Common Control Identifier (CCI)


The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control. This ability to trace security requirements from their origin (e.g., regulations, IA frameworks) to their low-level implementation allows organizations to readily demonstrate compliance with multiple IA compliance frameworks. CCI also provides a means to objectively roll up and compare related compliance assessment results across disparate technologies.

CCI Status Type Published Contributor Definition RMF DIACAP
CCI-000001 draft policy 2009-05-13 DISA FSO The organization develops an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000002 draft policy 2009-09-14 DISA FSO The organization disseminates the access control policy to organization-defined personnel or roles.
CCI-000003 draft policy 2009-09-14 DISA FSO The organization reviews and updates the access control policy in accordance with organization-defined frequency.
CCI-000004 draft policy 2009-05-13 DISA FSO The organization develops procedures to facilitate the implementation of the access control policy and associated access controls.
CCI-000005 draft policy 2009-09-14 DISA FSO The organization disseminates the procedures to facilitate access control policy and associated access controls to the organization-defined personnel or roles.
CCI-000006 draft policy 2009-09-14 DISA FSO The organization reviews and updates the access control procedures in accordance with organization-defined frequency.
CCI-000007 draft policy 2009-05-13 DISA FSO The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary).
CCI-000008 draft policy 2009-09-14 DISA FSO The organization establishes conditions for group membership.
CCI-000009 draft policy 2009-05-13 DISA FSO The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges.
CCI-000010 draft policy 2009-05-13 DISA FSO The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts.
CCI-000011 draft policy 2009-05-13 DISA FSO The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions.
CCI-000012 draft policy 2009-09-14 DISA FSO The organization reviews information system accounts for compliance with account management requirements per organization-defined frequency.
CCI-000013 draft policy 2009-09-14 DISA FSO The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes.
CCI-000014 draft policy 2009-09-14 DISA FSO The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions.
CCI-000015 draft technical 2009-05-13 DISA FSO The organization employs automated mechanisms to support the information system account management functions.
CCI-000016 draft technical 2009-05-13 DISA FSO The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account.
CCI-000017 draft technical 2009-05-13 DISA FSO The information system automatically disables inactive accounts after an organization-defined time period.
CCI-000018 draft technical 2009-05-13 DISA FSO The information system automatically audits account creation actions.
CCI-000019 draft policy 2009-09-14 DISA FSO The organization requires that users log out in accordance with the organization-defined time period of inactivity or description of when to log out.
CCI-000020 draft technical 2009-09-14 DISA FSO The information system dynamically manages user privileges and associated access authorizations.
CCI-000021 draft technical 2009-05-13 DISA FSO The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions.
CCI-000022 draft technical 2009-05-13 DISA FSO The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.
CCI-000023 draft policy 2009-11-03 DISA FSO The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended.
CCI-000024 draft technical 2009-09-14 DISA FSO The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states.
CCI-000025 draft technical 2009-09-14 DISA FSO The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
CCI-000026 draft technical 2009-05-13 DISA FSO The information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions.
CCI-000027 draft technical 2009-05-13 DISA FSO The information system enforces dynamic information flow control based on organization-defined policies.
CCI-000028 draft policy 2009-05-13 DISA FSO The information system prevents encrypted information from bypassing content-checking mechanisms by employing organization-defined procedures or methods.
CCI-000029 draft technical 2009-05-13 DISA FSO The information system enforces organization-defined limitations on the embedding of data types within other data types.
CCI-000030 draft technical 2009-05-13 DISA FSO The information system enforces information flow control based on organization-defined metadata.
CCI-000031 draft technical 2009-05-13 DISA FSO The information system enforces organization-defined one-way flows using hardware mechanisms.
CCI-000032 draft technical 2009-09-14 DISA FSO The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.
CCI-000033 draft policy 2009-05-13 DISA FSO The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision.
CCI-000034 draft technical 2009-05-13 DISA FSO The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions.
CCI-000035 draft technical 2009-09-14 DISA FSO The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.
CCI-000036 draft policy 2009-05-19 DISA FSO The organization separates organization-defined duties of individuals.
CCI-000037 draft technical 2009-09-14 DISA FSO The organization implements separation of duties through assigned information system access authorizations.
CCI-000038 draft policy 2009-05-19 DISA FSO The organization explicitly authorizes access to organization-defined security functions and security-relevant information.
CCI-000039 draft policy 2009-09-14 DISA FSO The organization requires that users of information system accounts or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.
CCI-000040 draft technical 2009-09-14 DISA FSO The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
CCI-000041 draft policy 2009-05-19 DISA FSO The organization authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs.
CCI-000042 draft policy 2009-05-19 DISA FSO The organization documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system.
CCI-000043 draft policy 2009-05-19 DISA FSO The organization defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.
CCI-000044 draft technical 2009-09-14 DISA FSO The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
CCI-000045 draft policy 2009-09-14 DISA FSO The organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period.
CCI-000046 draft policy 2009-09-14 DISA FSO The organization selects either a lock out mode for the organization-defined time period or delays the next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts.
CCI-000047 draft technical 2009-09-14 DISA FSO The information system delays next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy.
CCI-000048 draft technical 2009-05-19 DISA FSO The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
CCI-000049 draft policy 2009-05-19 DISA FSO The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording.
CCI-000050 draft technical 2009-09-14 DISA FSO The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system.
CCI-000051 draft policy 2009-05-19 DISA FSO The organization approves the information system use notification message before its use.
CCI-000052 draft technical 2009-09-14 DISA FSO The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
CCI-000053 draft technical 2009-09-14 DISA FSO The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
CCI-000054 draft technical 2009-05-19 DISA FSO The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions.
CCI-000055 draft policy 2009-05-19 DISA FSO The organization defines the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type.
CCI-000056 draft technical 2009-09-14 DISA FSO The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.
CCI-000057 draft technical 2009-05-19 DISA FSO The information system initiates a session lock after the organization-defined time period of inactivity.
CCI-000058 draft technical 2009-05-19 DISA FSO The information system provides the capability for users to directly initiate session lock mechanisms.
CCI-000059 draft policy 2009-09-14 DISA FSO The organization defines the time period of inactivity after which the information system initiates a session lock.
CCI-000060 draft technical 2009-05-19 DISA FSO The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
CCI-000061 draft policy 2009-09-14 DISA FSO The organization identifies and defines organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
CCI-000062 draft policy 2009-05-19 DISA FSO The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.
CCI-000063 draft policy 2009-09-14 DISA FSO The organization defines allowed methods of remote access to the information system.
CCI-000064 draft policy 2009-05-19 DISA FSO The organization establishes usage restrictions and implementation guidance for each allowed remote access method.
CCI-000065 draft policy 2009-09-14 DISA FSO The organization authorizes remote access to the information system prior to allowing such connections.
CCI-000066 draft technical 2009-09-14 DISA FSO The organization enforces requirements for remote connections to the information system.
CCI-000067 draft technical 2009-09-14 DISA FSO The information system monitors remote access methods.
CCI-000068 draft technical 2009-09-14 DISA FSO The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
CCI-000069 draft policy 2009-05-19 DISA FSO The information system routes all remote accesses through an organization-defined number of managed network access control points.
CCI-000070 draft policy 2009-05-19 DISA FSO The organization authorizes the execution of privileged commands via remote access only for organization-defined needs.
CCI-000071 draft technical 2009-05-19 DISA FSO The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency.
CCI-000072 draft policy 2009-09-25 DISA FSO The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
CCI-000073 draft policy 2009-11-03 DISA FSO The organization develops an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.
CCI-000074 draft policy 2009-11-03 DISA FSO The organization develops an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.
CCI-000075 draft policy 2009-11-03 DISA FSO The organization reviews the organization-wide information security program plan on an organization-defined frequency.
CCI-000076 draft policy 2009-11-03 DISA FSO The organization defines the frequency with which to review the organization-wide information security program plan.
CCI-000077 draft policy 2009-11-03 DISA FSO The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments.
CCI-000078 draft policy 2009-11-03 DISA FSO The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
CCI-000079 draft policy 2009-09-14 DISA FSO The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ organization-defined additional security measures.
CCI-000080 draft policy 2009-11-03 DISA FSO The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement.
CCI-000081 draft policy 2009-11-03 DISA FSO The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required.
CCI-000082 draft policy 2009-05-19 DISA FSO The organization establishes usage restrictions for organization-controlled mobile devices.
CCI-000083 draft policy 2009-05-19 DISA FSO The organization establishes implementation guidance for organization-controlled mobile devices.
CCI-000084 draft policy 2009-09-14 DISA FSO The organization authorizes connection of mobile devices to organizational information systems.
CCI-000085 draft technical 2009-05-19 DISA FSO The organization monitors for unauthorized connections of mobile devices to organizational information systems.
CCI-000086 draft technical 2009-05-19 DISA FSO The organization enforces requirements for the connection of mobile devices to organizational information systems.
CCI-000087 draft technical 2009-05-19 DISA FSO The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.
