The organization defines the personnel or roles to be notified when unauthorized software is detected. The organization conducting the inspection/assessment obtains and examines the documentation of the personnel or roles to be notified when unauthorized software is detected to ensure that ISSO and ISSM and others as the local organization deems appropriate are defined. DoD has defined the personnel or roles that must be notified when unauthorized software is detected as the ISSO and ISSM and others as the local organization deems appropriate. The organization being inspected/assessed must define and document the personnel or roles to be notified when unauthorized software is detected. DoD has defined the personnel or roles that must be notified when unauthorized software is detected as the ISSO and ISSM and others as the local organization deems appropriate. User-Installed Software | Alerts For Unauthorized Installations CM-11 (1) CM-11(1).1 Related controls: CA-7, SI-4. The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.
CCI-001811 The information system alerts organization-defined personnel or roles when the unauthorized installation of software is detected. The organization conducting the inspection/assessment obtains and examines the configuration of the automated mechanism or evidence that alerts are occurring when unauthorized software is installed to ensure the information system alerts the ISSO and ISSM and others as the local organization deems appropriate when the unauthorized installation of software is detected. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1811. DoD has defined the personnel or roles that must be notified when unauthorized software is detected as the ISSO and ISSM and others as the local organization deems appropriate. The organization being inspected/assessed must configure the information system to alert the ISSO and ISSM and others as the local organization deems appropriate when the unauthorized installation of software is detected. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1811. DoD has defined the personnel or roles that must be notified when unauthorized software is detected as the ISSO and ISSM and others as the local organization deems appropriate. User-Installed Software | Alerts For Unauthorized Installations CM-11 (1) CM-11(1).2 Related controls: CA-7, SI-4. The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.
CCI-001812 The information system prohibits user installation of software without explicit privileged status. The organization conducting the inspection/assessment obtains and examines the configuration of the information system components to ensure that installation of software without explicit privileged status is prohibited. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1812. The organization being inspected/assessed must configure the information system to prevent the installation of software by non-privileged users. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1812. User-Installed Software | Prohibit Installation Without Privileged Status CM-11 (2) CM-11(2).1 Privileged status can be obtained, for example, by serving in the role of system administrator. Related control: AC-6. The information system prohibits user installation of software without explicit privileged status.
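The CM-11 rows above (CCI-001809 monthly compliance monitoring with an audit trail, CCI-001811 alerting the ISSO/ISSM on unauthorized installs, and CCI-001812 prohibiting installs without privileged status) describe an automated enforcement method without showing one. The following is an added example, not code from the CCI list or from DISA: it compares a constructed package inventory (name, version, installing account) against a constructed approved baseline, flags packages that are off-baseline, at an unapproved version, or installed by a non-privileged account, and emits a JSON audit record naming the roles to notify. The inventory lines, package names, hostname and baseline are all hypothetical; on a real host the inventory would come from the platform's package manager or software inventory tool.

```python
"""Baseline-vs-inventory check in the spirit of CM-11 monitoring and CM-11(1)
alerting. Added example; all sample data below is constructed, not from the
original page."""
import json
from datetime import datetime, timezone

# Constructed sample inventory (hypothetical): name, version, installing account.
SAMPLE_INVENTORY = """\
# name\tversion\tinstalled_by
openssh-server\t9.3p1\troot
curl\t8.4.0\troot
vlc\t3.0.20\tjdoe
openssh-server\t9.4p1\tjdoe
"""

# Constructed approved baseline: package -> set of approved versions, or "*" to
# permit any version (e.g. vendor security patches to already-approved software).
APPROVED_BASELINE = {
    "openssh-server": "*",
    "curl": {"8.4.0"},
}

# Roles DoD names for CM-11(1) alerts; the local organization may add others.
NOTIFY_ROLES = ("ISSO", "ISSM")


def parse_inventory(text):
    """Parse tab-separated inventory lines into dicts, skipping comments and blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"malformed inventory line: {line!r}")
        name, version, installer = parts
        records.append({"name": name, "version": version, "installed_by": installer})
    return records


def find_unauthorized(records, baseline, privileged_accounts=("root",)):
    """Return the records that violate the software installation policy.

    A record is unauthorized when the package is absent from the baseline, its
    version is not an approved one, or a non-privileged account performed the
    install (the CM-11(2) condition). Every failed check is listed as a reason.
    """
    findings = []
    for rec in records:
        reasons = []
        allowed = baseline.get(rec["name"])
        if allowed is None:
            reasons.append("package not in approved baseline")
        elif allowed != "*" and rec["version"] not in allowed:
            reasons.append("version not approved")
        if rec["installed_by"] not in privileged_accounts:
            reasons.append("installed by non-privileged account")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def build_alert(hostname, findings, now=None, roles=NOTIFY_ROLES):
    """Build a JSON-serialisable audit/alert record for one monitoring run.

    A record is produced even with no findings, so the audit trail shows that the
    periodic check actually ran; roles are only listed when there is something
    to alert on.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "control": "CM-11",
        "host": hostname,
        "checked_at": ts,
        "unauthorized_count": len(findings),
        "findings": findings,
        "notify": list(roles) if findings else [],
    }


def run_check(inventory_text, baseline, hostname="host01", now=None):
    """Parse, evaluate, and return the audit record and its JSON line."""
    findings = find_unauthorized(parse_inventory(inventory_text), baseline)
    record = build_alert(hostname, findings, now=now)
    return record, json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    _, audit_line = run_check(SAMPLE_INVENTORY, APPROVED_BASELINE)
    print(audit_line)  # one JSON line per run, suitable for appending to an audit log
```

Appending each JSON line to a write-protected log and shipping it to the SIEM gives the assessor the monitoring audit trail CCI-001809 asks for; routing records with a non-empty `notify` list to the ISSO/ISSM covers the CCI-001811 alert. The check is a detective complement to, not a substitute for, the preventive configuration CCI-001812 requires.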
CCI-002825 The organization defines personnel or roles to whom the contingency planning policy is to be disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as all stakeholders identified in the contingency plan. DoD has defined the personnel or roles as all stakeholders identified in the contingency plan. Contingency Planning Policy And Procedures CP-1 CP-1.3 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-002826 The organization defines personnel or roles to whom the contingency planning procedures are disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as all stakeholders identified in the contingency plan. DoD has defined the personnel or roles as all stakeholders identified in the contingency plan. Contingency Planning Policy And Procedures CP-1 CP-1.6 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
CCI-002827 The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. The organization conducting the inspection/assessment obtains and examines service level agreements and/or memorandums of agreement with external service providers to ensure the organization being inspected/assessed coordinates with those providers. The organization being inspected/assessed implements service level agreements and/or memorandums of agreement with external service providers necessary for the conduct of contingency plans to ensure that contingency requirements can be satisfied. Contingency Plan | Coordinate With External Service Providers CP-2 (7) CP-2(7).1 When the capability of an organization to successfully carry out its core missions/business functions is dependent on external service providers, developing a timely and comprehensive contingency plan may become more challenging. In this situation, organizations coordinate contingency planning activities with the external entities to ensure that the individual plans reflect the overall contingency needs of the organization. Related control: SA-9. The organization coordinates its contingency plan with the contingency plans of external service providers to ensure contingency requirements can be satisfied.
CCI-002828 The organization identifies critical information system assets supporting essential missions. The organization conducting the inspection/assessment obtains and examines the documented list of critical information system assets supporting essential missions to ensure the organization being inspected/assessed identifies those assets. The organization being inspected/assessed identifies and documents critical information system assets supporting essential missions. Contingency Plan | Identify Critical Assets CP-2 (8) CP-2(8).1 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets. Related controls: SA-14, SA-15. The organization identifies critical information system assets supporting essential missions and business functions.
CCI-002829 The organization identifies critical information system assets supporting essential business functions. The organization conducting the inspection/assessment obtains and examines the documented list of critical information system assets supporting essential business functions to ensure the organization being inspected/assessed identifies those assets. The organization being inspected/assessed identifies and documents critical information system assets supporting essential business functions. Contingency Plan | Identify Critical Assets CP-2 (8) CP-2(8).2 Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets. Related controls: SA-14, SA-15. The organization identifies critical information system assets supporting essential missions and business functions.
CCI-002830 The organization defines the personnel or roles who review and approve the contingency plan for the information system. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. Contingency Plan CP-2 CP-2.16 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-002831 The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the list as all stakeholders identified in the contingency plan. DoD has defined the list as all stakeholders identified in the contingency plan. Contingency Plan CP-2 CP-2.27 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-002832 The organization protects the contingency plan from unauthorized disclosure and modification. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed protects the contingency plan from unauthorized disclosure and modification. The organization being inspected/assessed documents and implements a process to protect the contingency plan from unauthorized disclosure and modification. Contingency Plan CP-2 CP-2.28 Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11. The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
CCI-002833 The organization defines the time period within which contingency training is to be provided to information system users, consistent with assigned roles and responsibilities, of assuming a contingency role or responsibility. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as at a maximum, 10 working days. DoD has defined the time period as at a maximum, 10 working days. Contingency Training CP-3 CP-3.2 Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-002834 The organization provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes. The organization conducting the inspection/assessment obtains and examines training materials and documentation of training activities to determine whether the materials are accurate in consideration of the state of the information system and content of the contingency plan. The organization ensures that training is provided to users consistent with assigned roles and responsibilities. The organization being inspected/assessed will update contingency training materials when required by information system changes and provide that training to personnel with contingency roles and responsibilities IAW CP-2, CCI 449. The organization will maintain documentation of the training activity dates, location, and personnel for audit trail purposes and future reference (e.g., scheduling refresher training, etc.). Contingency Training CP-3 CP-3.3 Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-002835 The organization tests the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations. The organization conducting the inspection/assessment obtains and examines the test results to ensure the organization being inspected/assessed tests the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations. The organization being inspected/assessed will perform contingency plan testing at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations. The organization must maintain a record of test results. Contingency Plan Testing | Alternate Processing Site CP-4 (2) CP-4(2).2 Related control: CP-7. The organization tests the contingency plan at the alternate processing site: (a) To familiarize contingency personnel with the facility and available resources; and (b) To evaluate the capabilities of the alternate processing site to support contingency operations.
CCI-002836 The organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. The organization conducting the inspection/assessment obtains and examines the documentation of the primary/alternate site information security safeguards that are in place as well as evidence that the alternate site was approved based on an assessment that security is equivalent at the alternate site. The organization being inspected/assessed documents the information security safeguards that are in place at both the primary and alternate sites and evidence that the alternate site was approved based on an assessment that security is equivalent at the alternate site. Alternate Storage Site CP-6 CP-6.2 Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4. The organization: a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
CCI-002837 The organization plans for circumstances that preclude returning to the primary processing site. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed plans for circumstances that preclude returning to the primary processing site. The organization being inspected/assessed documents a process to be followed in the event of circumstances that preclude returning to the primary processing site. Alternate Processing Site | Inability To Return To Primary Site CP-7 (6) CP-7(6).1 The organization plans and prepares for circumstances that preclude returning to the primary processing site.
CCI-002838 The organization prepares for circumstances that preclude returning to the primary processing site. The organization conducting the inspection/assessment obtains and examines system resource lists or agreements with external support providers to ensure the organization being inspected/assessed prepares for circumstances that preclude returning to the primary processing site. The organization being inspected/assessed makes the resources available necessary to implement the plan documented IAW CP-7 (6), CCI 2837. Alternate Processing Site | Inability To Return To Primary Site CP-7 (6) CP-7(6).2 The organization plans and prepares for circumstances that preclude returning to the primary processing site.
CCI-002839 The organization defines information system operations that are permitted to transfer and resume at an alternate processing site for essential missions/business functions when the primary processing capabilities are unavailable. The organization conducting the inspection/assessment obtains and examines the documented information system operations to ensure the organization being inspected/assessed defines information system operations that are permitted to transfer and resume at an alternate processing site for essential missions/business functions when the primary processing capabilities are unavailable. DoD has determined the information system operations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents information system operations that are permitted to transfer and resume at an alternate processing site for essential missions/business functions when the primary processing capabilities are unavailable. DoD has determined the information system operations are not appropriate to define at the Enterprise level. Alternate Processing Site CP-7 CP-7.4 Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-002840 The organization defines the information system operations to be resumed for essential missions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. The organization conducting the inspection/assessment obtains and examines the documented information system operations to ensure the organization being inspected/assessed defines the information system operations to be resumed for essential missions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. DoD has determined the information system operations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system operations to be resumed for essential missions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. DoD has determined the information system operations are not appropriate to define at the Enterprise level. Telecommunications Services CP-8 CP-8.5 This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-002841 The organization defines the information system operations to be resumed for essential business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. The organization conducting the inspection/assessment obtains and examines the documented information system operations to ensure the organization being inspected/assessed defines the information system operations to be resumed for essential business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. DoD has determined the information system operations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system operations to be resumed for essential business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. DoD has determined the information system operations are not appropriate to define at the Enterprise level. Telecommunications Services CP-8 CP-8.6 This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements. Related controls: CP-2, CP-6, CP-7. The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-002842 The organization reviews provider contingency plans to ensure that the plans meet organizational contingency requirements. The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed reviews provider contingency plans to ensure that the plans meet organizational contingency requirements. The organization being inspected/assessed obtains and examines provider contingency plans to ensure the plans meet organizational contingency requirements. The organization must maintain an audit trail of reviews. Telecommunications Services | Provider Contingency Plan CP-8 (4) CP-8(4).3 Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. The organization: (a) Requires primary and alternate telecommunications service providers to have contingency plans; (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
CCI-002843 The organization defines the frequency with which to obtain evidence of contingency testing by providers. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least annually. DoD has defined the frequency as at least annually. Telecommunications Services | Provider Contingency Plan CP-8 (4) CP-8(4).4 Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. The organization: (a) Requires primary and alternate telecommunications service providers to have contingency plans; (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
CCI-002844 The organization defines the frequency with which to obtain evidence of contingency training by providers. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least annually. DoD has defined the frequency as at least annually. Telecommunications Services | Provider Contingency Plan CP-8 (4) CP-8(4).5 Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. The organization: (a) Requires primary and alternate telecommunications service providers to have contingency plans; (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
CCI-002845 The organization obtains evidence of contingency testing by providers in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the evidence of contingency testing to ensure that the organization being inspected/assessed obtains evidence that contingency testing is conducted by providers at least annually. DoD has defined the frequency as at least annually. The organization being inspected/assessed obtains and maintains evidence of contingency testing by providers to ensure that contingency testing is conducted at least annually. DoD has defined the frequency as at least annually. Telecommunications Services | Provider Contingency Plan CP-8 (4) CP-8(4).6 Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. The organization: (a) Requires primary and alternate telecommunications service providers to have contingency plans; (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
CCI-002846 The organization obtains evidence of contingency training by providers in accordance with organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the evidence of contingency training to ensure that the organization being inspected/assessed obtains evidence that contingency training is conducted by providers at least annually. DoD has defined the frequency as at least annually. The organization being inspected/assessed obtains and maintains evidence of contingency training by providers to ensure that the training is provided at least annually. DoD has defined the frequency as at least annually. Telecommunications Services | Provider Contingency Plan CP-8 (4) CP-8(4).7 Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training. The organization: (a) Requires primary and alternate telecommunications service providers to have contingency plans; (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
CCI-002847 The organization defines the frequency with which to test alternate telecommunication services. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least annually. DoD has defined the frequency as at least annually. Telecommunications Services | Alternate Telecommunication Service Testing CP-8 (5) CP-8(5).1 The organization tests alternate telecommunication services [Assignment: organization-defined frequency].
CCI-002848 The organization tests alternate telecommunication services per organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the documented process as well as the record of tests to ensure the organization being inspected/assessed tests alternate telecommunication services at least annually. DoD has defined the frequency as at least annually. The organization being inspected/assessed documents and implements a process to test alternate telecommunication services at least annually. The organization must maintain a record of tests. DoD has defined the frequency as at least annually. Telecommunications Services | Alternate Telecommunication Service Testing CP-8 (5) CP-8(5).2 The organization tests alternate telecommunication services [Assignment: organization-defined frequency].
CCI-002849 The organization defines critical information system software and other security-related information, of which backup copies must be stored in a separate facility or in a fire-rated container. The organization conducting the inspection/assessment obtains and examines the documented critical information system software and other security-related information to ensure the organization being inspected/assessed defines the critical information system software and other security-related information for which backup copies must be stored in a separate facility or in a fire-rated container. DoD has determined the critical information system software and other security-related information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the critical information system software and other security-related information for which backup copies must be stored in a separate facility or in a fire-rated container. DoD has determined the critical information system software and other security-related information is not appropriate to define at the Enterprise level. Information System Backup | Separate Storage For Critical Information CP-9 (3) CP-9(3).1 Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
CCI-002850 The organization stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system. The organization conducting the inspection/assessment obtains and examines the record of where software is stored to ensure the organization being inspected/assessed stores backup copies of critical information system software and other security-related information defined in CP-9 (3), CCI 2849 in a separate facility or in a fire-rated container that is not collocated with the operational system. The organization being inspected/assessed stores backup copies of critical information system software and other security-related information defined in CP-9 (3), CCI 2849 in a separate facility or in a fire-rated container that is not collocated with the operational system. The organization must maintain a record of where software is stored. Information System Backup | Separate Storage For Critical Information CP-9 (3) CP-9(3).2 Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
CCI-002851 The organization defines the backup information that requires dual authorization for deletion or destruction. The organization conducting the inspection/assessment obtains and examines the documented backup information to ensure the organization being inspected/assessed defines the backup information that requires dual authorization for deletion or destruction. DoD has determined the backup information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the backup information that requires dual authorization for deletion or destruction. DoD has determined the backup information is not appropriate to define at the Enterprise level. Information System Backup | Dual Authorization CP-9 (7) CP-9(7).1 Dual authorization ensures that the deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting/destroying backup information possess sufficient skills/expertise to determine if the proposed deletion/destruction of backup information reflects organizational policies and procedures. Dual authorization may also be known as two-person control. Related controls: AC-3, MP-2. The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].
CCI-002852 The organization enforces dual authorization for the deletion or destruction of organization-defined backup information. The organization conducting the inspection/assessment obtains and examines the documented process and record of deletion and destruction to ensure the organization being inspected/assessed enforces dual authorization for the deletion or destruction of backup information defined in CP-9 (7), CCI 2851. The organization being inspected/assessed documents and implements a process for dual authorization for the deletion or destruction of backup information defined in CP-9 (7), CCI 2851. The organization must maintain a record of deletion or destruction of information defined in CP-9 (7), CCI 2851. Information System Backup | Dual Authorization CP-9 (7) CP-9(7).2 Dual authorization ensures that the deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting/destroying backup information possess sufficient skills/expertise to determine if the proposed deletion/destruction of backup information reflects organizational policies and procedures. Dual authorization may also be known as two-person control. Related controls: AC-3, MP-2. The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].
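The two-person rule in CP-9 (7) is easier to assess when it is enforced in the deletion tooling rather than by procedure alone. The following is an added example (not DISA or NIST code) of how a backup catalog can refuse to delete organization-defined backup information unless two distinct qualified individuals take part, and can keep the deletion record CCI-002852 calls for. The backup identifiers, the approver roster and the notion of a "requester plus approver" workflow are all assumptions made for the illustration.

```python
"""Dual authorization (two-person control) for backup deletion, CP-9 (7).

Added example, not DISA/NIST code. Backup identifiers and the approver
roster below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# CCI-002851: the organization-defined backup information whose deletion or
# destruction requires dual authorization (constructed identifiers).
DUAL_AUTH_BACKUPS = {"db-prod-full-2024w10", "kms-keystore-2024w10"}

# Individuals qualified to delete/destroy backups, mapped to role (hypothetical roster).
QUALIFIED_INDIVIDUALS = {"alice": "backup-admin", "bob": "backup-admin", "carol": "isso"}


class DualAuthorizationError(Exception):
    """Raised when the two-person rule would be violated."""


@dataclass
class DeletionRequest:
    backup_id: str
    requester: str                                  # first qualified individual
    approvals: list = field(default_factory=list)   # further distinct individuals


class BackupCatalog:
    def __init__(self, backup_ids):
        self.backups = set(backup_ids)
        self.audit_log = []  # CCI-002852: record of every deletion/destruction

    def approve(self, request, approver):
        """A second qualified individual concurs with the deletion."""
        if approver not in QUALIFIED_INDIVIDUALS:
            raise DualAuthorizationError(f"{approver} is not a qualified individual")
        if approver == request.requester or approver in request.approvals:
            raise DualAuthorizationError(f"{approver} cannot authorize the same deletion twice")
        request.approvals.append(approver)

    def delete(self, request):
        """Delete a backup; designated backups need two distinct qualified individuals."""
        bid = request.backup_id
        if bid not in self.backups:
            raise KeyError(f"unknown backup {bid}")
        if request.requester not in QUALIFIED_INDIVIDUALS:
            raise DualAuthorizationError(f"{request.requester} is not a qualified individual")
        participants = {request.requester, *request.approvals}
        if bid in DUAL_AUTH_BACKUPS and len(participants) < 2:
            raise DualAuthorizationError(
                f"{bid} requires two qualified individuals; only {sorted(participants)} acted")
        self.backups.remove(bid)
        self.audit_log.append({
            "backup_id": bid,
            "participants": sorted(participants),
            "dual_authorized": bid in DUAL_AUTH_BACKUPS,
            "timestamp": datetime.now(timezone.utc).isoformat(),
        })
        return True


if __name__ == "__main__":
    catalog = BackupCatalog(["db-prod-full-2024w10", "scratch-2024w10"])
    request = DeletionRequest("db-prod-full-2024w10", requester="alice")
    try:
        catalog.delete(request)          # refused: only one person has acted
    except DualAuthorizationError as err:
        print("refused:", err)
    catalog.approve(request, "bob")
    catalog.delete(request)              # permitted: alice and bob both acted
    print(catalog.audit_log[-1])
```

The check is deliberately on distinct identities, not on the number of approval clicks, so one person holding two sessions cannot satisfy it; in a real deployment the identities would come from the authenticated session rather than a string argument.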
CCI-002853 The information system provides the capability to employ organization-defined alternative communications protocols in support of maintaining continuity of operations. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide the capability to employ alternative communications protocols defined in CP-11, CCI 2854 in support of maintaining continuity of operations. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2853. The organization being inspected/assessed configures the information system to provide the capability to employ alternative communications protocols defined in CP-11, CCI 2854 in support of maintaining continuity of operations. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2853. Alternate Communications Protocols CP-11 CP-11.1 Contingency plans and the associated training and testing for those plans, incorporate an alternate communications protocol capability as part of increasing the resilience of organizational information systems. Alternate communications protocols include, for example, switching from Transmission Control Protocol/Internet Protocol (TCP/IP) Version 4 to TCP/IP Version 6. Switching communications protocols may affect software applications and therefore, the potential side effects of introducing alternate communications protocols are analyzed prior to implementation. The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
CCI-002854 The organization defines the alternative communications protocols the information system must be capable of providing in support of maintaining continuity of operations. The organization conducting the inspection/assessment obtains and examines the documented alternative communications protocols to ensure the organization being inspected/assessed defines the alternative communications protocols the information systems must be capable of providing in support of maintaining continuity of operations. DoD has determined the alternative communications protocols are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the alternative communications protocols the information systems must be capable of providing in support of maintaining continuity of operations. DoD has determined the alternative communications protocols are not appropriate to define at the Enterprise level. Alternate Communications Protocols CP-11 CP-11.2 Contingency plans and the associated training and testing for those plans, incorporate an alternate communications protocol capability as part of increasing the resilience of organizational information systems. Alternate communications protocols include, for example, switching from Transmission Control Protocol/Internet Protocol (TCP/IP) Version 4 to TCP/IP Version 6. Switching communications protocols may affect software applications and therefore, the potential side effects of introducing alternate communications protocols are analyzed prior to implementation. The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
CCI-002855 The information system, when organization-defined conditions are detected, enters a safe mode of operation with organization-defined restrictions of safe mode of operation. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enter a safe mode of operation with restrictions of safe mode of operation defined in CP-12, CCI 2857 when conditions defined in CP-12, CCI 2856 are detected. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2855. The organization being inspected/assessed configures the information system to enter a safe mode of operation with restrictions of safe mode of operation defined in CP-12, CCI 2857 when conditions defined in CP-12, CCI 2856 are detected. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2855. Safe Mode CP-12 CP-12.1 For information systems supporting critical missions/business functions including, for example, military operations and weapons systems, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments), organizations may choose to identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated automatically or manually, restricts the types of activities or operations information systems could execute when those conditions are encountered. Restriction includes, for example, allowing only certain functions that could be carried out under limited power or with reduced communications bandwidth. The information system, when [Assignment: organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
CCI-002856 The organization defines the conditions that, when detected, the information system enters a safe mode of operation with organization-defined restrictions of safe mode of operation. The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines the conditions that, when detected, cause the information system to enter a safe mode of operation with organization-defined restrictions of safe mode of operation. DoD has determined the conditions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the conditions that, when detected, cause the information system to enter a safe mode of operation with organization-defined restrictions of safe mode of operation. DoD has determined the conditions are not appropriate to define at the Enterprise level. Safe Mode CP-12 CP-12.2 For information systems supporting critical missions/business functions including, for example, military operations and weapons systems, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments), organizations may choose to identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated automatically or manually, restricts the types of activities or operations information systems could execute when those conditions are encountered. Restriction includes, for example, allowing only certain functions that could be carried out under limited power or with reduced communications bandwidth. The information system, when [Assignment: organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
CCI-002857 The organization defines the restrictions of the safe mode of operation that the information system will enter when organization-defined conditions are detected. The organization conducting the inspection/assessment obtains and examines the documented restrictions to ensure the organization being inspected/assessed defines the restrictions of safe mode of operation that the information system will enter when organization-defined conditions are detected. DoD has determined the restrictions on safe mode of operation are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the restrictions of safe mode of operation that the information system will enter when organization-defined conditions are detected. DoD has determined the restrictions on safe mode of operation are not appropriate to define at the Enterprise level. Safe Mode CP-12 CP-12.3 For information systems supporting critical missions/business functions including, for example, military operations and weapons systems, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments), organizations may choose to identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated automatically or manually, restricts the types of activities or operations information systems could execute when those conditions are encountered. Restriction includes, for example, allowing only certain functions that could be carried out under limited power or with reduced communications bandwidth. The information system, when [Assignment: organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
CCI-002858 The organization employs organization-defined alternative or supplemental security mechanisms for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs alternative or supplemental security mechanisms defined in CP-13, CCI 2859 for satisfying security functions defined in CP-13, CCI 2860 when the primary means of implementing the security function is unavailable or compromised. The organization being inspected/assessed documents and implements a process to employ alternative or supplemental security mechanisms defined in CP-13, CCI 2859 for satisfying security functions defined in CP-13, CCI 2860 when the primary means of implementing the security function is unavailable or compromised. Alternative Security Mechanisms CP-13 CP-13.1 This control supports information system resiliency and contingency planning/continuity of operations. To ensure mission/business continuity, organizations can implement alternative or supplemental security mechanisms. These mechanisms may be less effective than the primary mechanisms (e.g., not as easy to use, not as scalable, or not as secure). However, having the capability to readily employ these alternative/supplemental mechanisms enhances overall mission/business continuity that might otherwise be adversely impacted if organizational operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, this control would typically be applied only to critical security capabilities provided by information systems, system components, or information system services. For example, an organization may issue to senior executives and system administrators one-time pads in case multifactor tokens, the organization's standard means for secure remote authentication, are compromised. Related control: CP-2. The organization employs [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
CCI-002859 The organization defines the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised. The organization conducting the inspection/assessment obtains and examines the documented alternative or supplemental security mechanisms to ensure the organization being inspected/assessed defines the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised. DoD has determined the alternative or supplemental security mechanisms are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised. DoD has determined the alternative or supplemental security mechanisms are not appropriate to define at the Enterprise level. Alternative Security Mechanisms CP-13 CP-13.2 This control supports information system resiliency and contingency planning/continuity of operations. To ensure mission/business continuity, organizations can implement alternative or supplemental security mechanisms. These mechanisms may be less effective than the primary mechanisms (e.g., not as easy to use, not as scalable, or not as secure). However, having the capability to readily employ these alternative/supplemental mechanisms enhances overall mission/business continuity that might otherwise be adversely impacted if organizational operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, this control would typically be applied only to critical security capabilities provided by information systems, system components, or information system services. For example, an organization may issue to senior executives and system administrators one-time pads in case multifactor tokens, the organization's standard means for secure remote authentication, are compromised. Related control: CP-2. The organization employs [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
CCI-002860 The organization defines the security functions that must be satisfied when the primary means of implementing the security function is unavailable or compromised. The organization conducting the inspection/assessment obtains and examines the documented security functions to ensure the organization being inspected/assessed defines the security functions that must be satisfied when the primary means of implementing the security function is unavailable or compromised. DoD has determined the security functions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security functions that must be satisfied when the primary means of implementing the security function is unavailable or compromised. DoD has determined the security functions are not appropriate to define at the Enterprise level. Alternative Security Mechanisms CP-13 CP-13.3 This control supports information system resiliency and contingency planning/continuity of operations. To ensure mission/business continuity, organizations can implement alternative or supplemental security mechanisms. These mechanisms may be less effective than the primary mechanisms (e.g., not as easy to use, not as scalable, or not as secure). However, having the capability to readily employ these alternative/supplemental mechanisms enhances overall mission/business continuity that might otherwise be adversely impacted if organizational operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, this control would typically be applied only to critical security capabilities provided by information systems, system components, or information system services. For example, an organization may issue to senior executives and system administrators one-time pads in case multifactor tokens, the organization's standard means for secure remote authentication, are compromised. Related control: CP-2. The organization employs [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
CCI-001932 The organization documents an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-001933 The organization defines the personnel or roles to be recipients of the identification and authentication policy and the procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDI 8520.02 and DoDI 8520.03. DoD has defined the roles to be recipients of the identification and authentication policy and the procedures as the ISSO and ISSM and others as the local organization deems appropriate. DoD has defined the roles to be recipients of the identification and authentication policy and the procedures as the ISSO and ISSM and others as the local organization deems appropriate. DoDI 8520.02 and DoDI 8520.03 meet the DoD requirement for Identification and Authentication policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 8520.02 and DoDI 8520.03. Identification And Authentication Policy And Procedures IA-1 IA-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
CCI-001934 The organization documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
CCI-001935 The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access to privileged accounts. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. Identification And Authentication | Network Access To Privileged Accounts - Separate Device IA-2 (6) IA-2(6).1 Related control: AC-6. The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001936 The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1936. The organization being inspected/assessed configures the information system to implement multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1936. Identification And Authentication | Network Access To Privileged Accounts - Separate Device IA-2 (6) IA-2(6).2 Related control: AC-6. The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001937 The device used in the information system implementation of multifactor authentication for network access to privileged accounts meets organization-defined strength of mechanism requirements. The organization conducting the inspection/assessment obtains and examines the device used to ensure that the device implemented for multifactor authentication for network access to privileged accounts meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1937. The organization being inspected/assessed will use DoD PKI or a technology approved by their Authorizing Official that meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1937. Identification And Authentication | Network Access To Privileged Accounts - Separate Device IA-2 (6) IA-2(6).3 Related control: AC-6. The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001938 The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access to non-privileged accounts. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. Identification And Authentication | Network Access To Non-Privileged Accounts - Separate Device IA-2 (7) IA-2(7).1 Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators. The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001939 The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1939. The organization being inspected/assessed configures the information system to implement multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1939. Identification And Authentication | Network Access To Non-Privileged Accounts - Separate Device IA-2 (7) IA-2(7).2 Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators. The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001940 The device used in the information system implementation of multifactor authentication for network access to non-privileged accounts meets organization-defined strength of mechanism requirements. The organization conducting the inspection/assessment obtains and examines the device used to ensure that the device implemented for multifactor authentication for network access to non-privileged accounts meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1940. The organization being inspected/assessed will use DoD PKI or a technology approved by their Authorizing Official that meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1940. Identification And Authentication | Network Access To Non-Privileged Accounts - Separate Device IA-2 (7) IA-2(7).3 Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators. The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001941 The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement replay-resistant authentication mechanisms for network access to privileged accounts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1941. The organization being inspected/assessed configures the information system to implement replay-resistant authentication mechanisms for network access to privileged accounts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1941. Identification And Authentication | Network Access To Privileged Accounts - Replay Resistant IA-2 (8) IA-2(8).1 The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
CCI-001942 The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement replay-resistant authentication mechanisms for network access to non-privileged accounts. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1942. The organization being inspected/assessed configures the information system to implement replay-resistant authentication mechanisms for network access to non-privileged accounts. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1942. Identification And Authentication | Network Access To Non-Privileged Accounts - Replay Resistant IA-2 (9) IA-2(9).1 Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators. The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
CCI-001943 The organization defines the information system accounts for which single sign-on capability will be provided. The organization conducting the inspection/assessment obtains and examines the documented list of system accounts to ensure the organization being inspected/assessed defines any accounts for which a single sign-on capability is provided. DoD has determined the system services are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents any accounts for which a single sign-on capability is provided. For single sign-on providers (creator/maintainer of the single sign-on user accounts) this will be a list of accounts or groups that are authorized to use single sign-on capability. For single sign-on services this will be a per provider list of accounts or groups authorized to use the service. DoD has determined the system services are not appropriate to define at the Enterprise level. Identification And Authentication | Single Sign-On IA-2 (10) IA-2(10).1 Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources. The information system provides a single sign-on capability for [Assignment: organization-defined list of information system accounts and services].
CCI-001944 The organization defines the information system services for which single sign-on capability will be provided. The organization conducting the inspection/assessment obtains and examines the documented system services to ensure the organization being inspected/assessed defines any services (e.g., websites) for which a single sign-on capability is provided. DoD has determined the system services are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents any services (e.g., websites) for which a single sign-on capability is provided. DoD has determined the system services are not appropriate to define at the Enterprise level. Identification And Authentication | Single Sign-On IA-2 (10) IA-2(10).2 Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources. The information system provides a single sign-on capability for [Assignment: organization-defined list of information system accounts and services].
CCI-001945 The information system provides a single sign-on capability for an organization-defined list of information system accounts. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide a single sign-on capability for the list of information system accounts defined in IA-2 (10), CCI 1943. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1945. The organization being inspected/assessed configures the information system to provide a single sign-on capability for the list of information system accounts defined in IA-2 (10), CCI 1943. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1945. Identification And Authentication | Single Sign-On IA-2 (10) IA-2(10).3 Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources. The information system provides a single sign-on capability for [Assignment: organization-defined list of information system accounts and services].
CCI-001946 The information system provides a single sign-on capability for an organization-defined list of information system services. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to provide a single sign-on capability for the list of information system services defined in IA-2 (10), CCI 1944. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1946. The organization being inspected/assessed configures the information system to provide a single sign-on capability for the list of information system services defined in IA-2 (10), CCI 1944. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1946. Identification And Authentication | Single Sign-On IA-2 (10) IA-2(10).4 Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources. The information system provides a single sign-on capability for [Assignment: organization-defined list of information system accounts and services].
CCI-001947 The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access and is to provide one factor of a multifactor authentication for remote access to privileged accounts. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. Identification And Authentication | Remote Access - Separate Device IA-2 (11) IA-2(11).1 For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001948 The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1948. The organization being inspected/assessed configures the information system to implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1948. Identification And Authentication | Remote Access - Separate Device IA-2 (11) IA-2(11).2 For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001949 The device used in the information system implementation of multifactor authentication for remote access to privileged accounts meets organization-defined strength of mechanism requirements. The organization conducting the inspection/assessment obtains and examines the device used to ensure that the device implemented for multifactor authentication for remote access to privileged accounts meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1949. The organization being inspected/assessed will use DoD PKI or a technology approved by their Authorizing Official that meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1949. Identification And Authentication | Remote Access - Separate Device IA-2 (11) IA-2(11).3 For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001950 The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access and is to provide one factor of a multifactor authentication for remote access to non-privileged accounts. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. For the strength of mechanism requirements DoD has defined requirements as DoD PKI or a technology approved by their Authorizing Official, FIPS 140-2, NIAP Certification, or NSA approval. Identification And Authentication | Remote Access - Separate Device IA-2 (11) IA-2(11).4 For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001951 The information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1951. The organization being inspected/assessed configures the information system to implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1951. Identification And Authentication | Remote Access - Separate Device IA-2 (11) IA-2(11).5 For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001952 The device used in the information system implementation of multifactor authentication for remote access to non-privileged accounts meets organization-defined strength of mechanism requirements. The organization conducting the inspection/assessment obtains and examines the device used to ensure that the device implemented for multifactor authentication for remote access to non-privileged accounts meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1952. The organization being inspected/assessed will use DoD PKI or a technology approved by their Authorizing Official that meets Federal standards for authentication such as FIPS 140-2, NIAP Certification, or NSA approval. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1952. Identification And Authentication | Remote Access - Separate Device IA-2 (11) IA-2(11).6 For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6. The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
CCI-001953 The information system accepts Personal Identity Verification (PIV) credentials. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to accept PIV/CAC authentication. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1953. The organization being inspected/assessed configures the information system to accept PIV/CAC authentication. This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1953. Identification And Authentication | Acceptance Of PIV Credentials IA-2 (12) IA-2(12).1 This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
CCI-001954 The information system electronically verifies Personal Identity Verification (PIV) credentials. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to verify PIV/CAC authentication. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1954. The organization being inspected/assessed configures the information system to verify PIV/CAC authentication. This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1954. Identification And Authentication | Acceptance Of PIV Credentials IA-2 (12) IA-2(12).2 This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
CCI-001955 The organization defines the out-of-band authentication to be implemented by the information system under organization-defined conditions. The organization conducting the inspection/assessment obtains and examines the documented out-of-band authentication to ensure the organization being inspected/assessed defines the out-of-band authentication to be implemented by the information system under organization-defined conditions. DoD has determined the out-of-band authentication is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the out-of-band authentication to be implemented by the information system under organization-defined conditions. DoD has determined the out-of-band authentication is not appropriate to define at the Enterprise level. Identification And Authentication | Out-Of-Band Authentication IA-2 (13) IA-2(13).1 Out-of-band authentication (OOBA) refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path) is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access, and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user's cell phone to verify that the requested action originated from the user. The user may either confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. This type of authentication can be employed by organizations to mitigate actual or suspected man-in-the-middle attacks. The conditions for activation can include, for example, suspicious activities, new threat indicators or elevated threat levels, or the impact level or classification level of information in requested transactions. Related controls: IA-10, IA-11, SC-37. The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions].
CCI-001956 The organization defines the conditions for which the information system implements organization-defined out-of-band authentication. The organization conducting the inspection/assessment obtains and examines the documented conditions to ensure the organization being inspected/assessed defines the conditions for which the information system implements organization-defined out-of-band authentication. DoD has determined the conditions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the conditions for which the information system implements organization-defined out-of-band authentication. DoD has determined the conditions are not appropriate to define at the Enterprise level. Identification And Authentication | Out-Of-Band Authentication IA-2 (13) IA-2(13).2 Out-of-band authentication (OOBA) refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path) is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access, and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user's cell phone to verify that the requested action originated from the user. The user may either confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. This type of authentication can be employed by organizations to mitigate actual or suspected man-in-the-middle attacks. The conditions for activation can include, for example, suspicious activities, new threat indicators or elevated threat levels, or the impact level or classification level of information in requested transactions. Related controls: IA-10, IA-11, SC-37. The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions].
CCI-001957 The information system implements organization-defined out-of-band authentication under organization-defined conditions. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to implement out-of-band authentication defined in IA-2 (13), CCI 1955 under conditions defined in IA-2 (13), CCI 1956. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1957. The organization being inspected/assessed configures the information system to implement out-of-band authentication defined in IA-2 (13), CCI 1955 under conditions defined in IA-2 (13), CCI 1956. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1957. Identification And Authentication | Out-Of-Band Authentication IA-2 (13) IA-2(13).3 Out-of-band authentication (OOBA) refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path) is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access, and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user's cell phone to verify that the requested action originated from the user. The user may either confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. This type of authentication can be employed by organizations to mitigate actual or suspected man-in-the-middle attacks. The conditions for activation can include, for example, suspicious activities, new threat indicators or elevated threat levels, or the impact level or classification level of information in requested transactions. Related controls: IA-10, IA-11, SC-37. The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions].
CCI-001958 The information system authenticates an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection. The organization conducting the inspection/assessment examines a sampling of the network infrastructure device configurations to ensure devices connecting to the infrastructure are uniquely authenticated. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1958. The organization being inspected/assessed configures the network infrastructure to authenticate all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs) before establishing a local, remote, or network connection. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1958. DoD has defined the value as all mobile devices and network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). Device Identification And Authentication IA-3 IA-3.3 Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on a large scale, organizations are encouraged to only apply the control to the limited number (and type) of devices that truly need to support this capability. Related controls: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5. The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
CCI-001959 The organization defines the specific devices and/or type of devices the information system is to authenticate before establishing a connection. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the value as all network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). DoD has defined the value as all network connected endpoint devices (including but not limited to: workstations, printers, servers (outside a datacenter), VoIP Phones, VTC CODECs). Device Identification And Authentication | Cryptographic Bidirectional Authentication IA-3 (1) IA-3(1).1 A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections). Related controls: SC-8, SC-12, SC-13. The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.
CCI-001960 The organization defines the lease information to be assigned to devices. The organization conducting the inspection/assessment obtains and examines the documented lease information to ensure the organization being inspected/assessed defines the lease information to be assigned to devices. DoD has determined the lease information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the lease information to be assigned to devices. DoD has determined the lease information is not appropriate to define at the Enterprise level. Device Identification And Authentication | Dynamic Address Allocation IA-3 (3) IA-3(3).1 DHCP-enabled clients obtaining leases for IP addresses from DHCP servers is a typical example of dynamic address allocation for devices. Related controls: AU-2, AU-3, AU-6, AU-12. The organization: (a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audits lease information when assigned to a device.
CCI-001961 The organization defines the lease duration to be assigned to devices. The organization conducting the inspection/assessment obtains and examines the documented lease duration to ensure the organization being inspected/assessed defines the lease duration to be assigned to devices. DoD has determined the lease duration is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the lease duration to be assigned to devices. DoD has determined the lease duration is not appropriate to define at the Enterprise level. Device Identification And Authentication | Dynamic Address Allocation IA-3 (3) IA-3(3).2 DHCP-enabled clients obtaining leases for IP addresses from DHCP servers is a typical example of dynamic address allocation for devices. Related controls: AU-2, AU-3, AU-6, AU-12. The organization: (a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audits lease information when assigned to a device.
CCI-001962 The organization standardizes dynamic address allocation lease information assigned to devices in accordance with organization-defined lease information. The organization conducting the inspection/assessment examines the information system granting the lease to ensure the organization configures the information system to implement dynamic address allocation in accordance with CCI 1961. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1962. The organization being inspected/assessed configures the information system to grant leases containing organization defined lease information. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1962. Device Identification And Authentication | Dynamic Address Allocation IA-3 (3) IA-3(3).3 DHCP-enabled clients obtaining leases for IP addresses from DHCP servers, is a typical example of dynamic address allocation for devices. Related controls: AU-2, AU-3, AU-6, AU-12. The organization: (a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audits lease information when assigned to a device.
CCI-001963 The organization standardizes dynamic address allocation lease duration assigned to devices in accordance with organization-defined lease duration. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to grant the leases assigned to devices in accordance with organization-defined lease duration. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1963. The organization being inspected/assessed configures the information system to grant the leases assigned to devices in accordance with organization-defined lease duration. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1963. Device Identification And Authentication | Dynamic Address Allocation IA-3 (3) IA-3(3).4 DHCP-enabled clients obtaining leases for IP addresses from DHCP servers, is a typical example of dynamic address allocation for devices. Related controls: AU-2, AU-3, AU-6, AU-12. The organization: (a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audits lease information when assigned to a device.
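The lease audit that IA-3(3)(b) calls for, as an added example that is not part of the CCI list or of any DoD tooling: it parses records written in ISC dhcpd.leases syntax and emits one audit record per lease, flagging any lease whose duration or lease information deviates from the organization-defined standard of IA-3(3)(a). The sample leases, the 8-hour standard duration and the required-field list are constructed for the example, not DoD-defined values.

```python
"""Audit ISC dhcpd-style lease records against an organization-defined lease
policy (IA-3(3)). Added example; policy values and sample leases are constructed."""
import re
from datetime import datetime, timedelta

# Organization-defined lease policy (hypothetical values chosen for the example).
POLICY = {
    "lease_duration": timedelta(hours=8),
    "required_fields": ("hardware ethernet", "client-hostname"),
}

# Constructed sample in dhcpd.leases syntax: one compliant lease, one with a
# non-standard 24-hour duration, one missing the client hostname.
SAMPLE_LEASES = """
lease 10.20.30.41 {
  starts 2 2024/01/09 08:00:00;
  ends 2 2024/01/09 16:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "ws-0041";
}
lease 10.20.30.42 {
  starts 2 2024/01/09 08:05:00;
  ends 3 2024/01/10 08:05:00;
  hardware ethernet 00:11:22:33:44:56;
  client-hostname "ws-0042";
}
lease 10.20.30.43 {
  starts 2 2024/01/09 08:10:00;
  ends 2 2024/01/09 16:10:00;
  hardware ethernet 00:11:22:33:44:57;
}
"""

_LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
_TIME_FMT = "%Y/%m/%d %H:%M:%S"


def _parse_time(body, key):
    # dhcpd writes "starts <weekday> YYYY/MM/DD HH:MM:SS;"; the weekday digit is ignored.
    m = re.search(rf"{key}\s+\d\s+(\S+\s+\S+);", body)
    return datetime.strptime(m.group(1), _TIME_FMT) if m else None


def parse_leases(text):
    """Return one dict per lease block: ip, starts, ends and the remaining fields."""
    leases = []
    for ip, body in _LEASE_RE.findall(text):
        fields = {}
        for line in body.strip().splitlines():
            line = line.strip().rstrip(";")
            if not line or line.startswith(("starts", "ends")):
                continue
            key, _, value = line.partition(" ")
            if key == "hardware":  # "hardware ethernet <mac>": keep the two-word key
                key, _, value = line.rpartition(" ")
            fields[key] = value.strip('"')
        leases.append({"ip": ip, "starts": _parse_time(body, "starts"),
                       "ends": _parse_time(body, "ends"), "fields": fields})
    return leases


def audit_leases(leases, policy=POLICY):
    """One audit record per assigned lease (IA-3(3)(b)), with findings for any
    deviation from the standardized duration or lease information (IA-3(3)(a))."""
    records = []
    for lease in leases:
        findings = []
        duration = lease["ends"] - lease["starts"]
        if duration != policy["lease_duration"]:
            findings.append(f"duration {duration} != {policy['lease_duration']}")
        for field in policy["required_fields"]:
            if field not in lease["fields"]:
                findings.append(f"missing {field}")
        records.append({
            "ip": lease["ip"],
            "mac": lease["fields"].get("hardware ethernet"),
            "host": lease["fields"].get("client-hostname"),
            "duration_s": int(duration.total_seconds()),
            "compliant": not findings,
            "findings": findings,
        })
    return records


def noncompliant(records):
    """IPs whose lease deviates from policy; what an assessor would ask to see."""
    return [r["ip"] for r in records if not r["compliant"]]


if __name__ == "__main__":
    for rec in audit_leases(parse_leases(SAMPLE_LEASES)):
        print(rec)
```

In production the same check would read the live lease file (or the server's lease database) on a schedule and forward the records to the audit pipeline referenced by AU-2/AU-12, so that every assignment leaves a reviewable record rather than only the exceptions.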
CCI-001964 The organization defines the configuration management process that is to handle the device identification procedures.
CCI-001965 The organization defines the configuration management process that is to handle the device authentication procedures. The organization conducting the inspection/assessment obtains and examines the documented configuration management process to ensure the organization being inspected/assessed defines the configuration management process that is to handle the device authentication procedures. DoD has determined the configuration management process is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the configuration management process that is to handle the device authentication procedures. DoD has determined the configuration management process is not appropriate to define at the Enterprise level. Device Identification And Authentication | Device Attestation IA-3 (4) IA-3(4).1 Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that those patches/updates are done securely and at the same time do not disrupt the identification and authentication to other devices. The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process].
CCI-001966 The organization ensures that device identification based on attestation is handled by the organization-defined configuration management process. The organization conducting the inspection/assessment obtains and examines the documented configuration management process to ensure the organization being inspected/assessed has device identification based on attestation handled via the configuration management process. The organization being inspected/assessed ensures that device identification based on attestation is handled by the configuration management process defined in IA-3 (4), CCI 1968. Device Identification And Authentication | Device Attestation IA-3 (4) IA-3(4).2 Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that those patches/updates are done securely and at the same time do not disrupt the identification and authentication to other devices. The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process].
CCI-001967 The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. The organization conducting the inspection/assessment examines a sampling of the network infrastructure device configurations to ensure devices connecting to the infrastructure use cryptographically based bidirectional authentication. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1967. The organization being inspected/assessed configures the information system to use cryptographically based bidirectional authentication. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1967. Device Identification And Authentication | Cryptographic Bidirectional Authentication IA-3 (1) IA-3(1).2 A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections). Related controls: SC-8, SC-12, SC-13. The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.
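A minimal cryptographically based bidirectional authentication exchange in the sense of IA-3(1), as an added illustration rather than anything the CCI list or DoD prescribes: two devices sharing a per-device pre-shared key (constructed here) each challenge the other with a fresh nonce and prove key possession with an HMAC-SHA256 tag bound to their own name and both nonces, so a peer without the key is rejected in whichever direction it tries. Deployed systems usually obtain the same property with certificate-based mutual TLS or EAP-TLS; the PSK form is used only so the four messages fit in a few lines. Device names and the key are constructed for the example.

```python
"""Four-message mutual challenge-response authentication (IA-3(1)) using
HMAC-SHA256 over a shared per-device key. Added example; keys and names are
constructed, and a PKI-based scheme is the usual deployment."""
import hashlib
import hmac
import os


class Device:
    """A device holding a 256-bit pre-shared key (constructed for the example)."""

    def __init__(self, name, key):
        self.name = name
        self.key = key

    def _tag(self, label, name, c1, c2):
        # Tag binds the message type, the prover's claimed name and both nonces,
        # so a tag cannot be replayed or reflected back to its own sender.
        msg = label.encode() + name.encode() + c1 + c2
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def start(self):
        # Step 1: initiator sends its name and a fresh 128-bit nonce.
        return self.name, os.urandom(16)

    def respond(self, init_name, n_init):
        # Step 2: responder proves key possession over the initiator's nonce and
        # issues its own nonce so the initiator must prove itself as well.
        n_resp = os.urandom(16)
        return self.name, n_resp, self._tag("resp", self.name, n_init, n_resp)

    def confirm(self, n_init, resp_name, n_resp, tag_resp):
        # Step 3: initiator verifies the responder; only then answers its challenge.
        expected = self._tag("resp", resp_name, n_init, n_resp)
        if not hmac.compare_digest(expected, tag_resp):
            return None  # responder failed: abort and send nothing
        return self._tag("conf", self.name, n_resp, n_init)

    def finish(self, init_name, n_init, n_resp, tag_conf):
        # Step 4: responder verifies the initiator's confirmation.
        expected = self._tag("conf", init_name, n_resp, n_init)
        return hmac.compare_digest(expected, tag_conf)


def mutual_authenticate(initiator, responder):
    """Run the exchange honestly on both sides and report who accepted whom."""
    init_name, n_init = initiator.start()
    resp_name, n_resp, tag_resp = responder.respond(init_name, n_init)
    tag_conf = initiator.confirm(n_init, resp_name, n_resp, tag_resp)
    if tag_conf is None:
        return {"initiator_accepts_responder": False, "responder_accepts_initiator": None}
    ok = responder.finish(init_name, n_init, n_resp, tag_conf)
    return {"initiator_accepts_responder": True, "responder_accepts_initiator": ok}


def rogue_initiator_attempt(rogue, responder):
    """An initiator without the key skips its own check and forges step 3."""
    init_name, n_init = rogue.start()
    _, n_resp, _ = responder.respond(init_name, n_init)
    forged = rogue._tag("conf", rogue.name, n_resp, n_init)
    return responder.finish(init_name, n_init, n_resp, forged)


KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed 256-bit PSK
switch = Device("switch-01", KEY)
sensor = Device("sensor-17", KEY)
rogue = Device("sensor-17", os.urandom(32))  # claims the same name, lacks the key

if __name__ == "__main__":
    print(mutual_authenticate(switch, sensor))
    print(mutual_authenticate(switch, rogue))
    print(rogue_initiator_attempt(rogue, switch))
```

The contrast with one-directional authentication is the abort in step 3: a client that only ever proves itself to the network cannot tell a rogue switch from the real one, which is the "greater risk" case the supplemental guidance has in mind for remote connections.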
CCI-001968 The organization defines the configuration management process that is to handle the device identification procedures. The organization conducting the inspection/assessment obtains and examines the documented configuration management process to ensure the organization being inspected/assessed defines the configuration management process that is to handle the device identification procedures. DoD has determined the configuration management process is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the configuration management process that is to handle the device identification procedures. DoD has determined the configuration management process is not appropriate to define at the Enterprise level. Device Identification And Authentication | Device Attestation IA-3 (4) IA-3(4).3 Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that those patches/updates are done securely and at the same time do not disrupt the identification and authentication to other devices. The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process].
CCI-001969 The organization ensures that device authentication based on attestation is handled by the organization-defined configuration management process. The organization conducting the inspection/assessment obtains and examines the documented configuration management process to ensure the organization being inspected/assessed has device authentication based on attestation handled via the configuration management process. The organization being inspected/assessed ensures that device authentication based on attestation is handled by the configuration management process defined in IA-3 (4), CCI 1965. Device Identification And Authentication | Device Attestation IA-3 (4) IA-3(4).4 Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that those patches/updates are done securely and at the same time do not disrupt the identification and authentication to other devices. The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process].
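Why the IA-3(4) guidance ties attestation to configuration management, as an added example that is not the CCI list's or DoD's code: a device is identified by a SHA-256 measurement over its firmware and configuration inventory, a verifier accepts only measurements approved under a change record, and the same firmware patch is applied once outside that process and once through it. Device IDs, change-ticket numbers and inventory fields are constructed for the example; measure() stands in for a TPM quote or similar attestation evidence.

```python
"""Attestation-based device identification tied to configuration management
(IA-3(4)). Added example: measure() stands in for TPM-style evidence; device
IDs, change tickets and inventory fields are constructed for the example."""
import hashlib
import json

# Constructed baseline inventory for one device (what would be measured at boot).
BASELINE = {"firmware": "2.4.1", "secure_boot": True,
            "config_digest": "constructed-placeholder"}


def measure(state):
    """Composite measurement: SHA-256 over canonical JSON of the inventory, so the
    same state always yields the same identity and any change alters it."""
    canon = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class AttestationVerifier:
    """Holds the approved ('golden') measurements per device; every change to
    that set is recorded against a CM change ticket."""

    def __init__(self):
        self.golden = {}
        self.log = []

    def approve(self, device_id, measurement, ticket):
        self.golden.setdefault(device_id, set()).add(measurement)
        self.log.append(("approve", device_id, measurement[:12], ticket))

    def retire(self, device_id, measurement, ticket):
        self.golden.get(device_id, set()).discard(measurement)
        self.log.append(("retire", device_id, measurement[:12], ticket))

    def attest(self, device_id, measurement):
        ok = measurement in self.golden.get(device_id, set())
        self.log.append(("attest", device_id, measurement[:12], ok))
        return ok


def apply_update(state, **changes):
    new = dict(state)
    new.update(changes)
    return new


def update_without_cm(verifier, device_id, state, **changes):
    """Patch pushed outside the CM process: the golden set is never updated, so
    the patched device no longer authenticates to its peers."""
    new = apply_update(state, **changes)
    return new, verifier.attest(device_id, measure(new))


def update_through_cm(verifier, device_id, state, ticket, **changes):
    """CM-controlled patch: stage the new image, approve its measurement under a
    change ticket, apply, re-attest, then retire the superseded measurement."""
    new = apply_update(state, **changes)
    verifier.approve(device_id, measure(new), ticket)
    ok = verifier.attest(device_id, measure(new))
    if ok:
        verifier.retire(device_id, measure(state), ticket)
    return new, ok


if __name__ == "__main__":
    v = AttestationVerifier()
    v.approve("plc-07", measure(BASELINE), "CR-0001")
    print(update_without_cm(v, "plc-07", BASELINE, firmware="2.4.2")[1])
    print(update_through_cm(v, "plc-07", BASELINE, "CR-0002", firmware="2.4.2")[1])
```

The overlap window in update_through_cm (new measurement approved before the old one is retired) is what keeps a fleet from losing connectivity mid-rollout; the verifier's log is the evidence an assessor would examine for CCI 1966 and CCI 1969.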
CCI-001970 The organization defines the personnel or roles that authorize the assignment of individual, group, role, and device identifiers. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as the ISSM or ISSO. DoD has defined the personnel or roles as the ISSM or ISSO. Identifier Management IA-4 IA-4.1 Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. The organization manages information system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifies an individual, group, role, or device; c. Assigning the identifier to the intended individual, group, role, or device; d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
CCI-001971 The organization manages information system identifiers by receiving authorization from organization-defined personnel or roles to assign an individual, group, role, or device identifier. The organization conducting the inspection/assessment obtains and examines documentation and system configuration information to ensure the organization being inspected/assessed manages information system identifiers by receiving authorization from the ISSM or ISSO to assign an individual, group, role or device identifier. DoD has defined the personnel or roles as the ISSM or ISSO. The organization being inspected/assessed implements a process to manage information system identifiers by receiving authorization from the ISSM or ISSO to assign an individual, group, role or device identifier. DoD has defined the personnel or roles as the ISSM or ISSO. Identifier Management IA-4 IA-4.2 Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. The organization manages information system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifies an individual, group, role, or device; c. Assigning the identifier to the intended individual, group, role, or device; d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
CCI-001972 The organization manages information system identifiers by selecting an identifier that identifies an individual, group, role, or device. The organization conducting the inspection/assessment obtains and examines documentation or system configuration information to ensure the organization being inspected/assessed manages information system identifiers by selecting an identifier that identifies an individual, group, role, or device. The organization being inspected/assessed implements a process to manage information system identifiers by selecting an identifier that identifies an individual, group, role, or device. Identifier Management IA-4 IA-4.3 Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. The organization manages information system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifies an individual, group, role, or device; c. Assigning the identifier to the intended individual, group, role, or device; d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
CCI-001973 The organization manages information system identifiers by assigning the identifier to the intended individual, group, role, or device. The organization conducting the inspection/assessment obtains and examines documentation or system configuration information to ensure the organization being inspected/assessed manages information system identifiers by assigning the identifier to the intended individual, group, role, or device. The organization being inspected/assessed implements a process to manage information system identifiers by assigning the identifier to the intended individual, group, role, or device. Identifier Management IA-4 IA-4.4 Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. The organization manages information system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifies an individual, group, role, or device; c. Assigning the identifier to the intended individual, group, role, or device; d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
CCI-001974 The organization defines the time period for which the reuse of identifiers is prohibited. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 1 year for user identifiers (DoD is not going to specify value for device identifier). DoD has defined the time period as 1 year for user identifiers (DoD is not going to specify value for device identifier). Identifier Management IA-4 IA-4.5 Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. The organization manages information system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifies an individual, group, role, or device; c. Assigning the identifier to the intended individual, group, role, or device; d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
CCI-001975 The organization manages information system identifiers by preventing reuse of identifiers for an organization-defined time period. The organization conducting the inspection/assessment obtains and examines documentation or system configuration information to ensure the organization being inspected/assessed prevents the reuse of identifiers for 1 year for user identifiers (DoD is not going to specify value for device identifier). DoD has defined the time period as 1 year for user identifiers (DoD is not going to specify value for device identifier). The organization being inspected/assessed implements a process for information system identifiers to prevent reuse of identifiers for 1 year for user identifiers (DoD is not going to specify value for device identifier). DoD has defined the time period as 1 year for user identifiers (DoD is not going to specify value for device identifier). Identifier Management IA-4 IA-4.6 Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. The organization manages information system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifies an individual, group, role, or device; c. Assigning the identifier to the intended individual, group, role, or device; d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
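The IA-4 identifier lifecycle (parts a through e) as an added example in code, not a DoD tool or anything the CCI list supplies: assignment requires an ISSM or ISSO approver and enforces the one-year user-identifier reuse ban that the page records as the DoD value. The 35-day inactivity limit and the decision to leave device-identifier reuse unrestricted are hypothetical choices an organization would make itself, since the page says DoD does not set a device value. Identifiers and subjects are constructed.

```python
"""Identifier lifecycle registry covering IA-4 (a)-(e). Added example; values
marked hypothetical are organization choices, not DoD-defined."""
from datetime import date, timedelta

AUTHORIZERS = {"ISSM", "ISSO"}                            # DoD-defined approver roles
REUSE_BAN = {"user": timedelta(days=365), "device": None}  # DoD: 1 year for users;
                                                          # device value left to the org
INACTIVITY_LIMIT = timedelta(days=35)                     # hypothetical org-defined value


class IdentifierRegistry:
    def __init__(self):
        self.active = {}    # identifier -> record
        self.released = {}  # identifier -> (kind, date released)
        self.audit = []     # (date, action, identifier, subject, approver)

    def assign(self, identifier, subject, kind, approver_role, today):
        """(a)-(c): authorize, select a unique identifier, bind it to the subject."""
        if approver_role not in AUTHORIZERS:
            raise PermissionError(f"{approver_role} may not authorize identifier assignment")
        if identifier in self.active:
            raise ValueError(f"{identifier} is already assigned")
        prior = self.released.get(identifier)
        ban = REUSE_BAN.get(kind)
        if prior and ban is not None and today - prior[1] < ban:
            # (d): a previously used identifier may not go to a different subject yet
            raise ValueError(f"{identifier} reusable on {prior[1] + ban}")
        self.active[identifier] = {"subject": subject, "kind": kind,
                                   "last_used": today, "disabled": False}
        self.audit.append((today, "assign", identifier, subject, approver_role))
        return True

    def record_use(self, identifier, today):
        self.active[identifier]["last_used"] = today

    def release(self, identifier, today):
        """Subject departs; start the reuse clock for this identifier."""
        rec = self.active.pop(identifier)
        self.released[identifier] = (rec["kind"], today)
        self.audit.append((today, "release", identifier, rec["subject"], None))

    def disable_inactive(self, today):
        """(e): disable identifiers idle longer than the inactivity limit."""
        newly = []
        for ident, rec in self.active.items():
            if not rec["disabled"] and today - rec["last_used"] > INACTIVITY_LIMIT:
                rec["disabled"] = True
                newly.append(ident)
                self.audit.append((today, "disable", ident, rec["subject"], None))
        return sorted(newly)


if __name__ == "__main__":
    reg = IdentifierRegistry()
    reg.assign("jdoe", "J. Doe", "user", "ISSO", date(2024, 1, 10))
    reg.release("jdoe", date(2024, 4, 1))
    try:
        reg.assign("jdoe", "Jane Doe", "user", "ISSM", date(2024, 12, 1))
    except ValueError as err:
        print(err)
```

The audit list is the artifact an assessor would sample for CCI 1971 and CCI 1975: each assignment names its approver, and each rejected reuse is visible as a gap between a release and the next assignment of the same identifier.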
CCI-001976 The information system dynamically manages identifiers. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically manage identifiers. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1976. The organization being inspected/assessed configures the information system to dynamically manage identifiers. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1976. Identifier Management | Dynamic Management IA-4 (5) IA-4(5).1 In contrast to conventional approaches to identification which presume static accounts for preregistered users, many distributed information systems including, for example, service-oriented architectures, rely on establishing identifiers at run time for entities that were previously unknown. In these situations, organizations anticipate and provision for the dynamic establishment of identifiers. Preestablished trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential. Related control: AC-16. The information system dynamically manages identifiers.
CCI-001977 The organization defines the external organizations with which it will coordinate for cross-management of identifiers. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. Identifier Management | Cross-Organization Management IA-4 (6) IA-4(6).1 Cross-organization identifier management provides the capability for organizations to appropriately identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information. The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers.
CCI-001978 The organization coordinates with organization-defined external organizations for cross-organization management of identifiers. The organization conducting the inspection/assessment obtains and examines the documentation (e.g., Service Level Agreements (SLAs), Memorandum of Understanding (MOU), Memorandum of Agreement (MOA), contracts, etc.) to ensure the organization being inspected/assessed implements a process to coordinate with any external organization that shares cross-organizational identifiers. DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. The organization being inspected/assessed documents and implements a process to coordinate with any external organization that shares cross-organizational identifiers. DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. Identifier Management | Cross-Organization Management IA-4 (6) IA-4(6).2 Cross-organization identifier management provides the capability for organizations to appropriately identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information. The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers.
CCI-001979 The organization requires the registration process to receive an individual identifier be conducted in person before a designated registration authority. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires the registration process to receive an individual identifier be conducted in person before a designated registration authority. The organization being inspected/assessed documents and implements a process to require the registration process to receive an individual identifier be conducted in person before a designated registration authority. Identifier Management | In-Person Registration IA-4 (7) IA-4(7).1 In-person registration reduces the likelihood of fraudulent identifiers being issued because it requires the physical presence of individuals and actual face-to-face interactions with designated registration authorities. The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.
CCI-002040 The organization requires that the registration process to receive an individual identifier includes supervisor authorization. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires supervisor authorization to assign individual identifiers. The organization being inspected/assessed documents and implements a process that requires supervisor authorization to assign individual identifiers. Identifier Management | Supervisor Authorization IA-4 (2) IA-4(2).1 The organization requires that the registration process to receive an individual identifier includes supervisor authorization.
CCI-001980 The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator. The organization conducting the inspection/assessment obtains and examines the documented procedures for the secure distribution of authenticators to ensure they have been defined and that they include a method to verify the identity of the individual, group, role, or device receiving the authenticator. The organization being inspected/assessed defines and documents procedures for the secure distribution of authenticators. The process shall include verification of the identity of the individual, group, role, or device receiving the authenticator. Authenticator Management IA-5 IA-5.1 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001981 The organization manages information system authenticators by establishing administrative procedures for initial authenticator distribution. The organization conducting the inspection/assessment obtains and examines the documented procedures for the secure distribution of authenticators to ensure they have been defined. The organization being inspected/assessed defines and documents procedures for the secure distribution of authenticators. Authenticator Management IA-5 IA-5.4 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001982 The organization manages information system authenticators by establishing administrative procedures for lost/compromised authenticators. The organization conducting the inspection/assessment obtains and examines the documented procedures for lost/compromised authenticators to ensure they have been defined. The organization being inspected/assessed defines and documents procedures for lost/compromised authenticators. Authenticator Management IA-5 IA-5.5 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001983 The organization manages information system authenticators by establishing administrative procedures for damaged authenticators. The organization conducting the inspection/assessment obtains and examines the documented procedures for the secure disposal of damaged authenticators to ensure they have been defined. The organization being inspected/assessed defines and documents procedures for the secure disposal of damaged authenticators. Authenticator Management IA-5 IA-5.6 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001984 The organization manages information system authenticators by establishing administrative procedures for revoking authenticators. The organization conducting the inspection/assessment obtains and examines the documented procedures for revoking authenticators to ensure the procedures are defined. The organization being inspected/assessed defines and documents procedures for revoking authenticators. Authenticator Management IA-5 IA-5.7 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001985 The organization manages information system authenticators by implementing administrative procedures for initial authenticator distribution. The organization conducting the inspection/assessment obtains and examines records of initial authenticator distribution and interviews individuals responsible for authenticator distribution to ensure that the organization being inspected/assessed implements the process as defined in IA-5, CCIs 1980 & 1981. The organization being inspected/assessed implements administrative procedures for initial authenticator distribution as documented in IA-5, CCIs 1980 & 1981. Authenticator Management IA-5 IA-5.8 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001986 The organization manages information system authenticators by implementing administrative procedures for lost/compromised authenticators. The organization conducting the inspection/assessment obtains and examines documented procedures for the response to lost/compromised authenticators to ensure that the organization being inspected/assessed implements the process as defined in IA-5, CCI 1982. The organization being inspected/assessed implements administrative procedures for the response to lost/compromised authenticators as documented in IA-5, CCI 1982. Authenticator Management IA-5 IA-5.9 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001987 The organization manages information system authenticators by implementing administrative procedures for damaged authenticators. The organization conducting the inspection/assessment obtains and examines documented procedures for the response to damaged authenticators to ensure that the organization being inspected/assessed implements the process as defined in IA-5, CCI 1983. The organization being inspected/assessed implements administrative procedures for the response to damaged authenticators as documented in IA-5, CCI 1983. Authenticator Management IA-5 IA-5.10 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001988 The organization manages information system authenticators by implementing administrative procedures for revoking authenticators. The organization conducting the inspection/assessment obtains and examines the documented requirements placed upon developers/installers of information system components to ensure that there is a documented requirement to provide unique authenticators or change default authenticators prior to delivery/installation. The organization being inspected/assessed documents and enforces a requirement for developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. Authenticator Management | Change Authenticators Prior To Delivery IA-5 (5) IA-5.11 This control enhancement extends the requirement for organizations to change default authenticators upon information system installation, by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation. However, it typically does not apply to the developers of commercial off-the-shelf information technology products. Requirements for unique authenticators can be included in acquisition documents prepared by organizations when procuring information systems or system components. The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
CCI-001989 The organization manages information system authenticators by changing default content of authenticators prior to information system installation. The organization conducting the inspection/assessment obtains and examines the documented procedures to change default authenticators to ensure the procedures are defined. The organization conducting the inspection/assessment obtains and examines a sampling of authenticator age data for default accounts to ensure that default authenticators are changed prior to installation. The organization being inspected/assessed documents and implements procedures to change default authenticators prior to information system installation. Authenticator Management IA-5 IA-5.12 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001990 The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes. The organization conducting the inspection/assessment obtains and examines the documented procedures for group/role authenticator change to ensure the procedures are defined and applied when membership to those accounts changes. The organization conducting the inspection/assessment obtains and examines a sampling of authenticator age data and documentation of personnel role changes to ensure that group/role authenticators are changed when membership changes. The organization being inspected/assessed documents and implements procedures for changing authenticators for group/role accounts when membership to those accounts changes. Authenticator Management IA-5 IA-5.22 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-001991 The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to locally cache revocation data (CRLs and/or OCSP responses) to support path discovery and validation in case of inability to access revocation information via the network. The organization conducting the inspection/assessment examines the information system to ensure that revocation data is cached for all PKIs serving known or anticipated users of the information system. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured a process for the information system to refresh cached revocation data prior to the data's expiration. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 1991. The information system must be configured to locally cache revocation data to support path discovery and validation in case of inability to access revocation information via the network. The information system may meet this requirement by locally caching certificate revocation lists (CRLs), Online Certificate Status Protocol (OCSP) responses, or a combination thereof. Cached revocation data must include revocation information from all PKIs serving known or anticipated users of the information system. Cached data must be refreshed with a frequency shorter than the life of the data (e.g., if a CRL is valid for 7 days, a new CRL must be retrieved and cached more frequently than every 7 days) to ensure that cached data is valid and not expired. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 1991. Authenticator Management | PKI-Based Authentication IA-5 (2) IA-5(2).4 Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. The information system, for PKI-based authentication: (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; (b) Enforces authorized access to the corresponding private key; (c) Maps the authenticated identity to the account of the individual or group; and (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
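The caching behaviour CCI-001991 asks for has three parts that are easy to get wrong in an implementation: serve cached revocation data when the network is unreachable, refresh it well before its own nextUpdate so a cached copy never silently ages out, and fail closed (reject the logon, not skip the check) once the cached copy has expired. The Python below is an added example of that logic and is not code from the CCI list, from DISA, or from any DoD product. The CRL source, issuer name, serial numbers and clock are constructed for the example, the data class stands in for a parsed CRL or OCSP response rather than doing any ASN.1 work, and the "refresh at half the validity window" rule is an assumed policy choice that satisfies the CCI's "more frequently than the life of the data" wording; the CCI itself does not fix a fraction.

```python
"""Local revocation-data cache: serve CRL data from cache when the network is down,
refresh well before nextUpdate, and fail closed once cached data has expired."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Set


@dataclass
class RevocationData:
    """One cached CRL (an OCSP response would carry the same fields)."""
    issuer: str
    this_update: datetime      # CRL thisUpdate
    next_update: datetime      # CRL nextUpdate: the data is unusable after this
    revoked_serials: Set[int]


class RevocationUnavailable(Exception):
    """No valid revocation data: the caller must fail closed, not skip the check."""


@dataclass
class RevocationCache:
    # Network fetch for one issuer; raises OSError when the distribution point is unreachable.
    fetch: Callable[[str], RevocationData]
    # Assumed refresh policy (not mandated by the CCI): re-fetch once half the
    # validity window has elapsed, so a 7-day CRL is refreshed by day 3.5.
    refresh_fraction: float = 0.5
    _store: Dict[str, RevocationData] = field(default_factory=dict)

    def _needs_refresh(self, entry: RevocationData, now: datetime) -> bool:
        lifetime = entry.next_update - entry.this_update
        return now >= entry.this_update + lifetime * self.refresh_fraction

    def get(self, issuer: str, now: datetime) -> RevocationData:
        entry: Optional[RevocationData] = self._store.get(issuer)
        if entry is None or self._needs_refresh(entry, now):
            try:
                entry = self.fetch(issuer)
                self._store[issuer] = entry
            except OSError:
                # Network down: fall back to the cached copy only while it is still valid.
                if entry is None or now >= entry.next_update:
                    raise RevocationUnavailable(f"no valid revocation data for {issuer}")
        if now >= entry.next_update:
            raise RevocationUnavailable(f"revocation data for {issuer} has expired")
        return entry

    def is_revoked(self, issuer: str, serial: int, now: datetime) -> bool:
        return serial in self.get(issuer, now).revoked_serials


class FakeCrlSource:
    """Constructed stand-in for a CRL distribution point (example data, not a real PKI)."""

    def __init__(self, issued_at: datetime, validity: timedelta = timedelta(days=7)):
        self.issued_at = issued_at
        self.validity = validity
        self.online = True
        self.fetches = 0

    def __call__(self, issuer: str) -> RevocationData:
        if not self.online:
            raise OSError("CRL distribution point unreachable")
        self.fetches += 1
        return RevocationData(issuer, self.issued_at, self.issued_at + self.validity, {0x1234})


def run_scenario() -> Dict[str, bool]:
    """Walk the cache through the cases the CCI cares about; returns each outcome by name."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)          # constructed clock
    source = FakeCrlSource(issued_at=t0)
    cache = RevocationCache(fetch=source)
    issuer = "CN=Example Issuing CA"                         # constructed issuer name
    out = {}
    out["revoked_at_t0"] = cache.is_revoked(issuer, 0x1234, t0)          # first call fetches
    out["clean_at_t0"] = cache.is_revoked(issuer, 0x5678, t0)
    source.online = False
    out["served_offline_day1"] = cache.is_revoked(issuer, 0x1234, t0 + timedelta(days=1))
    out["served_offline_day4"] = cache.is_revoked(issuer, 0x1234, t0 + timedelta(days=4))  # refresh wanted, cache used
    fetches_before = source.fetches
    source.online, source.issued_at = True, t0 + timedelta(days=4)
    cache.is_revoked(issuer, 0x1234, t0 + timedelta(days=4))             # past 50%: refreshes now
    out["refreshed_at_day4"] = source.fetches == fetches_before + 1
    source.online = False                                                # day-4 CRL expires on day 11
    try:
        cache.is_revoked(issuer, 0x1234, t0 + timedelta(days=12))
        out["fails_closed_when_expired"] = False
    except RevocationUnavailable:
        out["fails_closed_when_expired"] = True
    return out


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The assessor's third check (a process that refreshes cached data before it expires) maps to `_needs_refresh`; the first check (use of the cache when the network is unavailable) maps to the `except OSError` branch, which only serves the cached copy while `now` is still before its nextUpdate. A cache that served stale data past that point would make the CCI's "valid and not expired" requirement unverifiable, so the example raises instead.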
CCI-001992 The organization defines the personnel or roles responsible for authorizing the organization's registration authority accountable for the authenticator registration process. The DoD PKI RA-LRA CPS defines the nomination process for DoD PKI RAs. The NSS PKI DoD RPS defines the nomination process for NSS PKI RAs for DoD. DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI RA-LRA CPS and NSS PKI DoD RPS. The DoD PKI Registration Authority (RA) - Local Registration Authority (LRA) Certification Practice Statement (CPS) defines the nomination process for DoD PKI RAs. The NSS PKI DoD Registration Practice Statement (RPS) defines the nomination process for NSS PKI RAs for DoD. DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI RA-LRA CPS and NSS PKI DoD RPS. Authenticator Management | In-Person Or Trusted Third-Party Registration IA-5 (3) IA-5(3).1 The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
CCI-001993 The organization defines the registration authority accountable for the authenticator registration process. The DoD PKI CP defines the role and responsibilities of a DoD PKI Registration Authority (RA). The NSS PKI CP defines the role and responsibilities of an NSS PKI RA. DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. The DoD PKI Certificate Policy (CP) defines the role and responsibilities of a DoD PKI Registration Authority (RA). The NSS PKI CP defines the role and responsibilities of an NSS PKI RA. DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. Authenticator Management | In-Person Or Trusted Third-Party Registration IA-5 (3) IA-5(3).2 The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
CCI-001994 The organization defines the types of and/or specific authenticators that are subject to the authenticator registration process. The DoD PKI CP defines DoD PKI subscribers and the authentication requirements for issuance of credentials to subscribers. The NSS PKI CP defines NSS PKI subscribers and the authentication requirements for issuance of credentials to subscribers. DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. The DoD PKI Certificate Policy (CP) defines DoD PKI subscribers (entities identified as the subject of PKI certificates) and the authentication requirements for issuance of credentials to subscribers. The NSS PKI CP defines NSS PKI subscribers and the authentication requirements for issuance of credentials to subscribers. DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. Authenticator Management | In-Person Or Trusted Third-Party Registration IA-5 (3) IA-5(3).3 The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
CCI-001995 The organization requires that the registration process, to receive organization-defined types of and/or specific authenticators, be conducted in person, or by a trusted third-party, before an organization-defined registration authority with authorization by organization-defined personnel or roles. The DoD PKI CP requires in-person authentication of DoD PKI applicants in accordance with each CMA's CPS prior to issuance of credentials. The NSS PKI CP requires in-person authentication of NSS PKI applicants by an RA or TA prior to issuance of credentials. DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. The DoD PKI Certificate Policy (CP) requires in-person authentication of DoD PKI applicants in accordance with each Certificate Management Authority's (CMA's) Certification Practice Statement (CPS) prior to issuance of credentials. The NSS PKI CP requires in-person authentication of NSS PKI applicants by a Registration Authority (RA) or Trusted Agent (TA) prior to issuance of credentials. DoD Components are automatically compliant with this CCI because they are covered by the DoD PKI CP and NSS PKI CP. Authenticator Management | In-Person Or Trusted Third-Party Registration IA-5 (3) IA-5(3).4 The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
CCI-001996 The organization defines the requirements that the automated tools use to determine if password authenticators are sufficiently strong. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the requirements as the complexity identified in IA-5 (1) Part A. DoD has defined the requirements as the complexity identified in IA-5 (1) Part A. Authenticator Management | Automated Support For Password Strength Determination IA-5 (4) IA-5(4).1 This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
CCI-001997 The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy organization-defined requirements. The organization conducting the inspection/assessment examines the automated tools and inspects the configuration of the automated tools to ensure that they are implemented to check password strength per the complexity requirements defined in IA-5 (1) Part A. The organization being inspected/assessed implements automated tools to check password strength per the complexity requirements defined in IA-5 (1) Part A. Authenticator Management | Automated Support For Password Strength Determination IA-5 (4) IA-5(4).2 This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
CCI-001998 The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. The organization conducting the inspection/assessment obtains and examines the documented requirements (e.g., acquisition documents and installation procedures) to ensure that the organization being inspected/assessed requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. The organization being inspected/assessed documents and implements requirements for developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. Authenticator Management | Change Authenticators Prior To Delivery IA-5 (5) IA-5(5).1 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
CCI-001999 The organization defines the external organizations to be coordinated with for cross-organization management of credentials. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. DoD has defined the external organizations as any external organization that shares cross-organizational identifiers. Authenticator Management | Cross-Organization Credential Management IA-5 (9) IA-5(9).2 Cross-organization management of credentials provides the capability for organizations to appropriately authenticate individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information. The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials.
CCI-002000 The organization coordinates with organization-defined external organizations for cross-organization management of credentials. The organization conducting the inspection/assessment obtains and examines the documented process and a sampling of coordination records to ensure the organization being inspected/assessed coordinates with external organizations defined in IA-5 (9), CCI 1999 for cross-organization management of credentials. The organization being inspected/assessed documents and implements a process to coordinate with external organizations defined in IA-5 (9), CCI 1999 for cross-organization management of credentials. The organization maintains records of coordination. Authenticator Management | Cross-Organization Credential Management IA-5 (9) IA-5(9).1 Cross-organization management of credentials provides the capability for organizations to appropriately authenticate individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information. The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials.
CCI-002001 The information system dynamically provisions identities. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to dynamically provision identities. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2001. The organization being inspected/assessed configures the information system to dynamically provision identities. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2001. Authenticator Management | Dynamic Credential Association IA-5 (10) IA-5(10).1 Authentication requires some form of binding between an identity and the authenticator used to confirm the identity. In conventional approaches, this binding is established by pre-provisioning both the identity and the authenticator to the information system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the information system. New authentication techniques allow the binding between the identity and the authenticator to be implemented outside an information system. For example, with smartcard credentials, the identity and the authenticator are bound together on the card. Using these credentials, information systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Preestablished trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential. The information system dynamically provisions identities.
CCI-002002 The organization defines the token quality requirements to be employed by the information system mechanisms for token-based authentication. DoDI 8520.03 defines types of authentication credentials that are acceptable for authentication to different systems based on the systems' information sensitivity levels and the users' access environments. The definitions for credential strengths D, E and H found in DoDI 8520.03 Enclosure 3, Section 3 specifically deal with acceptable types of hardware PKI credentials. DoD Components are automatically compliant with this CCI because they are covered by the DoD-level policy, DoDI 8520.03. DoDI 8520.03 defines types of authentication credentials that are acceptable for authentication to different systems based on the systems' information sensitivity levels and the users' access environments. The definitions for credential strengths D, E and H found in DoDI 8520.03 Enclosure 3, Section 3 specifically deal with acceptable types of hardware PKI credentials. DoD Components are automatically compliant with this CCI because they are covered by the DoD-level policy, DoDI 8520.03. Authenticator Management | Hardware Token-Based Authentication IA-5 (11) IA-5(11).1 Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI. The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
CCI-002003 The information system, for token-based authentication, employs mechanisms that satisfy organization-defined token quality requirements. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved PKI credentials in accordance with (IAW) DoDI 8520.02 and DoDI 8520.03. If the information system accepts DoD-approved external PKI credentials, the organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved external PKI credentials that assert an approved Certificate Policy OID and to reject credentials issued by DoD-approved external PKIs that do not assert an approved OID. The information system performing hardware token-based authentication must be configured to accept only DoD-approved PKI credentials in accordance with DoDI 8520.02 and DoDI 8520.03. For unclassified systems, DoD-approved PKI credentials include DoD PKI credentials, External Certification Authority (ECA) PKI credentials, and DoD-approved external PKI credentials. For SIPRNet, DoD-approved PKI credentials include DoD PKI credentials and NSS PKI credentials. If the information system accepts DoD-approved external PKI credentials, the information system must be configured to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate. The current list of DoD-approved external PKIs and acceptable Object Identifiers (OIDs) for each approved external PKI is available at http://iase.disa.mil/pki-pke/interoperability. Authenticator Management | Hardware Token-Based Authentication IA-5 (11) IA-5(11).2 Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI. The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
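The gate CCI-002003 describes for external PKIs is a two-part decision: the certificate must chain to a PKI on the approved list, and it must assert at least one Certificate Policy OID approved for that PKI in its certificatePolicies extension. The Python below is an added example of that decision and is not code from the CCI list, from DISA, or from any DoD product. It parses the DER-encoded certificatePolicies extension value directly (no third-party library) so the check can be run on real extension bytes, but the approved-policy table and the OIDs under the 1.3.6.1.4.1.99999 arc are placeholders; the real per-PKI OID list is the one published at the URL in the row above. Path validation to a trust anchor (IA-5 (2)(a)) is assumed to have already succeeded and to have identified the issuing PKI; this example only decides the assurance-level question.

```python
"""Accept a PKI credential only if it asserts an approved Certificate Policy OID for its PKI."""
from typing import Dict, List, Set, Tuple


def _encode_oid(dotted: str) -> bytes:
    """DER-encode an OID's content octets (used only to build the sample input below)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _tlv(tag: int, body: bytes) -> bytes:
    """Wrap content octets in a DER tag/length header (short or long form as needed)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def policy_oids(ext_value: bytes) -> List[str]:
    """Extract every policyIdentifier from a DER certificatePolicies extension value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER, policyQualifiers ... OPTIONAL }
    """
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid, _ = _read_tlv(info, 0)     # qualifiers, if present, follow and are ignored
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(oid))
    return oids


def accept_credential(issuing_pki: str, ext_value: bytes, approved: Dict[str, Set[str]]) -> bool:
    """True only if the PKI is approved and the certificate asserts one of that PKI's approved OIDs.

    anyPolicy (2.5.29.32.0) is never in an approved set, so a certificate asserting only
    anyPolicy is rejected, which is the intended fail-closed behaviour.
    """
    allowed = approved.get(issuing_pki)
    if not allowed:
        return False                        # PKI not on the approved list: reject regardless of OIDs
    return any(oid in allowed for oid in policy_oids(ext_value))


# Placeholder table (assumption): the real per-PKI list of acceptable OIDs is published by DoD.
APPROVED_POLICIES: Dict[str, Set[str]] = {
    "Example Partner PKI": {"1.3.6.1.4.1.99999.1.11", "1.3.6.1.4.1.99999.1.12"},
}


def build_policies_extension(oids: List[str]) -> bytes:
    """Construct a DER certificatePolicies value for the sample certificates below."""
    return _tlv(0x30, b"".join(_tlv(0x30, _tlv(0x06, _encode_oid(o))) for o in oids))


def demo_policy_gate() -> Dict[str, bool]:
    hardware = build_policies_extension(["1.3.6.1.4.1.99999.1.11"])   # constructed: approved level
    software = build_policies_extension(["1.3.6.1.4.1.99999.1.1"])    # constructed: level not approved
    return {
        "approved_oid_from_approved_pki": accept_credential("Example Partner PKI", hardware, APPROVED_POLICIES),
        "unapproved_oid_from_approved_pki": accept_credential("Example Partner PKI", software, APPROVED_POLICIES),
        "approved_oid_from_unknown_pki": accept_credential("Unknown PKI", hardware, APPROVED_POLICIES),
    }


if __name__ == "__main__":
    for name, ok in demo_policy_gate().items():
        print(f"{name}: {ok}")
```

The middle case is the one the assessor is told to look for: a certificate from an approved external PKI that asserts a policy OID outside the approved assurance levels must be rejected even though its chain validates. Keying the approved set by PKI also prevents an OID approved for one partner from being honoured on a certificate from a different PKI that happens to reuse the same arc.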
CCI-002004 The organization defines the biometric quality requirements to be employed by the information system mechanisms for biometric-based authentication. The organization conducting the inspection/assessment obtains and examines documented requirements to ensure they have been defined and include minimum requirements for accurate identification. DoD has determined the biometric quality requirements are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents quality requirements to be employed by the information system mechanisms. Quality requirements shall include minimum requirements for accurate identification. NIST has draft documentation for biometrics available at http://csrc.nist.gov/publications/PubsSPs.html. DoD has determined the biometric quality requirements are not appropriate to define at the Enterprise level. Authenticator Management | Biometric Authentication IA-5 (12) IA-5(12).1 Unlike password-based authentication which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide such exact matches. Depending upon the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and stored biometric which serves as the basis of comparison. There will likely be both false positives and false negatives when making such comparisons. The rate at which the false accept and false reject rates are equal is known as the crossover rate. Biometric quality requirements include, for example, acceptable crossover rates, as that essentially reflects the accuracy of the biometric. The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements].
CCI-002005 The information system, for biometric-based authentication, employs mechanisms that satisfy organization-defined biometric quality requirements. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to employ mechanisms that satisfy biometric quality requirements as defined in IA-5 (12), CCI 2004 for biometric-based authentication. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2005. The organization being inspected/assessed configures the information system to employ mechanisms that satisfy biometric quality requirements as defined in IA-5 (12), CCI 2004 for biometric-based authentication. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2005. Authenticator Management | Biometric Authentication IA-5 (12) IA-5(12).2 Unlike password-based authentication which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide such exact matches. Depending upon the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and stored biometric which serves as the basis of comparison. There will likely be both false positives and false negatives when making such comparisons. The rate at which the false accept and false reject rates are equal is known as the crossover rate. Biometric quality requirements include, for example, acceptable crossover rates, as that essentially reflects the accuracy of the biometric. The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements].
CCI-002006 The organization defines the time period after which the use of cached authenticators is prohibited. The organization conducting the inspection/assessment obtains and examines the documented time period to ensure it has been defined. DoD has determined the time period is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the time period after which the use of cached authenticators is prohibited. DoD has determined the time period is not appropriate to define at the Enterprise level. Authenticator Management | Expiration Of Cached Authenticators IA-5 (13) IA-5(13).1 The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].
CCI-002007 The information system prohibits the use of cached authenticators after an organization-defined time period. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to prohibit the use of cached authenticators after the time period defined in IA-5 (13), CCI 2006. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2007. The organization being inspected/assessed configures the information system to prohibit the use of cached authenticators after the time period defined in IA-5 (13), CCI 2006. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2007. Authenticator Management | Expiration Of Cached Authenticators IA-5 (13) IA-5(13).2 The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].
CCI-002008 The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications. DoD trust store management requirements are defined in information system components' applicable STIGs and SRGs. All information systems are required to undergo a STIG compliance review as part of their certification and accreditation process prior to being granted an authority to operate. DoD Components are automatically compliant with this CCI because they are covered by the DoD-level STIGs and SRGs. DoD trust store management requirements are defined in information system components' applicable STIGs and SRGs. All information systems are required to undergo a STIG compliance review as part of their certification and accreditation process prior to being granted an authority to operate. DoD Components are automatically compliant with this CCI because they are covered by the DoD-level STIGs and SRGs. Authenticator Management | Managing Content Of PKI Trust Stores IA-5 (14) IA-5(14).1 The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
CCI-002041 The information system allows the use of a temporary password for system logons with an immediate change to a permanent password. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to allow the use of a temporary password for system logons with an immediate change to a permanent password. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2041. The organization being inspected/assessed configures the information system to allow the use of a temporary password for system logons with an immediate change to a permanent password. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2041. Authenticator Management | Password-Based Authentication IA-5 (1) IA-5(1).20 This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. Related control: IA-6. The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
CCI-002042 The organization manages information system authenticators by protecting authenticator content from unauthorized modification. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to manage information system authenticators by protecting authenticator content from unauthorized modification. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2042. The organization being inspected/assessed configures the information system to manage information system authenticators by protecting authenticator content from unauthorized modification. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2042. Authenticator Management IA-5 IA-5.18 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-002043 The organization uses only FICAM-approved path discovery and validation products and services. The organization conducting the inspection/assessment obtains and examines the list of path discovery and validation products and services in use to ensure the organization being inspected/assessed uses only FICAM-approved path discovery and validation products and services. The organization being inspected/assessed uses only Federal Identity, Credential, and Access Management (FICAM)-approved path discovery and validation products and services. FICAM Guidance is available at http://www.idmanagement.gov. Authenticator Management | FICAM-Approved Products And Services IA-5 (15) IA-5(15).1 Federal Identity, Credential, and Access Management (FICAM)-approved path discovery and validation products and services are those products and services that have been approved through the FICAM conformance program, where applicable. The organization uses only FICAM-approved path discovery and validation products and services.
CCI-002365 The organization manages information system authenticators by requiring individuals to take specific security safeguards to protect authenticators. The organization conducting the inspection/assessment obtains and examines the user agreements of the organization being inspected/assessed to ensure that there are requirements for individuals to safeguard authenticators. The organization being inspected/assessed documents within user agreements that individuals shall safeguard authenticators. Authenticator Management IA-5 IA-5.20 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-002366 The organization manages information system authenticators by having devices implement specific security safeguards to protect authenticators. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to manage information system authenticators by having devices implement specific security safeguards to protect authenticators. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2366. The organization being inspected/assessed configures the information system to manage information system authenticators by having devices implement specific security safeguards to protect authenticators. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2366. Authenticator Management IA-5 IA-5.21 Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
CCI-002367 The organization ensures unencrypted static authenticators are not embedded in applications. The organization conducting the inspection/assessment obtains and examines the requirements that static authenticators are not embedded in applications to ensure the organization being inspected/assessed ensures unencrypted static authenticators are not embedded in applications. The organization being inspected/assessed documents and implements requirements that static authenticators are not embedded in applications. Authenticator Management | No Embedded Unencrypted Static Authenticators IA-5 (7) IA-5(7).3 Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password). The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
CCI-002009 The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept DoD-approved external PKI PIV credentials in accordance with DoDI 8520.02 and DoDI 8520.03. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved external PKI PIV credentials that assert an approved Certificate Policy OID and reject credentials issued off of DoD-approved external PKIs that do not assert an approved OID. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2009. The information system performing hardware token-based authentication must be configured to accept DoD-approved external PKI PIV credentials to authenticate federal agency users in accordance with DoDI 8520.02 and DoDI 8520.03. The information system must be configured to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate. The current list of DoD-approved external PKIs and acceptable Object Identifiers (OIDs) for each approved external PKI is available at http://iase.disa.mil/pki-pke/interoperability. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2009. Identification And Authentication | Acceptance Of PIV Credentials From Other Agencies IA-8 (1) IA-8(1).1 This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
CCI-002010 The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to validate DoD-approved external PKI PIV credentials in accordance with RFC 5280. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to perform a revocation check as part of the certificate validation process. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2010. The information system performing hardware token-based authentication must be configured to validate DoD-approved external PKI PIV credentials to authenticate federal agency users in accordance with RFC 5280. The information system must be configured to perform a revocation check as part of the certificate validation process. Revocation checking may be performed using certificate revocation lists (CRLs) published by the issuing PKI or Online Certificate Status Protocol (OCSP) services. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2010. Identification And Authentication | Acceptance Of PIV Credentials From Other Agencies IA-8 (1) IA-8(1).2 This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
CCI-002011 The information system accepts FICAM-approved third-party credentials. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to accept FICAM-approved third-party credentials. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2011. The organization being inspected/assessed configures the information system to accept Federal Identity, Credential, and Access Management (FICAM)-approved third-party credentials. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2011. FICAM Guidance is available at http://www.idmanagement.gov. Identification And Authentication | Acceptance Of Third-Party Credentials IA-8 (2) IA-8(2).1 This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels. Related control: AU-2. The information system accepts only FICAM-approved third-party credentials.
CCI-002012 The organization defines the information systems which will employ only FICAM-approved information system components. The organization conducting the inspection/assessment obtains and examines the documented information systems to ensure they have been defined. DoD has determined the information systems are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information systems which will employ only Federal Identity, Credential, and Access Management (FICAM)-approved information system components. DoD has determined the information systems are not appropriate to define at the Enterprise level. Identification And Authentication | Use Of FICAM-Approved Products IA-8 (3) IA-8(3).1 This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program. Related control: SA-4. The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.
CCI-002013 The organization employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials. The organization conducting the inspection/assessment obtains and examines the list of information system components in use to ensure the organization being inspected/assessed uses only FICAM-approved components in information systems defined in IA-8 (3), CCI 2012. The organization being inspected/assessed employs only Federal Identity, Credential, and Access Management (FICAM)-approved information system components to accept third-party credentials in information systems defined in IA-8 (3), CCI 2012. FICAM Guidance is available at http://www.idmanagement.gov. Identification And Authentication | Use Of FICAM-Approved Products IA-8 (3) IA-8(3).2 This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program. Related control: SA-4. The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.
CCI-002014 The information system conforms to FICAM-issued profiles. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to conform to FICAM-issued profiles. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2014. The organization being inspected/assessed configures the information system to conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2014. FICAM Guidance is available at http://www.idmanagement.gov. Identification And Authentication | Use Of FICAM-Issued Profiles IA-8 (4) IA-8(4).1 This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange). Related control: SA-4. The information system conforms to FICAM-issued profiles.
CCI-002015 The information system accepts Personal Identity Verification-I (PIV-I) credentials. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept DoD-approved external PKI PIV-I credentials in accordance with DoDI 8520.02, DoDI 8520.03, and DoD CIO Memorandum “Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials” dated 24 January 2013. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to accept only DoD-approved external PKI PIV-I credentials that assert an approved Certificate Policy OID and reject credentials issued off of DoD-approved external PKIs that do not assert an approved OID. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2015. The information system performing hardware token-based authentication must be configured to accept DoD-approved external PKI PIV-I credentials in accordance with DoDI 8520.02, DoDI 8520.03, and DoD CIO Memorandum “Department of Defense Requirements for Accepting Non-Federally Issued Identity Credentials” dated 24 January 2013. The information system must be configured to accept only certificates at approved assurance levels, as represented by the Certificate Policy Object Identifiers (OIDs) asserted in the certificate. The current list of DoD-approved external PKIs and acceptable Object Identifiers (OIDs) for each approved external PKI is available at http://iase.disa.mil/pki-pke/interoperability. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2015. Identification And Authentication | Acceptance Of PIV-I Credentials IA-8 (5) IA-8(5).1 This control enhancement: (i) applies to logical and physical access control systems; and (ii) addresses Non-Federal Issuers (NFIs) of identity cards that desire to interoperate with United States Government Personal Identity Verification (PIV) information systems and that can be trusted by federal government-relying parties. The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is suitable for Assurance Level 4 as defined in OMB Memorandum 04-04 and NIST Special Publication 800-63, and multifactor authentication as defined in NIST Special Publication 800-116. PIV-I credentials are those credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified (directly or through another PKI bridge) with the FBCA with policies that have been mapped and approved as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy. Related control: AU-2. The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials.
CCI-002016 The information system electronically verifies Personal Identity Verification-I (PIV-I) credentials. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to validate DoD-approved external PKI PIV-I credentials in accordance with RFC 5280. The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed has configured the information system to perform a revocation check as part of the certificate validation process. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2016. The information system performing hardware token-based authentication must be configured to validate DoD-approved external PKI PIV-I credentials in accordance with RFC 5280. The information system must be configured to perform a revocation check as part of the certificate validation process. Revocation checking may be performed using certificate revocation lists (CRLs) published by the issuing PKI or Online Certificate Status Protocol (OCSP) services. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 2016. Identification And Authentication | Acceptance Of Piv-I Credentials IA-8 (5) IA-8(5).2 This control enhancement: (i) applies to logical and physical access control systems; and (ii) addresses Non-Federal Issuers (NFIs) of identity cards that desire to interoperate with United States Government Personal Identity Verification (PIV) information systems and that can be trusted by federal government-relying parties. 
The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is suitable for Assurance Level 4 as defined in OMB Memorandum 04-04 and NIST Special Publication 800-63, and multifactor authentication as defined in NIST Special Publication 800-116. PIV-I credentials are those credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified (directly or through another PKI bridge) with the FBCA with policies that have been mapped and approved as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy. Related control: AU-2. The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials.
CCI-002017 The organization defines the information system services requiring identification. The organization conducting the inspection/assessment obtains and examines the documented information system services to ensure they have been defined. DoD has determined the information system services are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system services requiring identification. DoD has determined the information system services are not appropriate to define at the Enterprise level. Service Identification And Authentication IA-9 IA-9.1 This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
CCI-002018 The organization defines the information system services requiring authentication. The organization conducting the inspection/assessment obtains and examines the documented information system services to ensure they have been defined. DoD has determined the information system services are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the information system services requiring authentication. DoD has determined the information system services are not appropriate to define at the Enterprise level. Service Identification And Authentication IA-9 IA-9.2 This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
CCI-002019 The organization defines the security safeguards to be used when identifying information system services. The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure they have been defined and offer sufficient security. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security safeguards to be used when identifying information system services. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. Service Identification And Authentication IA-9 IA-9.3 This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
CCI-002020 The organization defines the security safeguards to be used when authenticating information system services. The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure they have been defined and offer sufficient security. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the security safeguards to be used when authenticating information system services. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. Service Identification And Authentication IA-9 IA-9.4 This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
CCI-002021 The organization identifies organization-defined information system services using organization-defined security safeguards. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed identifies information system services defined in IA-9, CCIs 2017 & 2018 using security safeguards defined in IA-9, CCIs 2019-2020. The organization being inspected/assessed documents and implements a process to identify information system services defined in IA-9, CCIs 2017 & 2018 using security safeguards defined in IA-9, CCIs 2019-2020. Service Identification And Authentication IA-9 IA-9.5 This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
CCI-002022 The organization authenticates organization-defined information system services using organization-defined security safeguards. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed authenticates information system services defined in IA-9, CCIs 2017 & 2018 using security safeguards defined in IA-9, CCIs 2019-2020. The organization being inspected/assessed documents and implements a process to authenticate information system services defined in IA-9, CCIs 2017 & 2018 using security safeguards defined in IA-9, CCIs 2019-2020. Service Identification And Authentication IA-9 IA-9.6 This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services. The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
CCI-002023 The organization ensures that service providers receive identification information. The organization conducting the inspection/assessment reviews the process for ensuring that service providers receive identification information, to verify the process is effectively implemented. The organization being inspected/assessed implements a process to ensure that service providers receive identification information. Service Identification And Authentication | Information Exchange IA-9 (1) IA-9(1).1 The organization ensures that service providers receive, validate, and transmit identification and authentication information.
CCI-002024 The organization ensures that service providers validate identification information. The organization conducting the inspection/assessment reviews the process for ensuring that service providers validate identification information, to verify the process is effectively implemented. The organization being inspected/assessed implements a process to ensure that service providers validate identification information. Service Identification And Authentication | Information Exchange IA-9 (1) IA-9(1).2 The organization ensures that service providers receive, validate, and transmit identification and authentication information.
CCI-002025 The organization ensures that service providers transmit identification information. The organization conducting the inspection/assessment reviews the process for ensuring that service providers transmit identification information, to verify the process is effectively implemented. The organization being inspected/assessed implements a process to ensure that service providers transmit identification information. Service Identification And Authentication | Information Exchange IA-9 (1) IA-9(1).3 The organization ensures that service providers receive, validate, and transmit identification and authentication information.
CCI-002026 The organization ensures that service providers receive authentication information. The organization conducting the inspection/assessment reviews the process for ensuring that service providers receive authentication information, to verify the process is effectively implemented. The organization being inspected/assessed implements a process to ensure that service providers receive authentication information. Service Identification And Authentication | Information Exchange IA-9 (1) IA-9(1).4 The organization ensures that service providers receive, validate, and transmit identification and authentication information.
CCI-002027 The organization ensures that service providers validate authentication information. The organization conducting the inspection/assessment reviews the process for ensuring that service providers validate authentication information, to verify the process is effectively implemented. The organization being inspected/assessed implements a process to ensure that service providers validate authentication information. Service Identification And Authentication | Information Exchange IA-9 (1) IA-9(1).5 The organization ensures that service providers receive, validate, and transmit identification and authentication information.
CCI-002028 The organization ensures that service providers transmit authentication information. The organization conducting the inspection/assessment reviews the process for ensuring that service providers transmit authentication information, to verify the process is effectively implemented. The organization being inspected/assessed implements a process to ensure that service providers transmit authentication information. Service Identification And Authentication | Information Exchange IA-9 (1) IA-9(1).6 The organization ensures that service providers receive, validate, and transmit identification and authentication information.
CCI-002029 The organization defines the services between which identification decisions are to be transmitted. The organization conducting the inspection/assessment obtains and examines the documented services to ensure they have been defined. DoD has determined the services are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the services between which identification decisions are to be transmitted. DoD has determined the services are not appropriate to define at the Enterprise level. Service Identification And Authentication | Transmission Of Decisions IA-9 (2) IA-9(2).1 For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions. Related control: SC-8. The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.
CCI-002030 The organization defines the services between which authentication decisions are to be transmitted. The organization conducting the inspection/assessment obtains and examines the documented services to ensure they have been defined. DoD has determined the services are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the services between which authentication decisions are to be transmitted. DoD has determined the services are not appropriate to define at the Enterprise level. Service Identification And Authentication | Transmission Of Decisions IA-9 (2) IA-9(2).2 For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions. Related control: SC-8. The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.
CCI-002031 The organization ensures that identification decisions are transmitted between organization-defined services consistent with organizational policies. The organization conducting the inspection/assessment reviews the process to ensure the organization being inspected/assessed implements policies for transmitting identification decisions between services defined in IA-9 (2), CCI 2029. The organization being inspected/assessed implements a process to ensure that identification decisions are transmitted between services defined in IA-9 (2), CCI 2029 consistent with organizational policies. Service Identification And Authentication | Transmission Of Decisions IA-9 (2) IA-9(2).3 For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions. Related control: SC-8. The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.
CCI-002032 The organization ensures that authentication decisions are transmitted between organization-defined services consistent with organizational policies. The organization conducting the inspection/assessment reviews the process to ensure the organization being inspected/assessed implements policies for transmitting authentication decisions between services defined in IA-9 (2), CCI 2030. The organization being inspected/assessed implements a process to ensure that authentication decisions are transmitted between services defined in IA-9 (2), CCI 2030 consistent with organizational policies. Service Identification And Authentication | Transmission Of Decisions IA-9 (2) IA-9(2).4 For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions. Related control: SC-8. The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.
CCI-002033 The organization defines the specific circumstances or situations when individuals accessing an information system employ organization-defined supplemental authentication techniques or mechanisms. The organization conducting the inspection/assessment obtains and examines the documented circumstances or situations to ensure they have been defined. DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the specific circumstances or situations when individuals accessing an information system employ organization-defined supplemental authentication techniques or mechanisms. DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. Adaptive Identification And Authentication IA-10 IA-10.1 Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behavior (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities, accessing greater quantities of information than the individuals would routinely access, or attempting to access information from suspicious network addresses). In these situations when certain preestablished conditions or triggers occur, organizations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of mechanism based on the number and/or types of records being accessed. Related controls: AU-6, SI-4. The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
CCI-002034 The organization defines the supplemental authentication techniques or mechanisms to be employed in specific organization-defined circumstances or situations by individuals accessing the information system. The organization conducting the inspection/assessment obtains and examines the documented supplemental authentication techniques or mechanisms to ensure they have been defined. DoD has determined the supplemental authentication techniques or mechanisms are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the supplemental authentication techniques or mechanisms to be employed in specific organization-defined circumstances or situations by individuals accessing the information system. DoD has determined the supplemental authentication techniques or mechanisms are not appropriate to define at the Enterprise level. Adaptive Identification And Authentication IA-10 IA-10.2 Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behavior (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities, accessing greater quantities of information than the individuals would routinely access, or attempting to access information from suspicious network addresses). In these situations when certain preestablished conditions or triggers occur, organizations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of mechanism based on the number and/or types of records being accessed. Related controls: AU-6, SI-4. The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
CCI-002035 The organization requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations. The organization conducting the inspection/assessment reviews the process to ensure the organization being inspected/assessed requires that individuals accessing the information system employ supplemental authentication techniques or mechanisms defined in IA-10, CCI 2034 under specific circumstances or situations defined in IA-10, CCI 2033. The organization being inspected/assessed implements a process to require that individuals accessing the information system employ supplemental authentication techniques or mechanisms defined in IA-10, CCI 2034 under specific circumstances or situations defined in IA-10, CCI 2033. Adaptive Identification And Authentication IA-10 IA-10.3 Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behavior (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities, accessing greater quantities of information than the individuals would routinely access, or attempting to access information from suspicious network addresses). In these situations when certain preestablished conditions or triggers occur, organizations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of mechanism based on the number and/or types of records being accessed. Related controls: AU-6, SI-4. The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
CCI-002036 The organization defines the circumstances or situations under which users will be required to reauthenticate. The organization conducting the inspection/assessment obtains and examines the documented circumstances or situations to ensure they have been defined. DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the circumstances or situations when users will be required to reauthenticate. DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. Re-Authentication IA-11 IA-11.1 In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii), when roles change; (iii) when security categories of information systems change; (iv), when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically. Related control: AC-11. The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
CCI-002037 The organization defines the circumstances or situations under which devices will be required to reauthenticate. The organization conducting the inspection/assessment obtains and examines the documented circumstances or situations to ensure they have been defined. DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents the circumstances or situations when devices will be required to reauthenticate. DoD has determined the circumstances or situations are not appropriate to define at the Enterprise level. Re-Authentication IA-11 IA-11.2 In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii), when roles change; (iii) when security categories of information systems change; (iv), when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically. Related control: AC-11. The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
CCI-002038 The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. The organization conducting the inspection/assessment reviews the process to ensure the organization being inspected/assessed requires users to reauthenticate when circumstances or situations requiring reauthentication as defined in IA-11, CCI 2036. The organization being inspected/assessed implements a process to require users to reauthenticate when circumstances or situations requiring reauthentication as defined in IA-11, CCI 2036. Re-Authentication IA-11 IA-11.3 In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii), when roles change; (iii) when security categories of information systems change; (iv), when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically. Related control: AC-11. The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
CCI-002039 The organization requires devices to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. The organization conducting the inspection/assessment reviews the process to ensure the organization being inspected/assessed requires devices to reauthenticate when the circumstances or situations requiring reauthentication defined in IA-11, CCI 2037 occur. The organization being inspected/assessed implements a process to require devices to reauthenticate when the circumstances or situations requiring reauthentication defined in IA-11, CCI 2037 occur. Re-Authentication IA-11 IA-11.4 In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii) when roles change; (iii) when security categories of information systems change; (iv) when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically. Related control: AC-11. The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
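The IA-11 guidance lists the kinds of events that can trigger re-authentication of a user or device: an authenticator change, a role change, execution of a privileged function, and expiry of a fixed period. The following is an added illustration of how a relying party can evaluate those triggers against a stored session before honoring a request; it is example code written for this page, not part of the CCI catalog, of NIST SP 800-53, or of any DoD system. The policy values, principal names, role names and function names are assumptions, and the directory state is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Session:
    """What the relying party remembers about an authenticated user or device."""
    principal: str               # user name or device identity (e.g. a certificate subject)
    auth_time: datetime          # last time the authenticator was actually verified
    authenticator_gen: int       # generation of the credential used; bumped on rotation
    roles: FrozenSet[str]        # roles in effect when the session was established


@dataclass(frozen=True)
class Policy:
    """Organization-defined re-authentication triggers (values used below are assumed)."""
    max_age: timedelta                    # (v) fixed period after which any session is stale
    privileged_max_age: timedelta         # (iv) fresher proof required before privileged functions
    privileged_functions: FrozenSet[str]  # which actions count as privileged (assumed names)


@dataclass(frozen=True)
class Directory:
    """Current authoritative state, e.g. from the IdM system or device-certificate inventory."""
    authenticator_gen: Dict[str, int]
    roles: Dict[str, FrozenSet[str]]


def reauth_reason(session: Session, directory: Directory, policy: Policy,
                  action: Optional[str], now: datetime) -> Optional[str]:
    """Return why the principal must re-authenticate before `action`, or None when the
    existing session still satisfies the policy. Checks are ordered so that a changed
    credential or changed role wins over the time-based triggers when several apply."""
    if directory.authenticator_gen.get(session.principal) != session.authenticator_gen:
        return "authenticator changed"                                    # (i)
    if directory.roles.get(session.principal, frozenset()) != session.roles:
        return "roles changed"                                            # (ii)
    age = now - session.auth_time
    if age > policy.max_age:
        return "session older than policy maximum"                        # (v)
    if action in policy.privileged_functions and age > policy.privileged_max_age:
        return "privileged function requires recent authentication"       # (iv)
    return None


def run_scenarios() -> Dict[str, Optional[str]]:
    """Constructed scenarios for one user session and one device session (sample data)."""
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    policy = Policy(max_age=timedelta(hours=12),
                    privileged_max_age=timedelta(minutes=15),
                    privileged_functions=frozenset({"modify_acl", "export_audit_log"}))
    directory = Directory(
        authenticator_gen={"alice": 3, "device-7f3a": 2},
        roles={"alice": frozenset({"analyst", "admin"}),
               "device-7f3a": frozenset({"sensor"})},
    )
    alice = Session("alice", now - timedelta(hours=1), 3, frozenset({"analyst", "admin"}))
    alice_old = Session("alice", now - timedelta(hours=13), 3, alice.roles)
    alice_stale_role = Session("alice", now - timedelta(minutes=5), 3, frozenset({"analyst"}))
    # The device authenticated with certificate generation 1; the inventory now says 2
    # (the device certificate was rotated), so the old session must not be honored.
    device = Session("device-7f3a", now - timedelta(minutes=5), 1, frozenset({"sensor"}))
    return {
        "routine":        reauth_reason(alice, directory, policy, "read_report", now),
        "privileged":     reauth_reason(alice, directory, policy, "modify_acl", now),
        "fixed_period":   reauth_reason(alice_old, directory, policy, "read_report", now),
        "role_change":    reauth_reason(alice_stale_role, directory, policy, None, now),
        "device_rotated": reauth_reason(device, directory, policy, "post_telemetry", now),
    }


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name:15s} -> {reason or 'no re-authentication needed'}")
```

The check consults current directory state rather than only the session itself, because the triggers for authenticator and role changes are visible only in the authoritative source, not in what the session recorded at login. For the assessor's purposes this is the kind of mechanism whose documented triggers satisfy CCI-002036/CCI-002037 and whose enforcement satisfies CCI-002038/CCI-002039.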
CCI-002776 The organization defines the personnel or roles to whom the incident response policy is disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. Incident Response Policy And Procedures IR-1 IR-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
CCI-002777 The organization defines the personnel or roles to whom the incident response procedures are disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. DoD has defined the roles as all personnel identified as stakeholders in the incident response process, as well as the ISSM and ISSO. Incident Response Policy And Procedures IR-1 IR-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
CCI-002778 The organization defines the time period in which information system users who assume an incident response role or responsibility receive incident response training. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 30 working days. DoD has defined the time period as 30 working days. Incident Response Training IR-2 IR-2.2 Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8. The organization provides incident response training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-002779 The organization provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes. The organization conducting the inspection/assessment obtains and examines the documented process as well as training records for a sampling of information system users to ensure the organization being inspected/assessed provides incident response training to information system users, other than general users, consistent with assigned roles and responsibilities when required by information system changes. For general users, DoD components are automatically compliant with the requirement based on DoDD 8570.01 requirements for IA awareness training. The organization being inspected/assessed documents and implements a process to provide incident response training to information system users, other than general users, consistent with assigned roles and responsibilities when required by information system changes. For general users, DoD components are automatically compliant with the requirement based on DoDD 8570.01 requirements for IA awareness training. The organization must maintain a record of training. Incident Response Training IR-2 IR-2.5 Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8. The organization provides incident response training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
CCI-002780 The organization coordinates incident response testing with organizational elements responsible for related plans. The organization conducting the inspection/assessment obtains and examines the incident response testing plan to ensure the organization being inspected/assessed coordinates incident response testing with organizational elements responsible for related plans. The organization being inspected/assessed documents within their incident response testing plan, the necessary support from all responsible organizational elements for incident response testing. Incident Response Testing | Coordination With Related Plans IR-3 (2) IR-3(2).1 Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans. The organization coordinates incident response testing with organizational elements responsible for related plans.
CCI-002781 The organization defines the information system components for dynamic reconfiguration as part of the incident response capability. The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components for dynamic reconfiguration as part of the incident response capability. The organization being inspected/assessed defines and documents the information system components for dynamic reconfiguration as part of the incident response capability. DoD has determined the information system components are not appropriate to define at the Enterprise level. Incident Handling | Dynamic Reconfiguration IR-4 (2) IR-4(2).2 Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats. Related controls: AC-2, AC-4, AC-16, CM-2, CM-3, CM-4. The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
CCI-002782 The organization implements an incident handling capability for insider threats. The organization conducting the inspection/assessment obtains and examines the incident response plan as well as a sampling of incident after action reports to ensure the organization being inspected/assessed implements incident handling capability for insider threats. The organization being inspected/assessed documents within their incident response plan and implements plans to respond to incidents related to insider threats. Incident Handling | Insider Threats - Specific Capabilities IR-4 (6) IR-4(6).1 While many organizations address insider threat incidents as an inherent part of their organizational incident response capability, this control enhancement provides additional emphasis on this type of threat and the need for specific incident handling capabilities (as defined within organizations) to provide appropriate and timely responses. The organization implements incident handling capability for insider threats.
CCI-002783 The organization coordinates an incident handling capability for insider threats across organization-defined components or elements of the organization. The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed coordinates incident handling capability for insider threats across components or elements of the organization defined in IR-4 (7), CCI 2784. The organization being inspected/assessed documents within their incident response plan, the responsibilities of each element of the organization defined in IR-4 (7), CCI 2784. Incident Handling | Insider Threats - Intra-Organization Coordination IR-4 (7) IR-4(7).1 Incident handling for insider threat incidents (including preparation, detection and analysis, containment, eradication, and recovery) requires close coordination among a variety of organizational components or elements to be effective. These components or elements include, for example, mission/business owners, information system owners, human resources offices, procurement offices, personnel/physical security offices, operations personnel, and risk executive (function). In addition, organizations may require external support from federal, state, and local law enforcement agencies. The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].
CCI-002784 The organization defines components or elements of the organization across which an incident handling capability for insider threats will be coordinated. The organization conducting the inspection/assessment obtains and examines the documented components or elements to ensure the organization being inspected/assessed defines components or elements of the organization across which incident handling capability for insider threats will be coordinated. DoD has determined the components or elements are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents components or elements of the organization across which incident handling capability for insider threats will be coordinated. DoD has determined the components or elements are not appropriate to define at the Enterprise level. Incident Handling | Insider Threats - Intra-Organization Coordination IR-4 (7) IR-4(7).2 Incident handling for insider threat incidents (including preparation, detection and analysis, containment, eradication, and recovery) requires close coordination among a variety of organizational components or elements to be effective. These components or elements include, for example, mission/business owners, information system owners, human resources offices, procurement offices, personnel/physical security offices, operations personnel, and risk executive (function). In addition, organizations may require external support from federal, state, and local law enforcement agencies. The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].
CCI-002785 The organization coordinates with organization-defined external organizations to correlate and share organization-defined incident information to achieve a cross-organization perspective on incident awareness and more effective incident responses. The organization conducting the inspection/assessment obtains and examines reports, meeting minutes, or other evidence that the organization being inspected/assessed is coordinating with external organizations defined in IR-4 (8), CCI 2786 to correlate and share incident information defined in IR-4 (8), CCI 2787 to achieve a cross-organization perspective on incident awareness and more effective incident responses. The organization being inspected/assessed coordinates with external organizations defined in IR-4 (8), CCI 2786 to correlate and share incident information defined in IR-4 (8), CCI 2787 to achieve a cross-organization perspective on incident awareness and more effective incident responses. Incident Handling | Correlation With External Organizations IR-4 (8) IR-4(8).1 The coordination of incident information with external organizations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organizational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization's operations, assets, and individuals. The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
CCI-002786 The organization defines external organizations with which to correlate and share organization-defined incident information. The organization conducting the inspection/assessment obtains and examines the documented external organizations to ensure the organization being inspected/assessed defines external organizations with which to correlate and share organization-defined incident information. DoD has determined the external organizations are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents external organizations with which they will correlate and share organization-defined incident information. DoD has determined the external organizations are not appropriate to define at the Enterprise level. Incident Handling | Correlation With External Organizations IR-4 (8) IR-4(8).2 The coordination of incident information with external organizations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organizational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization's operations, assets, and individuals. The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
CCI-002787 The organization defines incident information to correlate and share with organization-defined external organizations. The organization conducting the inspection/assessment obtains and examines the documented incident information to ensure the organization being inspected/assessed defines what incident information will be correlated and shared with each external organization defined in IR-4 (8), CCI 2786. DoD has determined the incident information is not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents what incident information will be correlated and shared with each external organization defined in IR-4 (8), CCI 2786. DoD has determined the incident information is not appropriate to define at the Enterprise level. Incident Handling | Correlation With External Organizations IR-4 (8) IR-4(8).3 The coordination of incident information with external organizations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organizational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization's operations, assets, and individuals. The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
CCI-002788 The organization employs organization-defined dynamic response capabilities to effectively respond to security incidents. The organization conducting the inspection/assessment obtains and examines incident response logs to ensure that they reflect the use of at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). DoD has defined the dynamic response capabilities as at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). The organization being inspected/assessed implements at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT) to effectively respond to security incidents. DoD has defined the dynamic response capabilities as at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). Incident Handling | Dynamic Response Capability IR-4 (9) IR-4(9).1 This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level. Related control: CP-10. The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
CCI-002789 The organization defines dynamic response capabilities to effectively respond to security incidents. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the dynamic response capabilities as at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). DoD has defined the dynamic response capabilities as at a minimum, the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). Incident Handling | Dynamic Response Capability IR-4 (9) IR-4(9).2 This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level. Related control: CP-10. The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
CCI-002790 The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain. The organization being inspected/assessed documents and implements a process to coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain. Incident Handling | Supply Chain Coordination IR-4 (10) IR-4(10).1 Organizations involved in supply chain activities include, for example, system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include, for example, compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities. The organization coordinates incident-handling activities involving supply chain events with other organizations involved in the supply chain.
CCI-002791 The organization defines authorities to whom security incident information is reported. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the authorities as the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). DoD has defined the authorities as the appropriate CIRT/CERT (such as US-CERT, DoD CERT, IC CERT). Incident Reporting IR-6 IR-6.4 The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8. The organization: a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and b. Reports security incident information to [Assignment: organization-defined authorities].
CCI-002792 The organization defines personnel or roles to whom information system vulnerabilities associated with reported security incident information are reported. The organization conducting the inspection/assessment obtains and examines the documented personnel to ensure the organization being inspected/assessed defines personnel or roles to whom information system vulnerabilities associated with reported security incident information are reported IAW CJCSM 6510.01B. The organization being inspected/assessed defines and documents personnel or roles to whom information system vulnerabilities associated with reported security incident information are reported. The personnel shall be identified IAW CJCSM 6510.01B. DoD has determined the personnel are not appropriate to define at the Enterprise level. Incident Reporting | Vulnerabilities Related To Incidents IR-6 (2) IR-6(2).2 The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel].
CCI-002793 The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident. The organization being inspected/assessed documents and implements a process to provide security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident. Incident Reporting | Coordination With Supply Chain IR-6 (3) IR-6(3).1 Organizations involved in supply chain activities include, for example, system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include, for example, compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share, weighing the value gained from support by external organizations against the potential for harm from sensitive information being released to outside organizations of perhaps questionable trustworthiness. The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
CCI-002794 The organization develops an incident response plan. The organization conducting the inspection/assessment obtains and examines the documented incident response plan to ensure the organization being inspected/assessed develops an incident response plan. The organization being inspected/assessed develops and documents an incident response plan. Incident Response Plan IR-8 IR-8.1 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002795 The organization's incident response plan provides the organization with a roadmap for implementing its incident response capability. The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed provides within their plan, a roadmap for implementing its incident response capability. The organization being inspected/assessed defines and documents within their incident response plan, a roadmap for implementing its incident response capability. Incident Response Plan IR-8 IR-8.2 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002796 The organization's incident response plan describes the structure and organization of the incident response capability. The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed describes within their plan, the structure and organization of the incident response capability. The organization being inspected/assessed defines and documents within their incident response plan, the structure and organization of the incident response capability. Incident Response Plan IR-8 IR-8.3 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002797 The organization's incident response plan provides a high-level approach for how the incident response capability fits into the overall organization. The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed provides within their plan, a high-level approach for how the incident response capability fits into the overall organization. The organization being inspected/assessed defines and documents within their incident response plan, a high-level approach for how the incident response capability fits into the overall organization. Incident Response Plan IR-8 IR-8.4 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002798 The organization's incident response plan meets the unique requirements of the organization, which relate to mission, size, structure, and functions. The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure it meets the unique requirements of the organization being inspected/assessed, which relate to mission, size, structure, and functions. The organization being inspected/assessed will ensure their incident response plan meets the unique requirements of the organization, which relate to mission, size, structure, and functions. Incident Response Plan IR-8 IR-8.5 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002799 The organization's incident response plan defines reportable incidents. The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed defines reportable incidents IAW CJCSM 6510.01B Table B-A-2. The organization being inspected/assessed defines and documents within their incident response plan, reportable incidents IAW CJCSM 6510.01B Table B-A-2. Incident Response Plan IR-8 IR-8.6 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002800 The organization's incident response plan provides metrics for measuring the incident response capability within the organization. The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed defines metrics for measuring the incident response capability within the organization IAW CJCSM 6510.01B, Enclosure A. The organization being inspected/assessed defines and documents within their incident response plan, metrics for measuring the incident response capability within the organization IAW CJCSM 6510.01B, Enclosure A. Incident Response Plan IR-8 IR-8.7 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002801 The organization's incident response plan defines the resources and management support needed to effectively maintain and mature an incident response capability. The organization conducting the inspection/assessment obtains and examines the incident response plan to ensure the organization being inspected/assessed defines within their plan, the resources and management support needed to effectively maintain and mature an incident response capability. The organization being inspected/assessed defines and documents within their incident response plan, the resources and management support needed to effectively maintain and mature an incident response capability. Incident Response Plan IR-8 IR-8.8 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002802 The organization defines personnel or roles to review and approve the incident response plan. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. DoD has defined the personnel or roles as at a minimum, the ISSM and ISSO. Incident Response Plan IR-8 IR-8.9 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002803 The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom incident response plan changes will be communicated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the incident response personnel as all stakeholders identified in the incident response plan, not later than 30 days after the change is made. DoD has defined the incident response personnel as all stakeholders identified in the incident response plan, not later than 30 days after the change is made. Incident Response Plan IR-8 IR-8.17 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002804 The organization protects the incident response plan from unauthorized disclosure and modification. The organization conducting the inspection/assessment obtains and examines artifacts which identify how the incident response plan is protected to ensure the organization being inspected/assessed protects the incident response plan from unauthorized disclosure and modification. The organization being inspected/assessed protects the incident response plan from unauthorized disclosure and modification. Incident Response Plan IR-8 IR-8.18 It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification.
CCI-002805 The organization responds to information spills by identifying the specific information involved in the information system contamination. The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that specific information involved in the information system contamination is identified. The organization being inspected/assessed documents within their incident response plan, a process to identify the specific information involved in the information system contamination. Information Spillage Response IR-9 IR-9.1 Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. The organization responds to information spills by: a. Identifying the specific information causing the information system contamination; b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure method of communication; c. Isolating the contaminated information system; d. Eradicating the information from the contaminated information system; e. Identifying other information systems that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions].
CCI-002806 The organization responds to information spills by alerting organization-defined personnel or roles of the information spill using a method of communication not associated with the spill. The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that at a minimum, the OCA, the information owner/originator, the ISSM, the activity security manager, and the responsible computer incident response center were alerted of the information spill using a method of communication not associated with the spill. DoD has defined the personnel or roles as at a minimum, the OCA, the information owner/originator, the ISSM, the activity security manager, and the responsible computer incident response center. The organization being inspected/assessed documents within their incident response plan, a process to alert at a minimum, the Originating Classification Authority (OCA), the information owner/originator, the ISSM, the activity security manager, and the responsible computer incident response center of the information spill using a method of communication not associated with the spill. DoD has defined the personnel or roles as at a minimum, the OCA, the information owner/originator, the ISSM, the activity security manager, and the responsible computer incident response center. Information Spillage Response IR-9 IR-9.2 Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. The organization responds to information spills by: a. Identifying the specific information causing the information system contamination; b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure method of communication; c. Isolating the contaminated information system; d. Eradicating the information from the contaminated information system; e. Identifying other information systems that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions].
CCI-002807 The organization defines personnel or roles to be alerted of information spills using a method of communication not associated with the spill. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as at a minimum, the OCA, the information owner/originator, the ISSM, the activity security manager, and the responsible computer incident response center. DoD has defined the personnel or roles as at a minimum, the OCA, the information owner/originator, the ISSM, the activity security manager, and the responsible computer incident response center. Information Spillage Response IR-9 IR-9.3 Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. The organization responds to information spills by: a. Identifying the specific information causing the information system contamination; b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure method of communication; c. Isolating the contaminated information system; d. Eradicating the information from the contaminated information system; e. Identifying other information systems that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions].
CCI-002808 The organization responds to information spills by isolating the contaminated information system or system component. The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that the organization being inspected/assessed isolates the contaminated information system or system component. The organization being inspected/assessed documents within their incident response plan, a process to isolate the contaminated information system or system component. Information Spillage Response IR-9 IR-9.4 Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. The organization responds to information spills by: a. Identifying the specific information causing the information system contamination; b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure method of communication; c. Isolating the contaminated information system; d. Eradicating the information from the contaminated information system; e. Identifying other information systems that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions].
CCI-002809 The organization responds to information spills by eradicating the information from the contaminated information system or component. The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that the organization being inspected/assessed eradicates the information from the contaminated information system or component. The organization being inspected/assessed documents within their incident response plan, a process to eradicate the information from the contaminated information system or component. Information Spillage Response IR-9 IR-9.5 Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. The organization responds to information spills by: a. Identifying the specific information causing the information system contamination; b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure method of communication; c. Isolating the contaminated information system; d. Eradicating the information from the contaminated information system; e. Identifying other information systems that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions].
CCI-002810 The organization responds to information spills by identifying other information systems or system components that may have been subsequently contaminated. The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that the organization being inspected/assessed identifies other information systems or system components that may have been subsequently contaminated. The organization being inspected/assessed documents within their incident response plan, a process to identify other information systems or system components that may have been subsequently contaminated. Information Spillage Response IR-9 IR-9.6 Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. The organization responds to information spills by: a. Identifying the specific information causing the information system contamination; b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure method of communication; c. Isolating the contaminated information system; d. Eradicating the information from the contaminated information system; e. Identifying other information systems that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions].
CCI-002811 The organization responds to information spills by performing other organization-defined actions. The organization conducting the inspection/assessment obtains and examines the incident response plan as well as after action reports of incidents to ensure that the organization being inspected/assessed performs actions defined in IR-9, CCI 2812. The organization being inspected/assessed documents within their incident response plan, processes to perform actions defined in IR-9, CCI 2812. Information Spillage Response IR-9 IR-9.7 Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. The organization responds to information spills by: a. Identifying the specific information causing the information system contamination; b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure method of communication; c. Isolating the contaminated information system; d. Eradicating the information from the contaminated information system; e. Identifying other information systems that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions].
CCI-002812 The organization defines other actions required to respond to information spills. The organization conducting the inspection/assessment obtains and examines the documented additional actions to ensure the organization being inspected/assessed defines other actions required to respond to information spills. DoD has determined the actions are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents additional actions to be taken in response to spillage incidents. The actions must include the following: 1) Consider the information system as classified at the same level as the spilled information until the appropriate remediation processes have been executed and verified; 2) Include the investigative team members and questions identified in CNSS Instruction 1001 in investigation of the incident; 3) Protect information regarding the incident from disclosure. DoD has determined the actions are not appropriate to define at the Enterprise level. Information Spillage Response IR-9 IR-9.8 Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. The organization responds to information spills by: a. Identifying the specific information causing the information system contamination; b. Alerting [Assignment: organization-defined personnel] of the information spill using a secure method of communication; c. Isolating the contaminated information system; d. Eradicating the information from the contaminated information system; e. Identifying other information systems that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions].
CCI-002813 The organization assigns organization-defined personnel or roles with responsibility for responding to information spills. The organization conducting the inspection/assessment obtains and examines appointment letters to ensure the organization being inspected/assessed appoints personnel or roles defined in IR-9 (1), CCI 2815 as having the responsibility for responding to information spills. The organization being inspected/assessed appoints personnel or roles defined in IR-9 (1), CCI 2815 as having the responsibility for responding to information spills. Information Spillage Response | Responsible Personnel IR-9 (1) IR-9(1).1 The organization identifies [Assignment: organization-defined personnel] with responsibility for responding to information spills.
CCI-002814 The organization assigns organization-defined personnel or roles with responsibility for responding to information spills.
CCI-002815 The organization defines personnel or roles to whom responsibility for responding to information spills will be assigned. The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines personnel or roles to whom responsibility for responding to information spills will be assigned, which must include the ISSO and ISSM. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents personnel or roles to whom responsibility for responding to information spills will be assigned. The personnel must include the ISSO and ISSM. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. Information Spillage Response | Responsible Personnel IR-9 (1) IR-9(1).2 The organization identifies [Assignment: organization-defined personnel] with responsibility for responding to information spills.
CCI-002816 The organization provides information spillage response training according to an organization-defined frequency. The organization conducting the inspection/assessment obtains and examines the documented process as well as the training records for a sampling of incident response personnel to ensure the organization being inspected/assessed provides information spillage response training annually. DoD has defined the frequency as annually. The organization being inspected/assessed documents and implements a process to provide information spillage response training annually. The organization must maintain a record of training. DoD has defined the frequency as annually. Information Spillage Response | Training IR-9 (2) IR-9(2).1 The organization provides information spillage response training [Assignment: organization-defined frequency].
CCI-002817 The organization defines the frequency with which to provide information spillage response training. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. DoD has defined the frequency as annually. Information Spillage Response | Training IR-9 (2) IR-9(2).2 The organization provides information spillage response training [Assignment: organization-defined frequency].
CCI-002818 The organization implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. The organization conducting the inspection/assessment obtains and examines the documented procedures defined in IR-9 (3), CCI 2819 as well as after action reports of incidents to ensure the organization being inspected/assessed implements procedures defined in IR-9 (3), CCI 2819 to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. The organization being inspected/assessed implements procedures defined in IR-9 (3), CCI 2819 to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. Information Spillage Response | Post-Spill Operations IR-9 (3) IR-9(3).1 Corrective actions for information systems contaminated due to information spillages may be very time-consuming. During those periods, personnel may not have access to the contaminated systems, which may potentially affect their ability to conduct organizational business. The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
CCI-002819 The organization defines procedures to implement to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. The organization conducting the inspection/assessment obtains and examines the documented procedures to ensure the organization being inspected/assessed defines procedures to implement to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. DoD has determined the procedures are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents procedures to implement to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. DoD has determined the procedures are not appropriate to define at the Enterprise level. Information Spillage Response | Post-Spill Operations IR-9 (3) IR-9(3).2 Corrective actions for information systems contaminated due to information spillages may be very time-consuming. During those periods, personnel may not have access to the contaminated systems, which may potentially affect their ability to conduct organizational business. The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
CCI-002820 The organization employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations. The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed employs security safeguards defined in IR-9 (4), CCI 2821 for personnel exposed to information not within assigned access authorizations. The organization being inspected/assessed documents and implements a process to employ security safeguards defined in IR-9 (4), CCI 2821 for personnel exposed to information not within assigned access authorizations. Information Spillage Response | Exposure To Unauthorized Personnel IR-9 (4) IR-9(4).1 Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information. The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.
CCI-002821 The organization defines security safeguards to employ for personnel exposed to information not within assigned access authorizations. The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to employ for personnel exposed to information not within assigned access authorizations. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. The organization being inspected/assessed defines and documents security safeguards to employ for personnel exposed to information not within assigned access authorizations. DoD has determined the security safeguards are not appropriate to define at the Enterprise level. Information Spillage Response | Exposure To Unauthorized Personnel IR-9 (4) IR-9(4).2 Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information. The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.
CCI-002822 The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel. The organization conducting the inspection/assessment obtains and examines appointments to the integrated team as well as the documented roles and responsibilities to ensure the organization being inspected/assessed establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel. The organization being inspected/assessed establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel. The organization appoints team members and defines and documents roles and responsibilities for each member. Integrated Information Security Analysis Team IR-10 IR-10.1 Having an integrated team for incident response facilitates information sharing. Such capability allows organizational personnel, including developers, implementers, and operators, to leverage the team knowledge of the threat in order to implement defensive measures that will enable organizations to deter intrusions more effectively. Moreover, it promotes the rapid detection of intrusions, development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated security analysis team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing intelligence development. This enables the team to identify adversary TTPs that are linked to the operations tempo or to specific missions/business functions, and to define responsive actions in a way that does not disrupt the mission/business operations. Ideally, information security analysis teams are distributed within organizations to make the capability more resilient. The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
CCI-002861 The organization defines the personnel or roles to whom a system maintenance policy is disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. System Maintenance Policy And Procedures MA-1 MA-1.1 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
CCI-002862 The organization defines the personnel or roles to whom system maintenance procedures are to be disseminated. The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. DoD has defined the personnel or roles as the SCA, ISSO, and maintenance personnel as needed by role in maintaining the system. System Maintenance Policy And Procedures MA-1 MA-1.2 This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
CCI-002863 The organization employs automated mechanisms to schedule, conduct, and document repairs. The organization conducting the inspection/assessment obtains and examines the documentation of automated mechanisms to ensure the organization being inspected/assessed employs automated mechanisms to schedule, conduct, and document repairs. The organization being inspected/assessed documents and implements automated mechanisms to schedule, conduct, and document repairs. Controlled Maintenance | Automated Maintenance Activities MA-2 (2) MA-2(2).1 Related controls: CA-7, MA-3. The organization: (a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and (b) Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.
CCI-002864 The organization produces up-to-date, accurate, and complete records of all maintenance requested, scheduled, in process, and completed. The organization conducting the inspection/assessment obtains and examines the records of maintenance to ensure the organization being inspected/assessed produces up-to-date, accurate, and complete records of all maintenance requested, scheduled, in process, and completed. The organization being inspected/assessed produces and maintains up-to-date, accurate, and complete records of all maintenance requested, scheduled, in process, and completed. Controlled Maintenance | Automated Maintenance Activities MA-2 (2) MA-2(2).3 Related controls: CA-7, MA-3. The organization: (a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and (b) Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.
CCI-002865 The organization produces up-to-date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed. The organization conducting the inspection/assessment obtains and examines the records of repair actions to ensure the organization being inspected/assessed produces up-to-date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed. The organization being inspected/assessed produces and maintains up-to-date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed. Controlled Maintenance | Automated Maintenance Activities MA-2 (2) MA-2(2).4 Related controls: CA-7, MA-3. The organization: (a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and (b) Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.
CCI-002866 The organization schedules maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. The organization conducting the inspection/assessment obtains and examines the record of maintenance to ensure the organization being inspected/assessed schedules maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. The organization being inspected/assessed schedules maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. The organization must maintain a record of maintenance. Controlled Maintenance MA-2 MA-2.1 This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. The organization: a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
CCI-002867 The organization performs maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. The organization conducting the inspection/assessment obtains and examines the record of maintenance procedures followed to ensure the organization being inspected/assessed performs maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. The organization being inspected/assessed implements a process to perform maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. The organization must maintain a record of maintenance procedures followed. Controlled Maintenance MA-2 MA-2.2 This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. The organization: a. Schedules, performs, documents, and reviews records of, maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
CCI-002868 The organization documents maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. The organization conducting the inspection/assessment obtains and examines documentation of maintenance to ensure the organization being inspected/assessed documents maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. The organization being inspected/assessed documents maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements. Controlled Maintenance MA-2 MA-2.3 This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the mainten