CCI-000088 draft policy 2009-09-14 DISA FSO The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
CCI-000089 draft policy 2009-09-14 DISA FSO The organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
CCI-000090 draft policy 2009-05-19 DISA FSO The organization restricts the use of writable, removable media in organizational information systems.
CCI-000091 draft policy 2009-05-19 DISA FSO The organization prohibits the use of personally-owned, removable media in organizational information systems.
CCI-000092 draft policy 2009-05-19 DISA FSO The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.
CCI-000093 draft policy 2009-09-14 DISA FSO The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems.
CCI-000094 draft policy 2009-05-19 DISA FSO The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process organization-controlled information using the external information systems.
CCI-000095 draft policy 2009-05-19 DISA FSO The organization prohibits authorized individuals from using an external information system to access the information system except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
CCI-000096 draft policy 2009-05-19 DISA FSO The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization has approved information system connection or processing agreements with the organizational entity hosting the external information system.
CCI-000097 draft policy 2009-09-14 DISA FSO The organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems.
CCI-000098 draft policy 2009-05-19 DISA FSO The organization facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information circumstances where user discretion is required.
CCI-000099 draft policy 2009-05-19 DISA FSO The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
CCI-000100 draft policy 2009-05-20 DISA FSO The organization develops and documents a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000101 draft policy 2009-05-20 DISA FSO The organization disseminates a security awareness and training policy to organization-defined personnel or roles.
CCI-000102 draft policy 2009-05-20 DISA FSO The organization reviews and updates the current security awareness and training policy in accordance with organization-defined frequency.
CCI-000103 draft policy 2009-05-20 DISA FSO The organization develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.
CCI-000104 draft policy 2009-05-20 DISA FSO The organization disseminates security awareness and training procedures to organization-defined personnel or roles.
CCI-000105 draft policy 2009-05-20 DISA FSO The organization reviews and updates the current security awareness and training procedures in accordance with an organization-defined frequency.
CCI-000106 draft policy 2009-09-14 DISA FSO The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users.
CCI-000107 draft policy 2009-05-20 DISA FSO The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
CCI-000108 draft policy 2009-05-20 DISA FSO The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties.
CCI-000109 draft policy 2009-05-20 DISA FSO The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes.
CCI-000110 draft policy 2009-05-20 DISA FSO The organization provides refresher role-based security training to personnel with assigned security roles and responsibilities in accordance with organization-defined frequency.
CCI-000111 draft policy 2009-05-20 DISA FSO The organization defines a frequency for providing refresher role-based security training.
CCI-000112 draft policy 2009-05-20 DISA FSO The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes.
CCI-000113 draft policy 2009-09-14 DISA FSO The organization documents individual information system security training activities, including basic security awareness training and specific information system security training.
CCI-000114 draft policy 2009-09-14 DISA FSO The organization monitors individual information system security training activities, including basic security awareness training and specific information system security training.
CCI-000115 draft policy 2009-09-14 DISA FSO The organization establishes contact with selected groups and associations within the security community to facilitate ongoing security education and training; to stay up to date with the latest recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents.
CCI-000116 draft policy 2009-09-14 DISA FSO The organization institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training; to stay up to date with the latest recommended security practices, techniques, and technologies; and to share current security-related information including threats, vulnerabilities, and incidents.
CCI-000117 draft policy 2009-05-20 DISA FSO The organization develops and documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000118 draft policy 2009-05-20 DISA FSO The organization disseminates a formal, documented, audit and accountability policy to elements within the organization having associated audit and accountability roles and responsibilities.
CCI-000119 draft policy 2009-05-20 DISA FSO The organization reviews and updates the audit and accountability policy on an organization-defined frequency.
CCI-000120 draft policy 2009-05-20 DISA FSO The organization develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
CCI-000121 draft policy 2009-05-20 DISA FSO The organization disseminates formal, documented, procedures to elements within the organization having associated audit and accountability roles and responsibilities.
CCI-000122 draft policy 2009-05-20 DISA FSO The organization reviews and updates the audit and accountability procedures on an organization-defined frequency.
CCI-000123 draft policy 2009-09-15 DISA FSO The organization determines the information system must be capable of auditing an organization-defined list of auditable events.
CCI-000124 draft policy 2009-09-15 DISA FSO The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events.
CCI-000125 draft policy 2009-09-15 DISA FSO The organization provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents.
CCI-000126 draft policy 2009-09-15 DISA FSO The organization determines that the organization-defined subset of the auditable events defined in AU-2 are to be audited within the information system.
CCI-000127 draft policy 2009-05-20 DISA FSO The organization reviews and updates the list of organization-defined audited events on an organization-defined frequency.
CCI-000128 draft policy 2009-05-20 DISA FSO The organization includes execution of privileged functions in the list of events to be audited by the information system.
CCI-000129 draft policy 2009-09-15 DISA FSO The organization defines in the auditable events that the information system must be capable of auditing based on a risk assessment and mission/business needs.
CCI-000130 draft technical 2009-05-20 DISA FSO The information system generates audit records containing information that establishes what type of event occurred.
CCI-000131 draft technical 2009-05-20 DISA FSO The information system generates audit records containing information that establishes when an event occurred.
CCI-000132 draft technical 2009-05-20 DISA FSO The information system generates audit records containing information that establishes where the event occurred.
CCI-000133 draft technical 2009-05-20 DISA FSO The information system generates audit records containing information that establishes the source of the event.
CCI-000134 draft technical 2009-05-20 DISA FSO The information system generates audit records containing information that establishes the outcome of the event.
CCI-000135 draft technical 2009-05-20 DISA FSO The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.
CCI-000136 draft technical 2009-05-20 DISA FSO The organization centrally manages the content of audit records generated by organization-defined information system components.
CCI-000137 draft policy 2009-05-20 DISA FSO The organization allocates audit record storage capacity.
CCI-000138 draft technical 2009-05-20 DISA FSO The organization configures auditing to reduce the likelihood of storage capacity being exceeded.
CCI-000139 draft technical 2009-09-15 DISA FSO The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure.
CCI-000140 draft technical 2009-05-20 DISA FSO The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
CCI-000141 draft policy 2009-11-03 DISA FSO The organization ensures that information security resources are available for expenditure as planned.
CCI-000142 draft policy 2009-11-03 DISA FSO The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained.
CCI-000143 draft technical 2009-05-20 DISA FSO The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
CCI-000144 draft technical 2009-05-20 DISA FSO The information system provides a real-time alert when organization-defined audit failure events occur.
CCI-000145 draft policy 2009-05-20 DISA FSO The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity by delaying or rejecting network traffic which exceeds the organization-defined thresholds.
CCI-000146 draft policy 2009-05-20 DISA FSO The organization defines the percentage of maximum audit record storage capacity that when exceeded, a warning is provided.
CCI-000147 draft policy 2009-05-22 DISA FSO The organization defines the audit failure events requiring real-time alerts.
CCI-000148 draft policy 2009-05-22 DISA FSO The organization reviews and analyzes information system audit records on an organization-defined frequency for indications of organization-defined inappropriate or unusual activity.
CCI-000149 draft policy 2009-05-22 DISA FSO The organization reports any findings to organization-defined personnel or roles for indications of organization-defined inappropriate or unusual activity.
CCI-000150 draft policy 2009-09-15 DISA FSO The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
CCI-000151 draft policy 2009-09-15 DISA FSO The organization defines the frequency for the review and analysis of information system audit records for organization-defined inappropriate or unusual activity.
CCI-000152 draft technical 2009-05-22 DISA FSO The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
CCI-000153 draft policy 2009-05-22 DISA FSO The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
CCI-000154 draft technical 2009-05-22 DISA FSO The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
CCI-000155 draft policy 2009-09-15 DISA FSO The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and network monitoring information to further enhance the ability to identify inappropriate or unusual activity.
CCI-000156 draft technical 2009-05-22 DISA FSO The information system provides an audit reduction capability.
CCI-000157 draft technical 2009-05-22 DISA FSO The information system provides a report generation capability.
CCI-000158 draft technical 2009-05-22 DISA FSO The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records.
CCI-000159 draft technical 2009-05-22 DISA FSO The information system uses internal system clocks to generate time stamps for audit records.
CCI-000160 draft technical 2009-05-22 DISA FSO The information system synchronizes internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.
CCI-000161 draft policy 2009-05-22 DISA FSO The organization defines the frequency for the synchronization of internal information system clocks.
CCI-000162 draft technical 2009-05-22 DISA FSO The information system protects audit information from unauthorized access.
CCI-000163 draft technical 2009-05-22 DISA FSO The information system protects audit information from unauthorized modification.
CCI-000164 draft technical 2009-05-22 DISA FSO The information system protects audit information from unauthorized deletion.
CCI-000165 draft policy 2009-05-22 DISA FSO The information system writes audit records to hardware-enforced, write-once media.
CCI-000166 draft technical 2009-05-22 DISA FSO The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
CCI-000167 draft policy 2009-05-22 DISA FSO The organization retains audit records for an organization-defined time period to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
CCI-000168 draft policy 2009-09-15 DISA FSO The organization defines the time period for retention of audit records, which is consistent with its records retention policy, to provide support for after-the-fact investigations of security incidents and meet regulatory and organizational information retention requirements.
CCI-000169 draft technical 2009-05-22 DISA FSO The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
CCI-000170 draft policy 2009-11-03 DISA FSO The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation.
CCI-000171 draft technical 2009-09-15 DISA FSO The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.
CCI-000172 draft technical 2009-09-15 DISA FSO The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
CCI-000173 draft policy 2009-09-15 DISA FSO The organization defines the level of tolerance for relationship between time stamps of individual records in the audit trail that will be used for correlation.
CCI-000174 draft technical 2009-05-22 DISA FSO The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail.
CCI-000175 draft policy 2009-05-22 DISA FSO The organization manages information system authenticators for users and devices by verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator.
CCI-000176 draft policy 2009-05-22 DISA FSO The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization.
CCI-000177 draft policy 2009-05-22 DISA FSO The organization manages information system authenticators for users and devices by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.
CCI-000178 draft policy 2009-05-22 DISA FSO The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation.
CCI-000179 draft policy 2009-05-22 DISA FSO The organization manages information system authenticators by establishing minimum lifetime restrictions for authenticators.
CCI-000180 draft policy 2009-05-22 DISA FSO The organization manages information system authenticators by establishing maximum lifetime restrictions for authenticators.
CCI-000181 draft policy 2009-05-22 DISA FSO The organization manages information system authenticators by establishing reuse conditions for authenticators.
CCI-000182 draft policy 2009-05-22 DISA FSO The organization manages information system authenticators by changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type.
CCI-000183 draft policy 2009-05-22 DISA FSO The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure.
CCI-000184 draft policy 2009-05-22 DISA FSO The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators.
CCI-000185 draft technical 2009-09-15 DISA FSO The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
CCI-000186 draft technical 2009-09-15 DISA FSO The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.
CCI-000187 draft technical 2009-09-15 DISA FSO The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.
CCI-000188 draft policy 2009-09-15 DISA FSO The organization requires that the registration process to receive an organizational-defined type of authenticator be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).
CCI-000189 draft policy 2009-09-15 DISA FSO The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.
CCI-000190 draft policy 2009-09-15 DISA FSO The organization requires vendors/manufacturers of information system components to provide unique authenticators or change default authenticators prior to delivery.
CCI-000191 deprecated policy 2009-09-15 DISA FSO The organization enforces password complexity by the number of special characters used.
CCI-000192 draft technical 2009-09-15 DISA FSO The information system enforces password complexity by the minimum number of upper case characters used.
CCI-000193 draft technical 2009-09-15 DISA FSO The information system enforces password complexity by the minimum number of lower case characters used.
CCI-000194 draft technical 2009-09-15 DISA FSO The information system enforces password complexity by the minimum number of numeric characters used.
CCI-000195 draft technical 2009-09-15 DISA FSO The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
CCI-000196 draft technical 2009-09-15 DISA FSO The information system, for password-based authentication, stores only cryptographically-protected passwords.
CCI-000197 draft technical 2009-09-15 DISA FSO The information system, for password-based authentication, transmits only cryptographically-protected passwords.
CCI-000198 draft technical 2009-09-15 DISA FSO The information system enforces minimum password lifetime restrictions.
CCI-000199 draft technical 2009-09-15 DISA FSO The information system enforces maximum password lifetime restrictions.
CCI-000200 draft technical 2009-05-22 DISA FSO The information system prohibits password reuse for the organization-defined number of generations.
CCI-000201 draft policy 2009-05-22 DISA FSO The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
CCI-000202 draft policy 2009-05-22 DISA FSO The organization ensures unencrypted static authenticators are not embedded in access scripts.
CCI-000203 draft policy 2009-05-22 DISA FSO The organization ensures unencrypted static authenticators are not stored on function keys.
CCI-000204 draft policy 2009-05-22 DISA FSO The organization defines the security safeguards required to manage the risk of compromise due to individuals having accounts on multiple information systems.
CCI-000205 draft technical 2009-05-22 DISA FSO The information system enforces minimum password length.
CCI-000206 draft technical 2009-05-22 DISA FSO The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
CCI-000207 draft policy 2009-11-03 DISA FSO The organization develops and maintains an inventory of its information systems.
CCI-000208 draft policy 2009-09-14 DISA FSO The organization determines normal time-of-day and duration usage for information system accounts.
CCI-000209 draft policy 2009-11-03 DISA FSO The organization develops the results of information security measures of performance.
CCI-000210 draft policy 2009-11-03 DISA FSO The organization monitors the results of information security measures of performance.
CCI-000211 draft policy 2009-11-03 DISA FSO The organization reports on the results of information security measures of performance.
CCI-000212 draft policy 2009-11-03 DISA FSO The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
CCI-000213 draft technical 2009-09-14 DISA FSO The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-000214 draft policy 2009-09-14 DISA FSO The organization establishes a Discretionary Access Control (DAC) policy that limits propagation of access rights.
CCI-000215 draft policy 2009-09-14 DISA FSO The organization establishes a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
CCI-000216 draft policy 2009-11-03 DISA FSO The organization develops and documents a critical infrastructure and key resource protection plan that addresses information security issues.
CCI-000217 draft policy 2009-09-24 DISA FSO The organization defines a time period after which inactive accounts are automatically disabled.
CCI-000218 draft technical 2009-09-14 DISA FSO The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.
CCI-000219 draft technical 2009-09-14 DISA FSO The information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms.
CCI-000221 draft technical 2009-09-14 DISA FSO The information system enforces security policies regarding information on interconnected systems.
CCI-000223 draft technical 2009-09-14 DISA FSO The information system binds security attributes to information to facilitate information flow policy enforcement.
CCI-000224 draft technical 2009-09-14 DISA FSO The information system tracks problems associated with the security attribute binding.
CCI-000225 draft policy 2009-09-14 DISA FSO The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
CCI-000226 draft technical 2009-09-14 DISA FSO The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.
CCI-000227 draft policy 2009-11-03 DISA FSO The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems.
CCI-000228 draft policy 2009-11-03 DISA FSO The organization implements a comprehensive strategy to manage risk to organization operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems consistently across the organization.
CCI-000229 draft policy 2009-11-03 DISA FSO The organization documents the security state of organizational information systems and the environments in which those systems operate through security authorization processes.
CCI-000230 draft policy 2009-11-03 DISA FSO The organization tracks the security state of organizational information systems and the environments in which those systems operate through security authorization processes.
CCI-000231 draft policy 2009-11-03 DISA FSO The organization reports the security state of organizational information systems and the environments in which those systems operate through security authorization processes.
CCI-000232 draft policy 2009-09-14 DISA FSO The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.
CCI-000233 draft policy 2009-11-03 DISA FSO The organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process.
CCI-000234 draft policy 2009-11-03 DISA FSO The organization fully integrates the security authorization processes into an organization-wide risk management program.
CCI-000235 draft policy 2009-11-04 DISA FSO The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
CCI-000236 draft policy 2009-11-04 DISA FSO The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs are obtained.
CCI-000237 draft policy 2009-06-23 DISA FSO The organization manages information system accounts by specifically authorizing and monitoring the use of guest/anonymous accounts and temporary accounts.
CCI-000238 draft policy 2009-09-15 DISA FSO The organization defines the frequency to review and update the current security assessment and authorization policy.
CCI-000239 draft policy 2009-09-15 DISA FSO The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000240 draft policy 2009-09-15 DISA FSO The organization disseminates to organization-defined personnel or roles a security assessment and authorization policy.
CCI-000241 draft policy 2009-09-15 DISA FSO The organization reviews and updates the current security assessment and authorization policy in accordance with organization-defined frequency.
CCI-000242 draft policy 2009-09-15 DISA FSO The organization develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
CCI-000243 draft policy 2009-09-15 DISA FSO The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
CCI-000244 draft policy 2009-09-15 DISA FSO The organization reviews and updates the current security assessment and authorization procedures in accordance with organization-defined frequency.
CCI-000245 draft policy 2009-09-15 DISA FSO The organization develops a security assessment plan for the information system and its environment of operation.
CCI-000246 draft policy 2009-09-15 DISA FSO The organization's security assessment plan describes the security controls and control enhancements under assessment.
CCI-000247 draft policy 2009-09-15 DISA FSO The organization's security assessment plan describes assessment procedures to be used to determine security control effectiveness.
CCI-000248 draft policy 2009-09-15 DISA FSO The organization's security assessment plan describes the assessment environment.
CCI-000249 draft policy 2009-09-15 DISA FSO The organization's security assessment plan describes the assessment team.
CCI-000250 draft policy 2009-09-15 DISA FSO The organization's security assessment plan describes assessment roles and responsibilities.
CCI-000251 draft policy 2009-09-15 DISA FSO The organization assesses, on an organization-defined frequency, the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements.
CCI-000252 draft policy 2009-09-15 DISA FSO The organization defines the frequency on which the security controls in the information system and its environment of operation are assessed.
CCI-000253 draft policy 2009-09-15 DISA FSO The organization produces a security assessment report that documents the results of the assessment against the information system and its environment of operation.
CCI-000254 draft policy 2009-09-15 DISA FSO The organization provides the results of the security control assessment against the information system and its environment of operation to organization-defined individuals or roles.
CCI-000255 draft policy 2009-09-15 DISA FSO The organization employs assessors or assessment teams with an organization-defined level of independence to conduct security control assessments of organizational information systems.
CCI-000256 draft policy 2009-09-15 DISA FSO The organization includes, as part of security control assessments announced or unannounced, one or more of the following: in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; and organization-defined other forms of security assessment on an organization-defined frequency.
CCI-000257 draft policy 2009-09-15 DISA FSO The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements.
CCI-000258 draft policy 2009-09-15 DISA FSO The organization documents, for each interconnection, the interface characteristics.
CCI-000259 draft policy 2009-09-15 DISA FSO The organization documents, for each interconnection, the security requirements.
CCI-000260 draft policy 2009-09-15 DISA FSO The organization documents, for each interconnection, the nature of the information communicated.
CCI-000261 draft policy 2009-09-15 DISA FSO The organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.
CCI-000262 draft policy 2009-09-15 DISA FSO The organization prohibits the direct connection of an organization-defined unclassified, national security system to an external network without the use of an organization-defined boundary protection device.
CCI-000263 draft policy 2009-09-15 DISA FSO The organization prohibits the direct connection of a classified, national security system to an external network without the use of organization-defined boundary protection device.
CCI-000264 draft policy 2009-09-15 DISA FSO The organization develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
CCI-000265 draft policy 2009-09-15 DISA FSO The organization defines the frequency with which to update the existing plan of action and milestones for the information system.
CCI-000266 draft policy 2009-09-15 DISA FSO The organization updates, on an organization-defined frequency, the existing plan of action and milestones for the information system based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CCI-000267 draft policy 2009-09-15 DISA FSO The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is accurate.
CCI-000268 draft policy 2009-09-15 DISA FSO The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is up to date.
CCI-000269 draft policy 2009-09-15 DISA FSO The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is readily available.
CCI-000270 draft policy 2009-09-15 DISA FSO The organization assigns a senior-level executive or manager as the authorizing official for the information system.
CCI-000271 draft policy 2009-09-15 DISA FSO The organization ensures the authorizing official authorizes the information system for processing before commencing operations.
CCI-000272 draft policy 2009-09-15 DISA FSO The organization updates the security authorization on an organization-defined frequency.
CCI-000273 draft policy 2009-09-15 DISA FSO The organization defines the frequency with which to update the security authorization.
CCI-000274 draft policy 2009-09-15 DISA FSO The organization develops a continuous monitoring strategy.
CCI-000275 draft policy 2009-09-15 DISA FSO The organization implements a continuous monitoring program that includes a configuration management process for the information system.
CCI-000276 draft policy 2009-09-15 DISA FSO The organization implements a continuous monitoring program that includes a configuration management process for the information system constituent components.
CCI-000277 draft policy 2009-09-15 DISA FSO The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the information system.
CCI-000278 draft policy 2009-09-15 DISA FSO The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the environment of operation.
CCI-000279 draft policy 2009-09-15 DISA FSO The organization implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
CCI-000280 draft policy 2009-09-15 DISA FSO The organization implements a continuous monitoring program that includes reporting the security status of the organization and the information system to organization-defined personnel or roles on an organization-defined frequency.
CCI-000281 draft policy 2009-09-15 DISA FSO The organization defines the frequency with which to report the security status of the organization and the information system to organization-defined personnel or roles.
CCI-000282 draft policy 2009-09-15 DISA FSO The organization employs assessors or assessment teams with an organization-defined level of independence to monitor the security controls in the information system on an ongoing basis.
CCI-000283 draft policy 2009-09-15 DISA FSO The organization plans announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.
CCI-000284 draft policy 2009-09-15 DISA FSO The organization schedules announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.
CCI-000285 draft policy 2009-09-15 DISA FSO The organization conducts announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.
CCI-000286 draft policy 2009-09-17 DISA FSO The organization defines a frequency with which to review and update the configuration management policies.
CCI-000287 draft policy 2009-09-17 DISA FSO The organization develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000288 draft policy 2009-09-17 DISA FSO The organization disseminates formal, documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities.
CCI-000289 draft policy 2009-09-17 DISA FSO The organization reviews and updates, on an organization-defined frequency, the configuration management policy.
CCI-000290 draft policy 2009-09-17 DISA FSO The organization develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CCI-000291 draft policy 2009-09-17 DISA FSO The organization disseminates formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CCI-000292 draft policy 2009-09-17 DISA FSO The organization reviews and updates, on an organization-defined frequency, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CCI-000293 draft policy 2009-09-17 DISA FSO The organization develops a current baseline configuration of the information system.
CCI-000294 draft policy 2009-09-17 DISA FSO The organization documents a baseline configuration of the information system.
CCI-000295 draft policy 2009-09-17 DISA FSO The organization maintains, under configuration control, a current baseline configuration of the information system.
CCI-000296 draft policy 2009-09-17 DISA FSO The organization reviews and updates the baseline configuration of the information system at an organization-defined frequency.
CCI-000297 draft policy 2009-09-17 DISA FSO The organization reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances.
CCI-000298 draft policy 2009-09-17 DISA FSO The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations.
CCI-000299 draft policy 2009-09-17 DISA FSO The organization reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades.
CCI-000300 draft policy 2009-09-17 DISA FSO The organization employs automated mechanisms to maintain a complete baseline configuration of the information system.
CCI-000301 draft policy 2009-09-17 DISA FSO The organization employs automated mechanisms to maintain an up-to-date baseline configuration of the information system.
CCI-000302 draft policy 2009-09-17 DISA FSO The organization employs automated mechanisms to maintain an accurate baseline configuration of the information system.
CCI-000303 draft policy 2009-09-17 DISA FSO The organization employs automated mechanisms to maintain a readily available baseline configuration of the information system.
CCI-000304 draft policy 2009-09-17 DISA FSO The organization retains organization-defined previous versions of baseline configurations of the information system to support rollback.
CCI-000305 draft policy 2009-09-17 DISA FSO The organization develops a list of software programs not authorized to execute on the information system.
CCI-000306 draft policy 2009-09-17 DISA FSO The organization maintains the list of software programs not authorized to execute on the information system.
CCI-000307 draft policy 2009-09-17 DISA FSO The organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.
CCI-000308 draft policy 2009-09-17 DISA FSO The organization develops the list of software programs authorized to execute on the information system.
CCI-000309 draft policy 2009-09-17 DISA FSO The organization maintains the list of software programs authorized to execute on the information system.
CCI-000310 draft policy 2009-09-17 DISA FSO The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.
CCI-000311 draft policy 2009-09-17 DISA FSO The organization maintains a baseline configuration for information system development environments that is managed separately from the operational baseline configuration.
CCI-000312 draft policy 2009-09-17 DISA FSO The organization maintains a baseline configuration for information system test environments that is managed separately from the operational baseline configuration.
CCI-000313 draft policy 2009-09-17 DISA FSO The organization determines the types of changes to the information system that are configuration controlled.
CCI-000314 draft policy 2009-09-17 DISA FSO The organization approves or disapproves configuration-controlled changes to the information system, with explicit consideration for security impact analysis.
CCI-000315 draft policy 2009-09-17 DISA FSO The organization documents approved configuration-controlled changes to the system.
CCI-000316 draft policy 2009-09-17 DISA FSO The organization retains records of configuration-controlled changes to the information system for an organization-defined time period.
CCI-000317 draft policy 2009-09-17 DISA FSO The organization reviews records of configuration-controlled changes to the system.
CCI-000318 draft policy 2009-09-17 DISA FSO The organization audits and reviews activities associated with configuration-controlled changes to the system.
CCI-000319 draft policy 2009-09-17 DISA FSO The organization coordinates and provides oversight for configuration change control activities through an organization-defined configuration change control element (e.g., committee, board) that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions.
CCI-000320 draft policy 2009-09-17 DISA FSO The organization defines the frequency with which to convene the configuration change control element.
CCI-000321 draft policy 2009-09-17 DISA FSO The organization defines configuration change conditions that prompt the configuration change control element to convene.
CCI-000322 draft policy 2009-09-17 DISA FSO The organization employs automated mechanisms to document proposed changes to the information system.
CCI-000323 draft policy 2009-09-17 DISA FSO The organization employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval.
CCI-000324 draft policy 2009-09-17 DISA FSO The organization employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by an organization-defined time period.
CCI-000325 draft policy 2009-09-17 DISA FSO The organization employs automated mechanisms to prohibit changes to the information system until designated approvals are received.
CCI-000326 draft policy 2009-09-17 DISA FSO The organization employs automated mechanisms to document all changes to the information system.
CCI-000327 draft policy 2009-09-17 DISA FSO The organization tests changes to the information system before implementing the changes on the operational system.
CCI-000328 draft policy 2009-09-17 DISA FSO The organization validates changes to the information system before implementing the changes on the operational system.
CCI-000329 draft policy 2009-09-17 DISA FSO The organization documents changes to the information system before implementing the changes on the operational system.
CCI-000330 draft policy 2009-09-17 DISA FSO The organization employs automated mechanisms to implement changes to the current information system baseline.
CCI-000331 draft policy 2009-09-17 DISA FSO The organization deploys the updated information system baseline across the installed base.
CCI-000332 draft policy 2009-09-17 DISA FSO The organization requires an information security representative to be a member of the organization-defined configuration change control element.
CCI-000333 draft policy 2009-09-18 DISA FSO The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
CCI-000334 draft policy 2009-09-18 DISA FSO The organization analyzes new software in a separate test environment before installation in an operational environment.
CCI-000335 draft policy 2009-09-18 DISA FSO The organization, after the information system is changed, checks the security functions to verify the functions are implemented correctly.
CCI-000336 draft policy 2009-09-18 DISA FSO The organization, after the information system is changed, checks the security functions to verify the functions are operating as intended.
CCI-000337 draft policy 2009-09-18 DISA FSO The organization, after the information system is changed, checks the security functions to verify the functions are producing the desired outcome with regard to meeting the security requirements for the system.
CCI-000338 draft policy 2009-09-18 DISA FSO The organization defines physical access restrictions associated with changes to the information system.
CCI-000339 draft policy 2009-09-18 DISA FSO The organization documents physical access restrictions associated with changes to the information system.
CCI-000340 draft policy 2009-09-18 DISA FSO The organization approves physical access restrictions associated with changes to the information system.
CCI-000341 draft policy 2009-09-18 DISA FSO The organization enforces physical access restrictions associated with changes to the information system.
CCI-000342 draft policy 2009-09-18 DISA FSO The organization defines logical access restrictions associated with changes to the information system.
CCI-000343 draft policy 2009-09-18 DISA FSO The organization documents logical access restrictions associated with changes to the information system.
CCI-000344 draft policy 2009-09-18 DISA FSO The organization approves logical access restrictions associated with changes to the information system.
CCI-000345 draft policy 2009-09-18 DISA FSO The organization enforces logical access restrictions associated with changes to the information system.
CCI-000346 draft technical 2009-09-18 DISA FSO The organization employs automated mechanisms to enforce access restrictions.
CCI-000347 draft technical 2009-09-18 DISA FSO The organization employs automated mechanisms to support auditing of the enforcement actions.
CCI-000348 draft policy 2009-09-18 DISA FSO The organization defines a frequency with which to conduct reviews of information system changes.
CCI-000349 draft policy 2009-09-18 DISA FSO The organization reviews information system changes per organization-defined frequency to determine whether unauthorized changes have occurred.
CCI-000350 draft policy 2009-09-18 DISA FSO The organization reviews information system changes upon organization-defined circumstances to determine whether unauthorized changes have occurred.
CCI-000351 draft policy 2009-09-18 DISA FSO The organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate.
CCI-000352 draft technical 2009-09-18 DISA FSO The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.
CCI-000353 draft policy 2009-09-18 DISA FSO The organization defines information system components requiring enforcement of a dual authorization for information system changes.
CCI-000354 draft policy 2009-09-18 DISA FSO The organization enforces dual authorization for changes to organization-defined information system components.
CCI-000355 draft policy 2009-09-18 DISA FSO The organization limits information system developer/integrator privileges to change hardware components directly within a production environment.
CCI-000356 draft policy 2009-09-18 DISA FSO The organization limits information system developer/integrator privileges to change software components directly within a production environment.
CCI-000357 draft policy 2009-09-18 DISA FSO The organization limits information system developer/integrator privileges to change firmware components directly within a production environment.
CCI-000358 draft policy 2009-09-18 DISA FSO The organization limits information system developer/integrator privileges to change system information directly within a production environment.
CCI-000359 draft policy 2009-09-18 DISA FSO The organization defines the frequency to review information system developer/integrator privileges.
CCI-000360 draft policy 2009-09-18 DISA FSO The organization defines the frequency to reevaluate information system developer/integrator privileges.
CCI-000361 draft policy 2009-09-18 DISA FSO The organization reviews information system developer/integrator privileges per organization-defined frequency.
CCI-000362 draft policy 2009-09-18 DISA FSO The organization reevaluates information system developer/integrator privileges per organization-defined frequency.
CCI-000363 draft policy 2009-09-18 DISA FSO The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed.
CCI-000364 draft policy 2009-09-18 DISA FSO The organization establishes configuration settings for information technology products employed within the information system using organization-defined security configuration checklists.
CCI-000365 draft policy 2009-09-18 DISA FSO The organization documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements.
CCI-000366 draft policy 2009-09-18 DISA FSO The organization implements the security configuration settings.
CCI-000367 draft policy 2009-09-18 DISA FSO The organization identifies any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
CCI-000368 draft policy 2009-09-18 DISA FSO The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
CCI-000369 draft policy 2009-09-18 DISA FSO The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
CCI-000370 draft policy 2009-09-18 DISA FSO The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components.
CCI-000371 draft policy 2009-09-18 DISA FSO The organization employs automated mechanisms to centrally apply configuration settings for organization-defined information system components.
CCI-000372 draft policy 2009-09-18 DISA FSO The organization employs automated mechanisms to centrally verify configuration settings for organization-defined information system components.
CCI-000373 draft policy 2009-09-18 DISA FSO The organization defines configuration settings for which unauthorized changes are responded to by automated mechanisms.
CCI-000374 draft technical 2009-09-18 DISA FSO The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.
CCI-000375 draft policy 2009-09-18 DISA FSO The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability.
CCI-000376 draft policy 2009-09-18 DISA FSO The organization ensures unauthorized, security-relevant configuration changes detected are monitored.
CCI-000377 draft policy 2009-09-18 DISA FSO The organization ensures unauthorized, security-relevant configuration changes detected are corrected.
CCI-000378 draft policy 2009-09-18 DISA FSO The organization ensures unauthorized, security-relevant configuration changes detected are available for historical purposes.
CCI-000379 draft policy 2009-09-18 DISA FSO The information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists) prior to being introduced into a production environment.
CCI-000380 draft policy 2009-09-18 DISA FSO The organization defines prohibited or restricted functions, ports, protocols, and/or services for the information system.
CCI-000381 draft technical 2009-09-18 DISA FSO The organization configures the information system to provide only essential capabilities.
CCI-000382 draft technical 2009-09-18 DISA FSO The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
CCI-000383 draft policy 2009-09-18 DISA FSO The organization defines the frequency of information system reviews to identify and eliminate unnecessary functions, ports, protocols and/or services.
CCI-000384 draft policy 2009-09-18 DISA FSO The organization reviews the information system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, and services.
CCI-000385 draft policy 2009-09-18 DISA FSO The organization reviews the information system per organization-defined frequency to eliminate unnecessary functions, ports, protocols, and/or services.
CCI-000386 draft technical 2009-09-18 DISA FSO The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications.
CCI-000387 draft policy 2009-09-18 DISA FSO The organization defines registration requirements for functions, ports, protocols, and services.
CCI-000388 draft policy 2009-09-18 DISA FSO The organization ensures compliance with organization-defined registration requirements for functions, ports, protocols, and services.
CCI-000389 draft policy 2009-09-18 DISA FSO The organization develops an inventory of information system components that accurately reflects the current information system.
CCI-000390 draft policy 2009-09-18 DISA FSO The organization documents an inventory of information system components that accurately reflects the current information system.
CCI-000391 draft policy 2009-09-18 DISA FSO The organization maintains an inventory of information system components that accurately reflects the current information system.
CCI-000392 draft policy 2009-09-18 DISA FSO The organization develops an inventory of information system components that includes all components within the authorization boundary of the information system.
CCI-000393 draft policy 2009-09-18 DISA FSO The organization documents an inventory of information system components that includes all components within the authorization boundary of the information system.
CCI-000394 draft policy 2009-09-18 DISA FSO The organization maintains an inventory of information system components that is consistent with the authorization boundary of the information system.
CCI-000395 draft policy 2009-09-18 DISA FSO The organization develops an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
CCI-000396 draft policy 2009-09-18 DISA FSO The organization documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
CCI-000397 draft policy 2009-09-18 DISA FSO The organization maintains an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
CCI-000398 draft policy 2009-09-18 DISA FSO The organization defines information deemed necessary to achieve effective information system component accountability.
CCI-000399 draft policy 2009-09-18 DISA FSO The organization develops an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability.
CCI-000400 draft policy 2009-09-18 DISA FSO The organization documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability.
CCI-000401 draft policy 2009-09-18 DISA FSO The organization maintains an inventory of information system components that includes organization-defined information deemed necessary to achieve effective property accountability.
CCI-000402 draft policy 2009-09-18 DISA FSO The organization develops an inventory of information system components that is available for review by designated organizational officials.
CCI-000403 draft policy 2009-09-18 DISA FSO The organization documents an inventory of information system components that is available for review by designated organizational officials.
CCI-000404 draft policy 2009-09-18 DISA FSO The organization maintains an inventory of information system components that is available for review by designated organizational officials.
CCI-000405 draft policy 2009-09-18 DISA FSO The organization develops an inventory of information system components that is available for audit by designated organizational officials.
CCI-000406 draft policy 2009-09-18 DISA FSO The organization documents an inventory of information system components that is available for audit by designated organizational officials.
CCI-000407 draft policy 2009-09-18 DISA FSO The organization maintains an inventory of information system components that is available for audit by designated organizational officials.
CCI-000408 draft policy 2009-09-18 DISA FSO The organization updates the inventory of information system components as an integral part of component installations.
CCI-000409 draft policy 2009-09-18 DISA FSO The organization updates the inventory of information system components as an integral part of component removals.
CCI-000410 draft policy 2009-09-18 DISA FSO The organization updates the inventory of information system components as an integral part of information system updates.
CCI-000411 draft policy 2009-09-18 DISA FSO The organization employs automated mechanisms to help maintain an up-to-date inventory of information system components.
CCI-000412 draft policy 2009-09-18 DISA FSO The organization employs automated mechanisms to help maintain a complete inventory of information system components.
CCI-000413 draft policy 2009-09-18 DISA FSO The organization employs automated mechanisms to help maintain an accurate inventory of information system components.
CCI-000414 draft policy 2009-09-18 DISA FSO The organization employs automated mechanisms to help maintain a readily available inventory of information system components.
CCI-000415 draft policy 2009-09-18 DISA FSO The organization defines the frequency of employing automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system.
CCI-000416 draft policy 2009-09-18 DISA FSO The organization employs automated mechanisms, per organization-defined frequency, to detect the presence of unauthorized hardware, software, and firmware components within the information system.
CCI-000417 draft technical 2009-09-18 DISA FSO The organization disables network access by unauthorized components/devices or notifies designated organizational officials.
CCI-000418 draft policy 2009-09-18 DISA FSO The organization includes, in the information system component inventory information, a means for identifying by name, position, and/or role, individuals responsible/accountable for administering those components.
CCI-000419 draft policy 2009-09-18 DISA FSO The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
CCI-000420 draft policy 2009-09-18 DISA FSO The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
CCI-000421 draft policy 2009-09-18 DISA FSO The organization develops a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
CCI-000422 draft policy 2009-09-18 DISA FSO The organization documents a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
CCI-000423 draft policy 2009-09-18 DISA FSO The organization implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
CCI-000424 draft policy 2009-09-18 DISA FSO The organization develops a configuration management plan for the information system that defines the configuration items for the information system.
CCI-000425 draft policy 2009-09-18 DISA FSO The organization documents a configuration management plan for the information system that defines the configuration items for the information system.
CCI-000426 draft policy 2009-09-18 DISA FSO The organization implements a configuration management plan for the information system that defines the configuration items for the information system.
CCI-000427 draft policy 2009-09-18 DISA FSO The organization develops a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.
CCI-000428 draft policy 2009-09-18 DISA FSO The organization documents a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.
CCI-000429 draft policy 2009-09-18 DISA FSO The organization implements a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.
CCI-000430 draft policy 2009-09-18 DISA FSO The organization develops a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.
CCI-000431 draft policy 2009-09-18 DISA FSO The organization documents a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.
CCI-000432 draft policy 2009-09-18 DISA FSO The organization implements a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.
CCI-000433 draft policy 2009-09-18 DISA FSO The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CCI-000434 draft policy 2009-09-18 DISA FSO The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CCI-000435 draft policy 2009-09-18 DISA FSO The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CCI-000436 draft policy 2009-09-18 DISA FSO The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
CCI-000437 draft policy 2009-09-18 DISA FSO The organization defines the frequency with which to review and update the current contingency planning policy.
CCI-000438 draft policy 2009-09-18 DISA FSO The organization develops and documents a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000439 draft policy 2009-09-18 DISA FSO The organization disseminates a contingency planning policy to organization-defined personnel or roles.
CCI-000440 draft policy 2009-09-18 DISA FSO The organization reviews and updates the current contingency planning policy in accordance with an organization-defined frequency.
CCI-000441 draft policy 2009-09-18 DISA FSO The organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
CCI-000443 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that identifies essential missions.
CCI-000444 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that identifies essential business functions.
CCI-000445 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that identifies associated contingency requirements.
CCI-000446 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that provides recovery objectives.
CCI-000447 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that provides restoration priorities.
CCI-000448 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that provides metrics.
CCI-000449 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information.
CCI-000450 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system disruption.
CCI-000451 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system disruption.
CCI-000452 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system compromise.
CCI-000453 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system compromise.
CCI-000454 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system failure.
CCI-000455 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system failure.
CCI-000456 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented.
CCI-000457 draft policy 2009-09-18 DISA FSO The organization develops a contingency plan for the information system that is reviewed and approved by organization-defined personnel or roles.
CCI-000458 draft policy 2009-09-18 DISA FSO The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan.
CCI-000459 draft policy 2009-09-18 DISA FSO The organization distributes copies of the contingency plan to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.
CCI-000460 draft policy 2009-09-18 DISA FSO The organization coordinates contingency planning activities with incident handling activities.
CCI-000461 draft policy 2009-09-18 DISA FSO The organization defines the frequency with which to review the contingency plan for the information system.
CCI-000462 draft policy 2009-09-18 DISA FSO The organization reviews the contingency plan for the information system in accordance with organization-defined frequency.
CCI-000463 draft policy 2009-09-18 DISA FSO The organization updates the contingency plan to address changes to the organization.
CCI-000464 draft policy 2009-09-18 DISA FSO The organization updates the contingency plan to address changes to the information system.
CCI-000465 draft policy 2009-09-18 DISA FSO The organization updates the contingency plan to address changes to the environment of operation.
CCI-000466 draft policy 2009-09-18 DISA FSO The organization updates the contingency plan to address problems encountered during contingency plan implementation, execution, or testing.
CCI-000468 draft policy 2009-09-18 DISA FSO The organization communicates contingency plan changes to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.
CCI-000469 draft policy 2009-09-18 DISA FSO The organization coordinates contingency plan development with organizational elements responsible for related plans.
CCI-000470 draft policy 2009-09-18 DISA FSO The organization conducts capacity planning so that necessary capacity for information processing exists during contingency operations.
CCI-000471 draft policy 2009-09-18 DISA FSO The organization conducts capacity planning so that necessary capacity for telecommunications exists during contingency operations.
CCI-000472 draft policy 2009-09-18 DISA FSO The organization conducts capacity planning so that necessary capacity for environmental support exists during contingency operations.
CCI-000473 draft policy 2009-09-18 DISA FSO The organization defines the time period for planning the resumption of essential missions as a result of contingency plan activation.
CCI-000474 draft policy 2009-09-18 DISA FSO The organization defines the time period for planning the resumption of essential business functions as a result of contingency plan activation.
CCI-000475 draft policy 2009-09-18 DISA FSO The organization plans for the resumption of essential missions within the organization-defined time period of contingency plan activation.
CCI-000476 draft policy 2009-09-18 DISA FSO The organization plans for the resumption of essential business functions within the organization-defined time period of contingency plan activation.
CCI-000477 draft policy 2009-09-18 DISA FSO The organization defines the time period for planning the resumption of all missions as a result of contingency plan activation.
CCI-000478 draft policy 2009-09-18 DISA FSO The organization defines the time period for planning the resumption of all business functions as a result of contingency plan activation.
CCI-000479 draft policy 2009-09-18 DISA FSO The organization plans for the resumption of all missions within an organization-defined time period of contingency plan activation.
CCI-000480 draft policy 2009-09-18 DISA FSO The organization plans for the resumption of all business functions within an organization-defined time period of contingency plan activation.
CCI-000481 draft policy 2009-09-18 DISA FSO The organization plans for the continuance of essential missions with little or no loss of operational continuity.
CCI-000482 draft policy 2009-09-18 DISA FSO The organization plans for the continuance of essential business functions with little or no loss of operational continuity.
CCI-000483 draft policy 2009-09-18 DISA FSO The organization plans for the transfer of essential missions to alternate processing and/or storage sites with little or no loss of operational continuity.
CCI-000484 draft policy 2009-09-18 DISA FSO The organization plans for the transfer of essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity.
CCI-000485 draft policy 2009-09-21 DISA FSO The organization defines the frequency of refresher contingency training to information system users.
CCI-000486 draft policy 2009-09-21 DISA FSO The organization provides contingency training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility.
CCI-000487 draft policy 2009-09-21 DISA FSO The organization provides refresher contingency training to information system users consistent with assigned roles and responsibilities in accordance with organization-defined frequency.
CCI-000488 draft policy 2009-09-21 DISA FSO The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CCI-000489 draft policy 2009-09-21 DISA FSO The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
CCI-000490 draft policy 2009-09-21 DISA FSO The organization defines the frequency with which to test the contingency plan for the information system.
CCI-000491 draft policy 2009-09-21 DISA FSO The organization defines the frequency to exercise the contingency plan for the information system.
CCI-000492 draft policy 2009-09-21 DISA FSO The organization defines contingency plan tests to be conducted for the information system.
CCI-000493 draft policy 2009-09-21 DISA FSO The organization defines contingency plan exercises to be conducted for the information system.
CCI-000494 draft policy 2009-09-21 DISA FSO The organization tests the contingency plan for the information system in accordance with organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan.
CCI-000495 draft policy 2009-09-21 DISA FSO The organization exercises the contingency plan using organization-defined exercises in accordance with organization-defined frequency.
CCI-000496 draft policy 2009-09-21 DISA FSO The organization reviews the contingency plan test results.
CCI-000497 draft policy 2009-09-21 DISA FSO The organization initiates corrective actions, if needed, after reviewing the contingency plan test results.
CCI-000498 draft policy 2009-09-21 DISA FSO The organization coordinates contingency plan testing with organizational elements responsible for related plans.
CCI-000499 draft policy 2009-09-21 DISA FSO The organization coordinates contingency plan exercises with organizational elements responsible for related plans.
CCI-000500 draft policy 2009-09-21 DISA FSO The organization tests the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources.
CCI-000501 draft policy 2009-09-21 DISA FSO The organization exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site's capabilities to support contingency operations.
CCI-000502 draft policy 2009-09-21 DISA FSO The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
CCI-000503 draft policy 2009-09-21 DISA FSO The organization employs automated mechanisms to more thoroughly and effectively exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic exercise scenarios and environments, and more effectively stressing the information and supported missions.
CCI-000504 draft policy 2009-09-21 DISA FSO The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
CCI-000505 draft policy 2009-09-21 DISA FSO The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information.
CCI-000506 draft policy 2009-09-21 DISA FSO The organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information.
CCI-000507 draft policy 2009-09-21 DISA FSO The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
CCI-000508 draft policy 2009-09-21 DISA FSO The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CCI-000509 draft policy 2009-09-21 DISA FSO The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.
CCI-000510 draft policy 2009-09-21 DISA FSO The organization defines the time period consistent with recovery time and recovery point objectives for essential missions/business functions to permit the transfer and resumption of organization-defined information system operations at an alternate processing site when the primary processing capabilities are unavailable.
CCI-000511 draft policy 2009-09-21 DISA FSO The organization defines the time period for achieving the recovery time objectives for business functions within which processing must be resumed at the alternate processing site.
CCI-000512 draft policy 2009-09-21 DISA FSO The organization establishes an alternate processing site.
CCI-000513 draft policy 2009-09-21 DISA FSO The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.
CCI-000514 draft policy 2009-09-21 DISA FSO The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.
CCI-000515 draft policy 2009-09-21 DISA FSO The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption.
CCI-000516 draft policy 2009-09-21 DISA FSO The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
CCI-000517 draft policy 2009-09-21 DISA FSO The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.
CCI-000518 draft policy 2009-09-21 DISA FSO The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organizational availability requirements (including recovery time objectives).
CCI-000519 draft policy 2009-09-21 DISA FSO The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential missions.
CCI-000520 draft policy 2009-09-21 DISA FSO The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential business functions.
CCI-000521 draft policy 2009-09-21 DISA FSO The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CCI-000522 draft policy 2009-09-21 DISA FSO The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential missions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000523 draft policy 2009-09-21 DISA FSO The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential business functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000524 draft policy 2009-09-21 DISA FSO The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000525 draft policy 2009-09-21 DISA FSO The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CCI-000526 draft policy 2009-09-21 DISA FSO The organization develops primary telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives).
CCI-000527 draft policy 2009-09-21 DISA FSO The organization develops alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives).
CCI-000528 draft policy 2009-09-21 DISA FSO The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary telecommunications services are provided by a common carrier.
CCI-000529 draft policy 2009-09-21 DISA FSO The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the alternate telecommunications services are provided by a common carrier.
CCI-000530 draft policy 2009-09-21 DISA FSO The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CCI-000531 draft policy 2009-09-21 DISA FSO The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
CCI-000532 draft policy 2009-09-21 DISA FSO The organization requires primary telecommunications service providers to have contingency plans.
CCI-000533 draft policy 2009-09-21 DISA FSO The organization requires alternate telecommunications service providers to have contingency plans.
CCI-000534 draft policy 2009-09-21 DISA FSO The organization defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives.
CCI-000535 draft policy 2009-09-21 DISA FSO The organization conducts backups of user-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000536 draft policy 2009-09-21 DISA FSO The organization defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives.
CCI-000537 draft policy 2009-09-21 DISA FSO The organization conducts backups of system-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000538 draft policy 2009-09-21 DISA FSO The organization defines the frequency of conducting information system documentation backups, including security-related documentation, to support recovery time objectives and recovery point objectives.
CCI-000539 draft policy 2009-09-21 DISA FSO The organization conducts backups of information system documentation, including security-related documentation, per an organization-defined frequency that is consistent with recovery time and recovery point objectives.
CCI-000540 draft policy 2009-09-21 DISA FSO The organization protects the confidentiality, integrity, and availability of backup information at storage locations.
CCI-000541 draft policy 2009-09-21 DISA FSO The organization defines the frequency with which to test backup information to verify media reliability and information integrity.
CCI-000542 draft policy 2009-09-21 DISA FSO The organization tests backup information per an organization-defined frequency to verify media reliability and information integrity.
CCI-000543 draft policy 2009-09-21 DISA FSO The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
CCI-000544 draft policy 2009-09-21 DISA FSO The organization stores backup copies of the operating system in a separate facility or in a fire-rated container that is not colocated with the operational system.
CCI-000545 draft policy 2009-09-21 DISA FSO The organization stores backup copies of critical information system software in a separate facility or in a fire-rated container that is not colocated with the operational system.
CCI-000546 draft policy 2009-09-21 DISA FSO The organization stores backup copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not colocated with the operational system.
CCI-000547 draft policy 2009-09-21 DISA FSO The organization defines the time period and transfer rate of the information system backup information to the alternate storage site consistent with the recovery time and recovery point objectives.
CCI-000548 draft policy 2009-09-21 DISA FSO The organization transfers information system backup information to the alternate storage site in accordance with the organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives.
CCI-000549 draft policy 2009-09-21 DISA FSO The organization maintains a redundant secondary information system that is not collocated with the primary system.
CCI-000550 draft policy 2009-09-21 DISA FSO The organization provides for the recovery and reconstitution of the information system to a known state after a disruption.
CCI-000551 draft policy 2009-09-21 DISA FSO The organization provides for the recovery and reconstitution of the information system to a known state after a compromise.
CCI-000552 draft policy 2009-09-21 DISA FSO The organization provides for the recovery and reconstitution of the information system to a known state after a failure.
CCI-000553 draft policy 2009-09-21 DISA FSO The information system implements transaction recovery for systems that are transaction-based.
CCI-000554 draft policy 2009-09-21 DISA FSO The organization defines in the security plan, explicitly or by reference, the circumstances that can inhibit recovery and reconstitution of the information system to a known state.
CCI-000555 draft policy 2009-09-21 DISA FSO The organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution of the information system to a known state.
CCI-000556 draft policy 2009-09-21 DISA FSO The organization defines restoration time periods within which to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components.
CCI-000557 draft policy 2009-09-21 DISA FSO The organization provides the capability to restore information system components within organization-defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state for the components.
CCI-000558 draft policy 2009-09-21 DISA FSO The organization defines the real-time or near-real-time failover capability to be provided for the information system.
CCI-000559 draft policy 2009-09-21 DISA FSO The organization provides real-time or near-real-time organization-defined failover capability for the information system.
CCI-000560 draft policy 2009-09-21 DISA FSO The organization protects backup and restoration hardware.
CCI-000561 draft policy 2009-09-21 DISA FSO The organization protects backup and restoration firmware.
CCI-000562 draft policy 2009-09-21 DISA FSO The organization protects backup and restoration software.
CCI-000563 draft policy 2009-09-21 DISA FSO The organization develops and documents a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000564 draft policy 2009-09-21 DISA FSO The organization disseminates a security planning policy to organization-defined personnel or roles.
CCI-000565 deprecated policy 2009-09-21 DISA FSO The organization reviews/updates, per organization-defined frequency, a formal, documented security planning policy.
CCI-000566 draft policy 2009-09-21 DISA FSO The organization develops and documents procedures to facilitate the implementation of the security planning policy and associated security planning controls.
CCI-000567 draft policy 2009-09-21 DISA FSO The organization disseminates security planning procedures to organization-defined personnel or roles.
CCI-000568 draft policy 2009-09-21 DISA FSO The organization reviews and updates the current security planning procedures in accordance with organization-defined frequency.
CCI-000570 draft policy 2009-09-21 DISA FSO The organization develops a security plan for the information system that is consistent with the organization's enterprise architecture; explicitly defines the authorization boundary for the system; describes the operational context of the information system in terms of mission and business processes; provides the security category and impact level of the information system, including supporting rationale; describes the operational environment for the information system; describes relationships with, or connections to, other information systems; provides an overview of the security requirements for the system; and describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplemental decisions.
CCI-000571 draft policy 2009-09-21 DISA FSO The organization's security plan for the information system is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
CCI-000572 draft policy 2009-09-21 DISA FSO The organization defines the frequency for reviewing the security plan for the information system.
CCI-000573 draft policy 2009-09-21 DISA FSO The organization reviews the security plan for the information system in accordance with organization-defined frequency.
CCI-000574 draft policy 2009-09-21 DISA FSO The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
CCI-000576 draft policy 2009-09-21 DISA FSO The organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum: the purpose of the system; a description of the system architecture; the security authorization schedule; and the security categorization and associated factors considered in determining the categorization.
CCI-000577 draft policy 2009-09-21 DISA FSO The organization defines the frequency with which to review and update the security CONOPS.
CCI-000578 draft policy 2009-09-21 DISA FSO The organization reviews and updates the security CONOPS in accordance with organization-defined frequency.
CCI-000580 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains external interfaces.
CCI-000581 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains the information being exchanged across the interfaces.
CCI-000582 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains the protection mechanisms associated with each interface.
CCI-000583 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains user roles.
CCI-000584 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains the access privileges assigned to each role.
CCI-000585 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains unique security requirements.
CCI-000586 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains types of information processed by the information system.
CCI-000587 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains types of information stored by the information system.
CCI-000588 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains types of information transmitted by the information system.
CCI-000589 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
CCI-000590 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains restoration priority of information.
CCI-000591 draft policy 2009-09-21 DISA FSO The organization develops a functional architecture for the information system that identifies and maintains restoration priority of information system services.
CCI-000592 draft policy 2009-09-21 DISA FSO The organization establishes the rules describing the responsibilities and expected behavior, with regard to information and information system usage, for individuals requiring access to the information system.
CCI-000593 draft policy 2009-09-21 DISA FSO The organization receives a signed acknowledgment from individuals requiring access to the information system, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
CCI-000594 draft policy 2009-09-21 DISA FSO The organization includes in the rules of behavior explicit restrictions on the use of social media/networking sites.
CCI-000595 draft policy 2009-09-21 DISA FSO The organization includes in the rules of behavior explicit restrictions on posting organizational information on public websites.
CCI-000596 draft policy 2009-09-21 DISA FSO The organization includes in the rules of behavior, explicit restrictions on sharing information system account information.
CCI-000597 draft policy 2009-09-21 DISA FSO The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.
CCI-000598 draft policy 2009-09-21 DISA FSO The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation).
CCI-000599 draft policy 2009-09-21 DISA FSO The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational assets.
CCI-000600 draft policy 2009-09-21 DISA FSO The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational individuals.
CCI-000601 draft policy 2009-09-21 DISA FSO The organization defines the frequency with which to review and update the current system and services acquisition policy.
CCI-000602 draft policy 2009-09-21 DISA FSO The organization develops and documents a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000603 draft policy 2009-09-21 DISA FSO The organization disseminates to organization-defined personnel or roles a system and services acquisition policy.
CCI-000604 draft policy 2009-09-21 DISA FSO The organization reviews and updates the current system and services acquisition policy in accordance with organization-defined frequency.
CCI-000605 draft policy 2009-09-21 DISA FSO The organization develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
CCI-000606 draft policy 2009-09-21 DISA FSO The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
CCI-000607 draft policy 2009-09-21 DISA FSO The organization reviews and updates the current system and services acquisition procedures in accordance with organization-defined frequency.
CCI-000608 draft policy 2009-09-21 DISA FSO The organization includes a determination of information security requirements for the information system in mission process planning.
CCI-000609 draft policy 2009-09-21 DISA FSO The organization includes a determination of information security requirements for the information system in business process planning.
CCI-000610 draft policy 2009-09-21 DISA FSO The organization determines the resources required to protect the information system or information system service as part of its capital planning and investment control process.
CCI-000611 draft policy 2009-09-21 DISA FSO The organization documents the resources required to protect the information system or information system service as part of its capital planning and investment control process.
CCI-000612 draft policy 2009-09-21 DISA FSO The organization allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process.
CCI-000613 draft policy 2009-09-21 DISA FSO The organization establishes a discrete line item for information security in organizational programming documentation.
CCI-000614 draft policy 2009-09-21 DISA FSO The organization establishes a discrete line item for information security in organizational budgeting documentation.
CCI-000615 draft policy 2009-09-21 DISA FSO The organization manages the information system using an organization-defined system development life cycle that incorporates information security considerations.
CCI-000616 draft policy 2009-09-21 DISA FSO The organization defines and documents information system security roles and responsibilities throughout the system development life cycle.
CCI-000617 draft policy 2009-09-21 DISA FSO The organization documents information system security roles and responsibilities throughout the system development life cycle.
CCI-000618 draft policy 2009-09-21 DISA FSO The organization identifies individuals having information system security roles and responsibilities.
CCI-000619 draft policy 2009-09-21 DISA FSO The organization includes security functional requirements/specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
CCI-000620 draft policy 2009-09-21 DISA FSO The organization includes security-related documentation requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
CCI-000621 draft policy 2009-09-21 DISA FSO The organization includes developmental and evaluation-related assurance requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
CCI-000623 draft policy 2009-09-21 DISA FSO The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
CCI-000624 draft policy 2009-09-21 DISA FSO The organization requires in acquisition documents that vendors/contractors provide information describing the design details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.
CCI-000625 draft policy 2009-09-21 DISA FSO The organization requires in acquisition documents that vendors/contractors provide information describing the implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.
CCI-000626 draft policy 2009-09-21 DISA FSO The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employs state-of-the-practice software and security engineering methods.
CCI-000627 draft policy 2009-09-21 DISA FSO The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employs quality control processes.
CCI-000628 draft policy 2009-09-21 DISA FSO The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development processes employ validation techniques.
CCI-000629 draft policy 2009-09-21 DISA FSO The organization ensures each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.
CCI-000630 draft policy 2009-09-21 DISA FSO The organization requires in acquisition documents, that information system components are delivered in a secure, documented configuration, and that the secure configuration is the default configuration for any software reinstalls or upgrades.
CCI-000631 draft policy 2009-09-21 DISA FSO The organization employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.
CCI-000632 deprecated policy 2009-09-21 DISA FSO The organization employs only commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.
CCI-000633 draft policy 2009-09-21 DISA FSO The organization ensures that government off-the-shelf (GOTS) or commercial-off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.
CCI-000634 draft policy 2009-09-21 DISA FSO The organization limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.
CCI-000635 draft policy 2009-09-21 DISA FSO The organization requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
CCI-000636 draft policy 2009-09-21 DISA FSO The organization obtains administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
CCI-000637 draft policy 2009-09-21 DISA FSO The organization protects, as required, administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
CCI-000638 draft policy 2009-09-21 DISA FSO The organization makes available to authorized personnel administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
CCI-000639 draft policy 2009-09-21 DISA FSO The organization obtains user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.
CCI-000640 draft policy 2009-09-21 DISA FSO The organization protects, as required, user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.
CCI-000641 draft policy 2009-09-21 DISA FSO The organization makes available to authorized personnel user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.
CCI-000642 draft policy 2009-09-21 DISA FSO The organization documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent.
CCI-000643 draft policy 2009-09-21 DISA FSO The organization obtains vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
CCI-000644 draft policy 2009-09-21 DISA FSO The organization protects, as required, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system.
CCI-000645 draft policy 2009-09-21 DISA FSO The organization makes available to authorized personnel vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
CCI-000646 draft policy 2009-09-21 DISA FSO The organization obtains vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.
CCI-000647 draft policy 2009-09-21 DISA FSO The organization obtains vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
CCI-000648 draft policy 2009-09-21 DISA FSO The organization protects, as required, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system.
CCI-000650 draft policy 2009-09-21 DISA FSO The organization obtains vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
CCI-000651 draft policy 2009-09-21 DISA FSO The organization protects, as required, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system.
CCI-000653 draft policy 2009-09-21 DISA FSO The organization obtains the source code for the information system to permit analysis and testing.
CCI-000654 draft policy 2009-09-21 DISA FSO The organization protects, as required, the source code for the information system to permit analysis and testing.
CCI-000655 draft policy 2009-09-21 DISA FSO The organization uses software and associated documentation in accordance with contract agreements and copyright laws.
CCI-000656 draft policy 2009-09-21 DISA FSO The organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution.
CCI-000657 draft policy 2009-09-21 DISA FSO The organization controls the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.